How to properly use Bearer tokens?

PhpAuthenticationOauthHttp HeadersBearer Token

Php Problem Overview

I'm making an authorization system in PHP, and I came across this Bearer scheme of passing JWT tokens, I read [RFC 6750][1]. I've got the following doubts:

  1. How is this improving the security?
  2. The server responses the client with a JWT token in its body after a successful authorization and login, and now when the client makes another request, I am not clear how to actually do that, I want to send token from client in Authorization header in the request, so now should I just prefix "Bearer" to the token which I received in the previous response from the server and If yes, then server on receiving the Authorization header, should just split the string with space, and take the second value from the obtained array and then decode it? For example Authorization: Bearer fdbghfbfgbjhg_something, how is server supposed to handle this, decodeFunc(explode(" ", $this->getRequest()->getHeader("Authorization"))[1])? [1]: https://www.rfc-editor.org/rfc/rfc6750

Php Solutions

Solution 1 - Php

1.Improving the security because if token is not sent in the header that sent in url, it will be logged by the network system, the server log ....

2.A good function to get Bearer tokens

/** 
 * Get header Authorization
 * */
function getAuthorizationHeader(){
    $headers = null;
    if (isset($_SERVER['Authorization'])) {
		$headers = trim($_SERVER["Authorization"]);
	}
    else if (isset($_SERVER['HTTP_AUTHORIZATION'])) { //Nginx or fast CGI
		$headers = trim($_SERVER["HTTP_AUTHORIZATION"]);
	} elseif (function_exists('apache_request_headers')) {
		$requestHeaders = apache_request_headers();
		// Server-side fix for bug in old Android versions (a nice side-effect of this fix means we don't care about capitalization for Authorization)
		$requestHeaders = array_combine(array_map('ucwords', array_keys($requestHeaders)), array_values($requestHeaders));
		//print_r($requestHeaders);
		if (isset($requestHeaders['Authorization'])) {
			$headers = trim($requestHeaders['Authorization']);
		}
	}
    return $headers;
}

/**
 * get access token from header
 * */
function getBearerToken() {
    $headers = getAuthorizationHeader();
	// HEADER: Get the access token from the header
	if (!empty($headers)) {
		if (preg_match('/Bearer\s(\S+)/', $headers, $matches)) {
            return $matches[1];
		}
	}
	return null;
}

Solution 2 - Php

I would recommend to use the following RegEx to check, if it's a valid jwt-token:

/Bearer\s((.*)\.(.*)\.(.*))/

and access it also with matches[1].

This is the structure of a JWT-Token, see: https://jwt.io/

Categories
Recommended Php Solutions
Recommended Authentication Solutions
Recommended Oauth Solutions
Recommended Http Headers Solutions
Recommended Bearer Token Solutions

Previous Solution:

Redux can I use one action type in separate reducers?

ReduxReact Redux

Next Solution:

Can I add a channel to a specific conda environment?

PythonEnvironmentConda

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionAshish RanjanView Question on Stackoverflow
Solution 1 - PhpNgô Văn ThaoView Answer on Stackoverflow
Solution 2 - PhpUnkn0wn0xView Answer on Stackoverflow