I am working on a study of the web API methodology and the API as a whole.
I am currently studying authentication.
I know that there are several ways to authenticate and authorize an API. The most common is a bearer token.
I also see SAML, and I know about x509 (from my WCF days).
Today I want to talk about tokens. The bearer token is passed as a header. The headers are not encrypted (cannot be encrypted?), therefore it may be possible for someone to capture that token and impersonate the user without consent. This is my view on the bearer token. It seems that today many popular services use this authentication method for their API.
What other options exist besides the bearer token that are more or less as safe, such as HMACing the message, etc.?
I seem to be only a little versed in many authentication methods. I am trying to understand more and would like to create a very secure API that allows you to use SSO (single sign-on). If the bearer token is the way, then it's excellent: it's very simple and a turnkey solution. If there is something better and safer, I am open to it, even if the work and time are much longer than for the bearer token.
I don't know why I don't like the sound of the bearer token, but it just seems easy to attack and misuse. Especially for payment-type services.
Thanks!
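The question contrasts a bearer token sent in a header with "HMACing the message". One point worth making precise: over HTTPS the headers are encrypted in transit, but a bearer token is still a bearer credential, so anyone who obtains it (from a log, a proxy, a compromised client) can use it until it expires. HMAC request signing changes that: the client keeps a secret that never leaves it, and each request carries a signature over the method, path, timestamp and body, so a captured request cannot be altered, and with a timestamp window and a seen-signature set it cannot be replayed either. The following is an added example written for this answer, not code from any project the question mentions; the key id, secret, header names and the 5-minute window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

# Constructed shared secret and key id for this example. In a real deployment the
# server stores one secret per client and the secret itself never travels in a request.
KEY_ID = "client-123"
SECRET = b"example-shared-secret-not-for-production"

MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off


def canonical_string(method, path, timestamp, body):
    """Fixed layout of everything the signature covers; both sides must build it identically."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}"


def sign_request(method, path, body, secret, key_id, timestamp=None):
    """Client side: produce the headers to attach. The secret is used but never sent."""
    ts = str(int(timestamp if timestamp is not None else time.time()))
    mac = hmac.new(secret, canonical_string(method, path, ts, body).encode(), hashlib.sha256)
    return {
        "X-Key-Id": key_id,        # tells the server which secret to look up
        "X-Timestamp": ts,         # bounds how long a captured request stays valid
        "X-Signature": mac.hexdigest(),
    }


def verify_request(method, path, body, headers, secrets, now=None, seen_signatures=None):
    """Server side: return (ok, reason). Checks presence, key id, freshness, MAC, replay."""
    key_id = headers.get("X-Key-Id")
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature")
    if not key_id or not ts or not sig:
        return False, "missing signature headers"
    secret = secrets.get(key_id)
    if secret is None:
        return False, "unknown key id"
    try:
        ts_int = int(ts)
    except ValueError:
        return False, "bad timestamp"
    now = int(now if now is not None else time.time())
    if abs(now - ts_int) > MAX_SKEW_SECONDS:
        return False, "timestamp outside window"
    expected = hmac.new(secret, canonical_string(method, path, ts, body).encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched through timing
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    # Optional replay cache: the same signature may be accepted only once inside the window.
    if seen_signatures is not None:
        if sig in seen_signatures:
            return False, "replayed signature"
        seen_signatures.add(sig)
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a signed payment request, then three things an interceptor might try.
    secrets = {KEY_ID: SECRET}
    body = b'{"amount": 100}'
    headers = sign_request("POST", "/pay", body, SECRET, KEY_ID, timestamp=1_700_000_000)
    print("genuine:", verify_request("POST", "/pay", body, headers, secrets, now=1_700_000_010))
    print("tampered body:", verify_request("POST", "/pay", b'{"amount": 999}', headers, secrets, now=1_700_000_010))
    print("stale:", verify_request("POST", "/pay", body, headers, secrets, now=1_700_001_000))
    seen = set()
    verify_request("POST", "/pay", body, headers, secrets, now=1_700_000_010, seen_signatures=seen)
    print("replay:", verify_request("POST", "/pay", body, headers, secrets, now=1_700_000_010, seen_signatures=seen))
```

The trade-off the question hints at is real: the signing scheme needs a secret provisioned per client and a canonicalisation both sides agree on, which is more work than attaching a bearer token, but a request captured from a log or proxy is then useless to anyone who does not hold the secret. Note that a secret stored on the client still has to be protected; signing limits what a captured request reveals, not what a compromised client can do.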