Pavel on AsyncAPI

Appearance

Bearer Authentication

What is Bearer Authentication in HTTP?

Bearer Authentication in HTTP is a security scheme that involves using a bearer token for authentication. The term "bearer" refers to the fact that the possessor of the token (the "bearer") can access protected resources without further identification. Bearer tokens are typically sent in the HTTP Authorization header with the "Bearer" prefix.

Bearer Authentication is commonly used with JSON Web Tokens (JWT) and is a key component of OAuth 2.0 and OpenID Connect protocols. The token itself often contains claims about the entity and additional metadata, which can be used for both authentication and authorization purposes.

When to Use Bearer Authentication in HTTP

Bearer Authentication in HTTP is suitable for:

  • RESTful APIs requiring token-based authentication
  • Single-page applications (SPAs) communicating with backend services
  • Mobile applications accessing protected resources
  • Microservices architectures requiring stateless authentication
  • OAuth 2.0 and OpenID Connect implementations
  • Scenarios requiring short-lived, revocable access tokens
  • Applications with distributed authentication requirements
  • Systems where sessions are not appropriate or desired

When Not to Use Bearer Authentication in HTTP

Bearer Authentication in HTTP is not recommended for:

  • High-security environments requiring multi-factor authentication
  • Scenarios where the token might be exposed to untrusted clients
  • Applications without proper HTTPS/TLS implementation
  • Systems requiring long-lived sessions without refresh mechanisms
  • Environments where token size is a concern (some JWTs can be large)
  • Applications requiring fine-grained, request-level authorization
  • Legacy systems that cannot properly handle Authorization headers
  • Scenarios where the simplicity of API keys is sufficient

Pros and Cons

Pros

  • Stateless: No server-side session storage required
  • Portable: Can be used across different domains and services
  • Self-contained: Tokens can contain user information and permissions
  • Expiration: Built-in support for token expiration
  • Standard-based: Follows established standards (OAuth 2.0, JWT)
  • Scalability: Works well in distributed systems and microservices
  • Flexibility: Can include custom claims and metadata
  • Revocable: Can be revoked before expiration (with proper infrastructure)

Cons

  • Token Security: Bearer tokens must be protected as they grant access by possession
  • Token Size: JWT tokens can become large if they contain many claims
  • Complexity: More complex to implement correctly than simple authentication methods
  • Validation Overhead: Token validation requires cryptographic operations
  • Revocation Challenges: Stateless tokens are harder to revoke immediately
  • Token Storage: Secure client-side storage can be challenging
  • HTTPS Requirement: Must be used with HTTPS to prevent token interception
  • Clock Synchronization: Time-based validation requires synchronized clocks

Examples

Here's how to define a Bearer HTTP security scheme in AsyncAPI:

json
{
  "type": "http",
  "scheme": "bearer",
  "description": "Bearer token authentication"
}

Another example with a specified bearer format (JWT):

json
{
  "type": "http",
  "scheme": "bearer",
  "bearerFormat": "JWT",
  "description": "JWT bearer token authentication for API access"
}

Implementation Example

When implementing Bearer Authentication in your application:

  1. Set up a token issuing service (authorization server)
  2. Generate tokens with appropriate claims and expiration
  3. Sign tokens with a secure algorithm (e.g., RS256 for JWTs)
  4. Validate tokens on each request:
    • Check signature
    • Verify expiration
    • Validate issuer and audience
    • Extract identity and permissions
  5. Implement token refresh mechanisms for long-lived sessions
  6. Use HTTPS to protect tokens during transmission
  7. Store tokens securely on the client side
  8. Implement token revocation mechanisms if needed

The AsyncAPI specification for Bearer HTTP security follows this JSON Schema:

json
{
  "type": "object",
  "required": [ "type", "scheme" ],
  "properties": {
    "description": {
      "description": "A short description for security scheme. CommonMark syntax MAY be used for rich text representation.",
      "type": "string"
    },
    "type": {
      "description": "The type of the security scheme.",
      "type": "string",
      "enum": [ "http" ]
    },
    "bearerFormat": {
      "description": "A hint to the client to identify how the bearer token is formatted. Bearer tokens are usually generated by an authorization server, so this information is primarily for documentation purposes.",
      "type": "string"
    },
    "scheme": {
      "description": "The name of the HTTP Authorization scheme to be used in the Authorization header as defined in RFC7235.",
      "type": "string",
      "enum": [ "bearer" ]
    }
  }
}