
Should I use a custom HTTP header to pass a JSON Web Token, or the HTTP Authorization header, in my RESTful services?

I have already read Custom HTTP Authorization Header but could not clearly understand the drawback if I use a header like X-ABC-Token.

After reading REST Authorization: Username/Password in Authorization Header vs JSON body, I feel Authorization seems a good choice.

If I use HTTP Authorization then I believe I can use the Bearer scheme to achieve this, as mentioned in RFC 6750.

Please suggest the best ways to pass this token in each HTTP request.

Vijay Kumar Rajput

2 Answers


You shouldn't expand the standard features of the protocol if the existing ones solve your problem. The correct approach is to define your own authorization scheme for the Authorization header.

You can do something like:

Authorization: MyCompanyLogin token="abcdefg...."

Pedro Werneck
  • So, I can also use something like `Authorization: "ABC" KJHGHJKJktyuioiuytrJHGFKJH`? – Vijay Kumar Rajput Nov 22 '15 at 21:09
  • So, every time the token reaches the server, the value needs to be parsed to verify "ABC" and then validate the rest of the token. I believe in the same way I can send the generated token to the client with `response.addHeader("Authorization", "ABC " + generatedToken);` – Vijay Kumar Rajput Nov 22 '15 at 21:17
  • What is "ABC" supposed to mean? That's not a valid format for the header. – Pedro Werneck Nov 22 '15 at 21:31
  • Like Bearer `Authorization: Bearer wertyuytrertyRiuytiuytrYTREUCj` as said in http://stackoverflow.com/questions/7802116/custom-http-authorization-header . `Authorization: FIRE-TOKEN MFBONUoxN0hCR1pIVDdKS`, but I believe I should use something like `Authorization: eyJwYXNzd29yZCI6IiQyYS` – Vijay Kumar Rajput Nov 22 '15 at 23:32
  • I was following the example given in this link http://massimilianosciacco.com/spring-security-jwt-authentication which says `Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzd` – Vijay Kumar Rajput Nov 22 '15 at 23:34
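As an added example (my own code, not part of the answer or the question), here is a Python parser for the Authorization header that follows the RFC 7235 credentials grammar, plus an extractor for an RFC 6750 Bearer JWT and one for a custom scheme of the `MyCompanyLogin token="..."` form suggested in the answer. The header values in `EXAMPLES`, the scheme name and the function names are constructed for illustration. Run against the forms floated in the comments, it behaves as Pedro notes: a quoted scheme name is rejected outright, and a bare JWT with no scheme parses as a scheme name carrying no credentials, which a server has no reason to accept.

```python
import re

# Grammar from RFC 7235 section 2.1 (assumed from the RFC, not quoted in the answer):
#   credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
#   token68     = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   auth-param  = token BWS "=" BWS ( token / quoted-string )
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN_RE = re.compile(r"^" + TCHAR + r"+$")
TOKEN68_RE = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
AUTH_PARAM_RE = re.compile(
    r"(?P<name>" + TCHAR + r"+)[ \t]*=[ \t]*"
    + r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>' + TCHAR + r"+))"
)
# A compact-serialized JWT is three base64url segments joined by dots; base64url
# characters are a subset of token68, so a JWT fits the Bearer form unquoted.
JWT_RE = re.compile(r"^[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+$")


def parse_authorization(header):
    """Parse an Authorization value into (scheme, credentials).

    scheme is lower-cased (schemes are case-insensitive). credentials is None
    when absent, a str for the token68 form, or a dict for the auth-param form.
    Raises ValueError on anything outside the RFC 7235 grammar.
    """
    if header is None or header.strip() == "":
        raise ValueError("missing or empty Authorization header")
    parts = header.strip().split(None, 1)
    scheme = parts[0]
    if not TOKEN_RE.match(scheme):
        raise ValueError("auth-scheme is not a token: %r" % scheme)
    rest = parts[1].strip() if len(parts) > 1 else ""
    if rest == "":
        return scheme.lower(), None
    if TOKEN68_RE.match(rest):
        return scheme.lower(), rest
    params = {}
    pos = 0
    while pos < len(rest):
        m = AUTH_PARAM_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed auth-param at offset %d: %r" % (pos, rest[pos:]))
        name = m.group("name").lower()
        if m.group("quoted") is not None:
            value = re.sub(r"\\(.)", r"\1", m.group("quoted"))  # undo quoted-pair escapes
        else:
            value = m.group("bare")
        if name in params:
            raise ValueError("duplicate auth-param %r" % name)
        params[name] = value
        pos = m.end()
        sep = re.match(r"[ \t]*(,[ \t]*)?", rest[pos:])
        if pos + sep.end() < len(rest) and sep.group(1) is None:
            raise ValueError("expected ',' between auth-params at offset %d" % pos)
        pos += sep.end()
    return scheme.lower(), params


def extract_bearer_jwt(header):
    """Return the JWT carried as an RFC 6750 Bearer b64token, or raise ValueError."""
    scheme, creds = parse_authorization(header)
    if scheme != "bearer":
        raise ValueError("expected Bearer scheme, got %r" % scheme)
    if not isinstance(creds, str):
        raise ValueError("Bearer credentials must be a single b64token")
    if not JWT_RE.match(creds):
        raise ValueError("Bearer token is not a compact JWT")
    return creds


def extract_custom_scheme_token(header, scheme_name="MyCompanyLogin"):
    """Return the token= parameter of a custom scheme like 'MyCompanyLogin token="..."'."""
    scheme, creds = parse_authorization(header)
    if scheme != scheme_name.lower():
        raise ValueError("unexpected scheme %r" % scheme)
    if not isinstance(creds, dict) or "token" not in creds:
        raise ValueError("custom scheme requires a token= auth-param")
    return creds["token"]


# Constructed header values mirroring the forms discussed above (hypothetical tokens).
EXAMPLES = {
    "bearer": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.c2ln",
    "custom": 'MyCompanyLogin token="abcdefg...."',
    "quoted_scheme": '"ABC" KJHGHJKJktyuioiuytrJHGFKJH',
    "bare_jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.c2ln",
}


def classify(header):
    """Describe how a server applying RFC 7235/6750 rules sees a header value."""
    try:
        return "bearer:" + extract_bearer_jwt(header)
    except ValueError:
        pass
    try:
        return "custom:" + extract_custom_scheme_token(header)
    except ValueError:
        pass
    try:
        scheme, creds = parse_authorization(header)
        return "unsupported scheme %r with credentials %r" % (scheme, creds)
    except ValueError as e:
        return "invalid: %s" % e


if __name__ == "__main__":
    for label, value in EXAMPLES.items():
        print("%-14s %s" % (label, classify(value)))
```

The scheme is matched case-insensitively and the token68 form is tried before auth-params, so `Bearer <jwt>` and `Basic <base64>==` both land in the string branch while `Digest username="...", realm="..."` lands in the dict branch.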

Browsers and proxies already know about the Authorization header. For example, responses to requests with an Authorization header are not cached, or are cached only for one user.

In contrast, browsers and proxies don't know about your custom X-ABC-Token header. A proxy may return the same page to different users, even if that header is different. This makes it possible for one user to see another user's information. This can in turn be prevented by using the header Cache-Control: private.

Sjoerd
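As an added example (my own Python, not Sjoerd's), here is a simulated shared proxy cache that applies the RFC 7234 rules behind this answer: the cache key is method plus URL (plus any request headers named in Vary), a response to a request carrying Authorization is not stored unless the response says public, must-revalidate or s-maxage, and a response marked Cache-Control: private or no-store is never stored by a shared cache. The users, tokens, URL and the assumption that a plain 200 GET response is stored at all are constructed for illustration. It goes a step beyond the answer in two ways: Vary: X-ABC-Token also closes the hole for a custom header, and marking a response Cache-Control: public reopens it even when the token travels in Authorization.

```python
def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}, names lower-cased."""
    out = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') or None
    return out


def header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


class SharedCache:
    """Minimal shared cache following the RFC 7234 storage and key rules."""

    def __init__(self):
        # (method, url) -> list of (vary header names, vary values, response)
        self.entries = {}

    def _vary_values(self, request, vary_names):
        return tuple(header(request["headers"], n) for n in vary_names)

    def lookup(self, request):
        key = (request["method"], request["url"])
        for vary_names, vary_values, response in self.entries.get(key, []):
            if self._vary_values(request, vary_names) == vary_values:
                return response
        return None

    def store(self, request, response):
        cc = parse_cache_control(header(response["headers"], "Cache-Control"))
        if "no-store" in cc or "private" in cc:
            return False  # RFC 7234 section 3: never stored by a shared cache
        if header(request["headers"], "Authorization") is not None and not (
            "public" in cc or "must-revalidate" in cc or "s-maxage" in cc
        ):
            return False  # RFC 7234 section 3.2: Authorization blocks shared caching
        vary = header(response["headers"], "Vary") or ""
        if vary.strip() == "*":
            return False
        vary_names = tuple(n.strip() for n in vary.split(",") if n.strip())
        key = (request["method"], request["url"])
        self.entries.setdefault(key, []).append(
            (vary_names, self._vary_values(request, vary_names), response)
        )
        return True

    def fetch(self, request, origin):
        cached = self.lookup(request)
        if cached is not None:
            return cached
        response = origin(request)
        # Simplification: treat any 200 GET response as storable unless forbidden above.
        if request["method"] == "GET" and response["status"] == 200:
            self.store(request, response)
        return response


TOKENS = {"token-alice": "alice", "token-bob": "bob"}  # constructed sample users


def make_origin(auth_header_name, response_headers):
    """Origin that authenticates via the given header and returns a per-user profile."""
    def origin(request):
        parts = (header(request["headers"], auth_header_name) or "").split()
        user = TOKENS.get(parts[-1]) if parts else None
        if user is None:
            return {"status": 401, "headers": {}, "body": ""}
        return {"status": 200, "headers": dict(response_headers), "body": "profile of " + user}
    return origin


def scenario(auth_header_name, response_headers):
    """Alice fetches /me through a shared cache, then Bob does; return what Bob receives."""
    cache = SharedCache()
    origin = make_origin(auth_header_name, response_headers)
    url = "https://api.example/me"  # constructed
    alice = {"method": "GET", "url": url, "headers": {auth_header_name: "Bearer token-alice"}}
    bob = {"method": "GET", "url": url, "headers": {auth_header_name: "Bearer token-bob"}}
    cache.fetch(alice, origin)
    return cache.fetch(bob, origin)["body"]


if __name__ == "__main__":
    print("X-ABC-Token, no directives:   ", scenario("X-ABC-Token", {}))
    print("Authorization, no directives: ", scenario("Authorization", {}))
    print("X-ABC-Token + private:        ", scenario("X-ABC-Token", {"Cache-Control": "private"}))
    print("X-ABC-Token + Vary:           ", scenario("X-ABC-Token", {"Vary": "X-ABC-Token"}))
    print("Authorization + public:       ", scenario("Authorization", {"Cache-Control": "public, max-age=60"}))
```

The first scenario is the leak the answer warns about: Bob gets Alice's profile because the custom header is not part of the cache key and nothing told the proxy to keep the response private. Switching to Authorization, adding Cache-Control: private, or adding Vary: X-ABC-Token each stops it; Cache-Control: public on an Authorization-protected response brings it back, so that directive belongs only on responses that genuinely contain nothing user-specific.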