In modern web architectures, a security token is used to grant access to a protected resource. It typically is a string of random characters that is generated by an identity/authorization server in response to a login/identification request. Bearer tokens are a type of security tokens - one that has gained a lot of popularity due to the introduction of the OAuth2.0 standard. The name “bearer token” comes from the fact that the token can be used by anyone who has it. This is in contrast to other types of tokens, such as proof of possession (PoP) tokens, which can only be used by the specific client that was issued the token. If the PoP token is stolen, it cannot be used by anyone else.
The easiest way to remember this is that bearer tokens are a bit like cash - anyone who has cash can use it to access(buy) a protected resource(stuff). The cash need not be earned by you - you could have found it in a wallet by the wayside or it could have been given to you by someone else and yet you can use that cash to purchase anything that you would want. On the other hand, PoP tokens are a bit like credit cards - these are usually protected by a PIN that is only known by the owner of the card. If you find a credit card by the wayside, you most likely wont be able to use it as you will not know the PIN for the card.
Bearer tokens are typically used in conjunction with OAuth 2.0, but they can also be used with other authentication schemes. They are a popular choice because they are relatively easy to implement and they provide a secure way to grant access to protected resources. While the bearer tokens could just be any random string, nowadays theese are fully qualified JWT tokens signed using the keys of the identity/authorization server. By using JWTs as bearer tokens you gain a few advantages
- Self-contained: JWTs are self-contained, meaning that they contain all the information needed to authenticate a user
- Secure: JWTs are digitally signed, which means that they can be verified to ensure that they have not been tampered with. JWTs signed using asymmetric keys can be validated without actually contacting the identity/authorization server
- Efficient: JWTs are relatively small and efficient, which means that they can be easily transmitted over the network
- Flexible: JWTs can be used to transmit a variety of information, not just user authentication data. We should be really careful about this as there is a tendency to put the whole kitchen sink inside a JWT.
- Stateless: JWTs are stateless, which means that the server does not need to store any state about the user
- Standardized: JWTs are based on a standardized format, which makes them easy to understand and use
- Time Bound: JWTs typically have a IssuedAt (iat) or Expiry (exp) claims that can be used to determine if the token is still active at the time its being validated
Bearer tokens can easily be intercepted as they are usually transmitted as http request headers. Such intercepted tokens can be used by hacker to access the protected resource. While using JWTs makes it convenient to “overload” the security token to carry other information, it could also lead to leaking of sensistive data if not used in an appropriate manner.
While PoP tokens have obvious advantages over Bearer tokens, they are usually harder to implement. It also in most cases require a secure TLS channel or tunnel - which is usually achieved using MTLS. Its usage is limited to situations where security is paramount, such as banking or for financial transactions. PoP tokens are also not supported as widely as Bearer tokens in programming languages and software libraries.
Overall, bearer tokens are a popular choice for authentication because they are simple, effective, flexible, and efficient. They are a good choice for a variety of different applications and they can be used to improve the security and performance of those applications.