
Using JupyterHub 0.8.1. While making REST API calls to JupyterHub (for user/service and server management in JupyterHub) we need to provide an Authorization header with a value such as

e.g. "token e9f6bdea27b5e3d2bs906ad1de0d2739"

e.g. the full header:

Authorization: token e9f6bdea27b5e3d2bs906ad1de0d2739

Is there any explanation for the "token" keyword in the value of the header?

Dmitriy
Sangram Gaikwad
  • Apart from insights into token-based authentication, my question was on the practice of adding the "token" keyword in the pattern Authorization: ? Does it have any security advantages or is it just an accepted practice? Because even without the "token" keyword the credentials and authentication still hold good. – Sangram Gaikwad Mar 08 '18 at 11:28

2 Answers


The Authorization: <type> <credentials> pattern was introduced by the W3C in HTTP 1.0, and has been reused in many places since. Many web servers support multiple methods of authorization. In those cases sending just the token isn't sufficient.

Sites that use the

Authorization : token cn389ncoiwuencr

format are most likely implementing OAuth 2.0 tokens. The OAuth 2.0 Authorization Framework sets a number of other requirements to keep authorization secure, for instance requiring the use of HTTPS/TLS.

For more explanation:

Token Based Authentication

Having to send the username and the password with every request is inconvenient and can be seen as a security risk even if the transport is secure HTTP, since the client application must have those credentials stored without encryption to be able to send them with the requests.

An improvement over the previous solution is to use a token to authenticate requests.

The idea is that the client application exchanges authentication credentials for an authentication token, and in subsequent requests just sends this token.

Tokens are usually given out with an expiration time, after which they become invalid and a new token needs to be obtained. The potential damage that can be caused if a token is leaked is much smaller due to their short life span.

Abdullah Ahmed Ghaznavi
  • Thanks for your insight into token-based authentication. But my question was on the practice of adding the "token" keyword in the pattern Authorization: ? Does it have any security advantages or is it just an accepted practice? – Sangram Gaikwad Mar 08 '18 at 11:26

Authorization is a request header. The browser sends this header to the server to authenticate the client.

The syntax for the Authorization header is:

Authorization: <type> <credentials>

In your example, token is the name of the authentication scheme to be used to authenticate the user.

There are other schemes (types) of authentication/authorization, for example Basic, Bearer, OAuth, etc. That means, all these keywords can also take the place of token keyword in the header depending on which scheme is being used.

Every authentication scheme has its own way of authenticating the client.

So, the keyword token tells the server to use token auth scheme to authenticate this client. Without this keyword, the server wouldn't know how to authenticate the user.

Example:

Let's talk about Basic auth a little. The Authorization header would look like this in case of Basic auth:

Authorization: Basic asldkfj89s7flsjfl==

                     \_________________/
                             |
                      This part is base64 encoding of 
                      <username:password> of the client

So, when the request reaches the server, it can tell which type of authentication scheme the client is using to authenticate itself. From the above example, it's Basic auth.

In Basic auth, the <credentials> part is a base64 encoding of the client's <username:password>. Now, the server knows that this is Basic auth, so it will know how to authenticate the client - by decoding the base64 credentials and looking at the username and password.

If it were some other auth scheme, the server would process the <credentials> in a different way to authenticate the user.

xyres
  • Apart from insights into token-based authentication, my question was on the practice of adding the "token" keyword in the pattern Authorization: ? Does it have any security advantages or is it just an accepted practice? Because even without the "token" keyword the credentials and authentication still hold good. – Sangram Gaikwad Mar 08 '18 at 11:31
  • @SangramGaikwad I do mention in the answer the role of the `token` keyword. It is to let the server know to use `token` auth to authenticate the user. Since there are many more authentication schemes and each has different methods of authentication, basically the `token` keyword or `Basic` keyword lets the server know which scheme to use. I agree that without the `token` keyword the credentials would still work, if there weren't other methods of authentication. – xyres Mar 08 '18 at 11:39
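The point both answers make, and the follow-up comment qualifies, is easiest to see from the server side: the `<type>` word is what lets a server that accepts several schemes route the `<credentials>` to the right checker, and a server that accepts exactly one scheme can get away without it. The example below is added here to illustrate that; it is not JupyterHub's code nor the code of either answer. The credential store (`USERS`, `API_TOKENS`), the user name `alice` and the password are constructed for the example; the token value is the one from the question, mapped to that hypothetical user. `authenticate()` dispatches on the scheme exactly as the second answer describes (`Basic` decodes base64 `user:password`, `token` and `Bearer` look the value up in a token table), while `authenticate_token_only()` shows the single-scheme server from the comment that accepts the bare token as well.

```python
import base64
import binascii
import hmac
from typing import Callable, Dict, Optional, Tuple

# Constructed sample credential store (hypothetical; not JupyterHub's).
USERS: Dict[str, str] = {"alice": "s3cret"}
API_TOKENS: Dict[str, str] = {
    # token value from the question, mapped to a hypothetical user
    "e9f6bdea27b5e3d2bs906ad1de0d2739": "alice",
}


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split 'Authorization: <type> <credentials>' into (scheme, credentials).

    Scheme names are case-insensitive (RFC 7235), so the scheme is lower-cased.
    A value without a scheme word (just a bare token) does not parse.
    """
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    scheme, credentials = parts
    return scheme.lower(), credentials.strip()


def authenticate_basic(credentials: str) -> Optional[str]:
    """Basic: credentials are base64(<username>:<password>)."""
    try:
        decoded = base64.b64decode(credentials, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None  # not base64, or not text: reject
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    expected = USERS.get(username)
    # constant-time comparison so a wrong password is not distinguishable by timing
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return username


def authenticate_token(credentials: str) -> Optional[str]:
    """token / Bearer: credentials are an opaque API token looked up in a table."""
    for stored, user in API_TOKENS.items():
        if hmac.compare_digest(stored.encode(), credentials.encode()):
            return user
    return None


# Scheme word -> checker. This table is why the scheme word matters: each entry
# interprets <credentials> differently.
HANDLERS: Dict[str, Callable[[str], Optional[str]]] = {
    "basic": authenticate_basic,
    "token": authenticate_token,
    "bearer": authenticate_token,
}


def authenticate(header: Optional[str]) -> Optional[str]:
    """Multi-scheme server: returns the user name, or None if the request is not authenticated."""
    parsed = parse_authorization(header)
    if parsed is None:
        return None  # missing header, or no scheme word: ambiguous, so refuse
    scheme, credentials = parsed
    handler = HANDLERS.get(scheme)
    if handler is None:
        return None  # unknown scheme (e.g. Digest) is not supported here
    return handler(credentials)


def authenticate_token_only(header: Optional[str]) -> Optional[str]:
    """Single-scheme server from the comment: only API tokens are accepted, so the
    'token' prefix is optional and a bare token still authenticates."""
    parsed = parse_authorization(header)
    if parsed is not None and parsed[0] == "token":
        credentials = parsed[1]
    else:
        credentials = (header or "").strip()
    return authenticate_token(credentials)


def make_basic_header(username: str, password: str) -> str:
    """Build the client-side Basic header for a given user/password pair."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    for value in ["token e9f6bdea27b5e3d2bs906ad1de0d2739",
                  "e9f6bdea27b5e3d2bs906ad1de0d2739",
                  make_basic_header("alice", "s3cret"),
                  "Digest username=\"alice\""]:
        print(f"{value!r:55} multi-scheme -> {authenticate(value)!s:6} token-only -> {authenticate_token_only(value)}")
```

Running the block prints one line per constructed header. The multi-scheme server accepts the `token …` and `Basic …` forms and refuses the bare token because, without the scheme word, it cannot tell whether the value is an API token or base64 credentials; the token-only server accepts the bare token because it has nothing else to confuse it with. Swapping the scheme word (`Basic e9f6…`) fails too, since the same bytes are now interpreted under a different scheme.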