Reputation: 143
I'm looking for ideas to prevent customers from sharing OAuth tokens, i.e. the customer that created the token should be the only one using it. What can one do on the server side to prevent this customer from sharing the token with someone else?
Upvotes: 5
Views: 1939
Reputation: 16695
There are several IETF RFCs/drafts that try to provide a way to verify that the client is the "owner" of the token. These specifications are related to the OAuth2 Framework Protocol; however, they can be implemented in any other token exchange context.
They are namely:
Another interesting protocol is Hawk tokens: see https://github.com/hueniverse/hawk (Eran Hammer was an OAuth2 contributor).
As you will see, all these specifications rely on a request signed by the client. This seems to be the best way to verify that the client is allowed to use the token. Any other verification, such as IP address, User Agent, Device ID..., is not reliable, as these can be spoofed.
Upvotes: 2
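The signed-request idea the answer above describes, shown as an added example (this is not code from the answer, from Hawk, or from any of the IETF drafts). It assumes a simplified proof-of-possession scheme of its own: the server issues a token id together with a secret key that only that client receives, and each request must carry an HMAC over the method, path, body hash, timestamp and nonce. The `PoP` header format, the in-memory `TOKEN_STORE`, and the 60-second skew window are constructed for the demo.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed demo state: the server keeps, per issued token, the client's
# signing key and the client it belongs to. A real deployment would use a
# database and a persistent nonce cache.
TOKEN_STORE = {}      # token_id -> {"key": bytes, "client": str}
SEEN_NONCES = set()   # (token_id, nonce) pairs already accepted
MAX_SKEW = 60         # seconds of clock drift tolerated before a request is stale


def issue_token(client_id):
    """Issue a token id plus a secret key that only this client receives.

    The token id on its own is useless: every request must carry a MAC made
    with the key, so passing the id to someone else does not let them in.
    """
    token_id = secrets.token_urlsafe(16)
    key = secrets.token_bytes(32)
    TOKEN_STORE[token_id] = {"key": key, "client": client_id}
    return token_id, key


def canonical_string(method, path, body, ts, nonce):
    """Bytes covered by the MAC: method, path, body hash, timestamp, nonce."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(ts), nonce]).encode()


def sign_request(token_id, key, method, path, body, ts=None, nonce=None):
    """Client side: build the (hypothetical) 'PoP' Authorization header."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    mac = hmac.new(key, canonical_string(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"Authorization":
            f'PoP id="{token_id}", ts="{ts}", nonce="{nonce}", mac="{mac}"'}


def verify_request(headers, method, path, body, now=None):
    """Server side: accept only a fresh, unreplayed request signed with the
    key bound to the presented token. Returns (ok, client_or_reason)."""
    now = int(time.time()) if now is None else now
    value = headers.get("Authorization", "")
    if not value.startswith("PoP "):
        return False, "missing PoP header"
    fields = dict(re.findall(r'(\w+)="([^"]*)"', value))
    rec = TOKEN_STORE.get(fields.get("id"))
    if rec is None:
        return False, "unknown token"
    try:
        ts = int(fields["ts"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale request"
    nonce = fields.get("nonce", "")
    if (fields["id"], nonce) in SEEN_NONCES:
        return False, "replayed nonce"
    expected = hmac.new(rec["key"], canonical_string(method, path, body, ts, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, fields.get("mac", "")):
        return False, "bad signature"
    SEEN_NONCES.add((fields["id"], nonce))   # record only after a valid MAC
    return True, rec["client"]


def demo():
    """Walk through the cases the answer is about: legitimate use, a replay
    of a captured request, and a third party holding only the token id."""
    token_id, key = issue_token("alice")
    body = b'{"amount": 5}'
    good = sign_request(token_id, key, "POST", "/api/transfer", body)
    ok, client = verify_request(good, "POST", "/api/transfer", body)
    replay_ok, _ = verify_request(good, "POST", "/api/transfer", body)
    # Someone who was given the token id but not the key cannot produce a valid MAC.
    forged = sign_request(token_id, b"not-the-real-key", "POST", "/api/transfer", body)
    forged_ok, _ = verify_request(forged, "POST", "/api/transfer", body)
    return ok, client, replay_ok, forged_ok


if __name__ == "__main__":
    print(demo())   # (True, 'alice', False, False)
```

The point to take from `verify_request` is that the shared secret never travels with the request, only a MAC over it does, so a leaked or forwarded token id alone fails with "bad signature", while the timestamp and nonce checks stop a captured request from being replayed. The same structure carries over to an asymmetric variant where the client signs with a private key and the server stores only the public key.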
Reputation: 4191
In my own opinion, the best way to prevent token sharing is to get the machine ID of a PC, hardware serial, etc., and then make it the token. Before that, register the gathered machine ID in your database. No one can access your web service except the registered machine.
Otherwise, a person ID can be used to check whether it exists in the database. I mean, register the person ID, then verify first whether they are registered or not; but if the person gives their person ID to another person, this could be a problem.
Hope it helps.
Upvotes: 0