Reputation: 7812
OAuth2 Bearer token used like API_KEY
We want to make simple authorization for server-server HTTPS communication (we control both servers) like classic API_KEY: client has hardcoded (in a config) a key which use in every request. Server check if the key is valid.
Our colleague has implemented it like OAuth2 Bearer token (RFC6750)
Authorization: Bearer client_key
So the client has the client_key in the config, it's never refreshed. It works well, we have just a philosophical dispute in the company, if such "hardcoded" Bearer token is along with OAuth2 or not. (Disclaimer: I am not with any side of the dispute.)
Upvotes: 0
Views: 440
Answers (1)
Reputation: 53958
The OAuth 2.0 protocol basically defines an access_token - which is a token that is bound in time and permissions - and two protocol "legs":
- how to obtain and access token
- how to use/present an access token
You do not use access tokens (since your tokens are not bound in any way) and you've only "syntactically" implemented part 2. In fact you don't actually implement OAuth 2.0 in that case. You may present the client_key just as well in an HTTP Basic header or in a query parameter, it has nothing to do with OAuth 2.0 except that you're borrowing (arguably: abusing...) its header name and format.
Upvotes: 1
Related Questions
- Why Doesn't my Authorization Header need "Bearer"?
- What are Bearer Tokens and token_type in OAuth 2?
- What is the OAuth 2.0 Bearer Token exactly?
- Is OAuth2 Authorization header with "Bearer [access_token]" standard?
- Using an OAuth2 Bearer Token at later point in time
- How does Oauth2 (Bearer token) work when getting access_token
- Access Tokens in OAuth2?
- what's the difference between access token(Oauth1) and bearer token(Oauth2)
- OAuth2 returning JWT in place of access_token
- oAuth2.0 access token confusion