Atul Kumar

Reputation: 749

Can multiple bearer tokens be supported in the Authorization header?

In a JAVA based application, we are receiving a JWT token through the Authorization HttpHeader. As I know, an HttpHeader can contain multiple values against one Header Key.

So here I want to know whether the Authorization http header can also contain multiple bearer token values in the same header? I know the Authorization header can contain multiple tokens of different types like Basic, Bearer etc.

But can it also contain multiple tokens of the same type as values?

As an example (whether it is valid or not):
"Authorization" : "Bearer XXXXXX1, Bearer XXXXX2" 

Any RFC reference will be helpful.

Upvotes: 2

Views: 4891

Answers (1)

Spirann

Reputation: 41

TLDR; It's possible and some servers could be handling it, but it's not RFC valid.

Long answer:

This can be valid, as defined in RFC7230, section 3.2.2, Field Order:

A recipient MAY combine multiple header fields with the same field name into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field value to the combined field value in order, separated by a comma. The order in which header fields with the same field name are received is therefore significant to the interpretation of the combined field value; a proxy MUST NOT change the order of these field values when forwarding a message.

Each "Bearer XXXX" should be considered as separate field-value.

So some servers may be able to handle it ...

... But the "Authorization" RFC (RFC7235, Appendix C) adds more rules specifically for the Authorization header:

Authorization = credentials

credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *( OWS "," [ OWS auth-param ] ) ] ) ]

auth-param = token BWS "=" BWS ( token / quoted-string )

So it seems you shouldn't be able to contain multiple tokens of different types like Basic, Bearer etc., as it accepts only one auth-scheme.

The RFC for Bearer (RFC6750 section 2.1) is even simpler:

b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="

credentials = "Bearer" 1*SP b64token

So it can contain multiple values of the same or different scheme; some servers will accept it because it's a valid header, but it will not be RFC valid because the Authorization header is more restrictive.

Upvotes: 1
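A strict check of the grammar quoted in the answer above, written as an added example for this thread (it is not code from either poster). Python is used instead of the asker's Java to keep the logic short; the header names and token values are constructed for the example. It applies the RFC 6750 b64token rule and the RFC 7230 field-combining rule to the exact header the question asks about, and treats a repeated Authorization field as a reject rather than silently combining it, so the token the application trusts is never ambiguous:

```python
import re

# RFC 6750 section 2.1 (as quoted in the answer):
#   b64token    = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
#   credentials = "Bearer" 1*SP b64token
# "1*SP" means one or more literal spaces (no tabs). The scheme name is
# matched case-insensitively, as RFC 7235 requires for auth-scheme tokens.
_BEARER_CREDENTIALS = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def combine_header_fields(values):
    """RFC 7230 section 3.2.2: a recipient MAY join repeated fields of the same
    name with ", ". Applied to two Authorization fields this yields exactly the
    'Bearer X, Bearer Y' value from the question, which is why some servers see it."""
    return ", ".join(values)


def parse_bearer(authorization_value):
    """Return the b64token if the value is exactly one RFC 6750 Bearer credential,
    otherwise None. A comma-joined pair fails because ',' is outside the
    b64token alphabet, so the whole value cannot match the grammar; the same
    goes for a second scheme such as Basic, or a 'key=value' auth-param."""
    match = _BEARER_CREDENTIALS.match(authorization_value)
    return match.group(1) if match else None


def bearer_token_from_headers(headers):
    """headers: list of (name, value) pairs as received on the wire (constructed
    input in the test). Header names are case-insensitive. If Authorization
    appears more than once, reject instead of combining: combining would
    produce a value that is not valid Bearer credentials anyway, and different
    hops might otherwise pick different tokens."""
    auth_values = [v for n, v in headers if n.lower() == "authorization"]
    if len(auth_values) != 1:
        return None
    # Strip the optional whitespace around a field value before applying the grammar.
    return parse_bearer(auth_values[0].strip())
```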
