5

Should I use a custom HTTP header to pass a JSON Web Token, or the HTTP Authorization header, in my RESTful services?

I have already read Custom HTTP Authorization Header but could not clearly understand the drawback if I use a header like X-ABC-Token.

After reading REST Authorization: Username/Password in Authorization Header vs JSON body, I feel Authorization seems a good choice.

If I use HTTP Authorization, then I believe I can use the Bearer scheme to achieve this, as mentioned in rfc6750.

Please suggest the best ways to pass this token in each HTTP request.

2 Answers

5

You shouldn't extend the standard features of the protocol if the existing ones solve your problem. The correct approach is to define your own authorization scheme for the Authorization header.

You can do something like:

Authorization: MyCompanyLogin token="abcdefg...."


5 Comments

So, I can also use something like Authorization: "ABC" KJHGHJKJktyuioiuytrJHGFKJH"
So, every time the token reaches the server, the value needs to be parsed to verify "ABC" and then validate the rest of the token. I believe in the same way I can send the generated token to the client with response.addHeader("Authorization", "ABC " + generatedToken);
What is "ABC" supposed to mean? That's not a valid format for the header.
Like Bearer: Authorization: Bearer wertyuytrertyRiuytiuytrYTREUCj, as said in stackoverflow.com/questions/7802116/… . Or Authorization: FIRE-TOKEN MFBONUoxN0hCR1pIVDdKS, but I believe I should use something like Authorization: eyJwYXNzd29yZCI6IiQyYS
I was following the example given in this link massimilianosciacco.com/spring-security-jwt-authentication, which says Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzd
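The comments above go back and forth on what a well-formed Authorization value looks like. As an added example (not code from the question, the answer or any linked project), here is a small server-side parser that splits the header into scheme and credentials, accepts the RFC 6750 Bearer form (credentials restricted to the b64token character set), and also accepts a custom scheme with a `token="..."` auth-param as the answer suggests. The scheme name `MyCompanyLogin` comes from the answer; the function names and the rejection of a bare token with no scheme are my choices.

```python
import re

# RFC 6750 b64token: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")

# RFC 7235 auth-param: name = ( token / quoted-string )
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_AUTH_PARAM = re.compile(
    r'^\s*(' + _TCHAR + r')\s*=\s*(?:"([^"]*)"|(' + _TCHAR + r'))\s*$'
)


def parse_authorization(header):
    """Split 'Authorization: <scheme> <credentials>' into (scheme, credentials).

    Returns None when the value is absent, has no scheme, or has no credentials,
    so a bare JWT with no scheme in front of it is rejected.
    """
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2:
        return None
    scheme, credentials = parts[0].lower(), parts[1].strip()
    if not credentials:
        return None
    return scheme, credentials


def extract_bearer_token(header):
    """Return the token from 'Bearer <b64token>', or None if malformed."""
    parsed = parse_authorization(header)
    if parsed is None or parsed[0] != "bearer":
        return None
    token = parsed[1]
    # Spaces, quotes or other characters outside b64token mean a malformed header.
    if not _B64TOKEN.match(token):
        return None
    return token


def extract_custom_token(header, scheme="MyCompanyLogin"):
    """Return the token from '<scheme> token="..."' (custom scheme), or None."""
    parsed = parse_authorization(header)
    if parsed is None or parsed[0] != scheme.lower():
        return None
    match = _AUTH_PARAM.match(parsed[1])
    if match is None or match.group(1).lower() != "token":
        return None
    # group(2) is the quoted-string form, group(3) the bare token form
    return match.group(2) if match.group(2) is not None else match.group(3)


if __name__ == "__main__":
    print(extract_bearer_token("Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzd"))
    print(extract_bearer_token("eyJwYXNzd29yZCI6IiQyYS"))   # no scheme -> None
    print(extract_custom_token('MyCompanyLogin token="abcdefg...."'))
```

Scheme names are matched case-insensitively, as RFC 7235 requires, and the credentials are returned untouched so the caller can go on to verify the JWT signature and claims; this parser only decides whether the header is shaped correctly.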
1

Browsers and proxies already know about the Authorization header. For example, responses to requests with an Authorization header are not cached or are cached just for one user.

In contrast, browsers and proxies don't know about your custom X-ABC-Token header. A proxy may return the same page to different users, even if that header is different. This makes it possible for one user to see the information of another user. This in turn can be prevented by using the header Cache-Control: private.
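To make the caching point concrete, here is an added example (my own toy model, not code from the answer) of a shared proxy cache that keys responses on the URL only and applies the RFC 7234 rule for requests carrying Authorization. The token-to-user table, the `/me` URL and the "profile of <user>" bodies are constructed sample data; the X-ABC-Token header name is the one from the question. Running it shows that with the custom header a second user is served the first user's profile unless the origin sends Cache-Control: private, while a Bearer Authorization request is never stored by the shared cache unless the origin explicitly allows it with public, must-revalidate or s-maxage.

```python
# Constructed sample data: opaque token -> user
USERS_BY_TOKEN = {"tok-alice": "alice", "tok-bob": "bob"}


def parse_cache_control(headers):
    """Return the Cache-Control directive names (values dropped), lower-cased."""
    value = headers.get("Cache-Control", "")
    return {d.strip().split("=", 1)[0].lower() for d in value.split(",") if d.strip()}


class SharedCache:
    """Toy shared (proxy) cache: keys on URL, ignores headers it does not know."""

    def __init__(self):
        self._store = {}

    def fetch(self, request, origin):
        key = request["url"]
        if key in self._store:
            return self._store[key]          # cache hit, whoever is asking
        response = origin(request)
        if self._is_storable(request, response):
            self._store[key] = response
        return response

    def _is_storable(self, request, response):
        if response["status"] != 200:
            return False
        directives = parse_cache_control(response["headers"])
        if "no-store" in directives or "private" in directives:
            return False
        # RFC 7234 section 3.2: a shared cache must not reuse a response to a
        # request with Authorization unless public, must-revalidate or s-maxage
        # explicitly allows it.
        if "Authorization" in request["headers"]:
            return bool(directives & {"public", "must-revalidate", "s-maxage"})
        return True


def make_origin(cache_control=None):
    """Origin accepting the token as 'Authorization: Bearer <t>' or 'X-ABC-Token: <t>'."""
    def origin(request):
        headers_in = request["headers"]
        token = None
        if "Authorization" in headers_in:
            scheme, _, creds = headers_in["Authorization"].partition(" ")
            if scheme.lower() == "bearer":
                token = creds.strip()
        elif "X-ABC-Token" in headers_in:
            token = headers_in["X-ABC-Token"]
        user = USERS_BY_TOKEN.get(token)
        if user is None:
            return {"status": 401, "headers": {}, "body": ""}
        headers_out = {"Content-Type": "text/plain"}
        if cache_control:
            headers_out["Cache-Control"] = cache_control
        return {"status": 200, "headers": headers_out, "body": f"profile of {user}"}
    return origin


def simulate(header_style, cache_control=None):
    """alice, then bob, fetch /me through one shared cache; return the body bob receives."""
    cache = SharedCache()
    origin = make_origin(cache_control)

    def request_for(token):
        if header_style == "authorization":
            headers = {"Authorization": f"Bearer {token}"}
        else:
            headers = {"X-ABC-Token": token}
        return {"url": "/me", "headers": headers}

    cache.fetch(request_for("tok-alice"), origin)
    return cache.fetch(request_for("tok-bob"), origin)["body"]


if __name__ == "__main__":
    print(simulate("custom"))                 # profile of alice  (leaked to bob)
    print(simulate("custom", "private"))      # profile of bob
    print(simulate("authorization"))          # profile of bob
```

The fourth case worth checking is Authorization together with Cache-Control: public: the explicit directive overrides the default protection, and the shared cache will hand alice's response to bob. The safe default for per-user API responses is therefore to send Cache-Control: private (or no-store) regardless of which header carries the token, and to treat the Authorization rule as defence in depth rather than the only control.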
