Bearer Tokens and REST

Any folks out there using Bearer Tokens in their REST Integrations?

We are looking at some enhancements to security for REST to make clients easier to program internally - better user experiences. I’d like to check if I am going to break anyone and if they had to work around the same ‘re-authenticate’ issue.

If anyone is using Bearer Tokens, I’d love to have a one on one.

Bart Elia
BElia at Epicor dot com

I’m not using that yet but we have a use case where we’re considering sending a REST link in email to perform actions in E10. How to authenticate is one of the questions.

Not using them yet, but we’d LOVE to be able to have Epicor use Azure AD for authentication purposes, which makes use of bearer tokens.

Mark W.

From: Authentication vs. authorization - Microsoft Entra | Microsoft Learn

Azure AD supports the OAuth 2.0 and OpenID Connect standards that make extensive use of bearer tokens, including bearer tokens represented as JWTs. A bearer token is a lightweight security token that grants the “bearer” access to a protected resource. In this sense, the “bearer” is any party that can present the token. Though a party must first authenticate with Azure AD to receive the bearer token, if the required steps are not taken to secure the token in transmission and storage, it can be intercepted and used by an unintended party. While some security tokens have a built-in mechanism for preventing unauthorized parties from using them, bearer tokens do not have this mechanism and must be transported in a secure channel such as transport layer security (HTTPS). If a bearer token is transmitted in the clear, a man-in-the-middle attack can be used by a malicious party to acquire the token and use it for unauthorized access to a protected resource. The same security principles apply when storing or caching bearer tokens for later use. Always ensure that your application transmits and stores bearer tokens in a secure manner. For more security considerations on bearer tokens, see RFC 6750 Section 5.
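As an added illustration (not code from Epicor or from anyone in this thread), a small Python client that applies the RFC 6750 Section 5 advice quoted above and deals with the ‘re-authenticate’ problem from the opening post: it refuses to send the token over plain HTTP, refreshes before the JWT exp claim passes, and re-authenticates exactly once on a 401. The base URL, the token issuer and the resource server are constructed fakes so the demo runs offline.

```python
import base64
import json
from urllib.parse import urlparse

def jwt_exp(token):
    """'exp' claim of a JWT, read WITHOUT verifying the signature: the resource
    server verifies; the client only uses it to decide when to re-authenticate."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)              # restore base64url padding
        return json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    except (IndexError, ValueError):
        return None

class BearerClient:
    """Token sent only over HTTPS (RFC 6750 5.2), refreshed before 'exp' passes."""
    def __init__(self, base_url, authenticate, now, skew=30):
        if urlparse(base_url).scheme != "https":
            raise ValueError("bearer tokens must not be sent over plain HTTP")
        self._authenticate, self._now, self._skew = authenticate, now, skew
        self._token, self.auth_count = None, 0

    def call(self, send):
        """send(headers) -> HTTP status. Re-authenticates at most once on a 401."""
        for _ in range(2):
            exp = jwt_exp(self._token) if self._token else None
            if self._token is None or (exp is not None and exp - self._skew <= self._now()):
                self._token, self.auth_count = self._authenticate(), self.auth_count + 1
            status = send({"Authorization": "Bearer " + self._token})
            if status != 401:
                break
            self._token = None                            # rejected server-side: re-auth once
        return status

def demo():
    """Constructed fake token issuer and resource server so this runs offline."""
    clock, state = [1000], {"token": None}
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    def authenticate():                                   # issues an unsigned demo JWT
        state["token"] = b64({"alg": "none"}) + "." + b64({"exp": clock[0] + 60}) + "."
        return state["token"]
    def send(headers):                                    # accepts only the current token
        return 200 if headers["Authorization"] == "Bearer " + state["token"] else 401
    c = BearerClient("https://erp.example.com/api", authenticate, now=lambda: clock[0])
    statuses = [c.call(send), c.call(send)]               # one authentication, token reused
    clock[0] += 45                                        # within the 30 s skew: refresh early
    statuses.append(c.call(send))
    state["token"] = "revoked"                            # server rejects old token -> 401
    statuses.append(c.call(send))
    return statuses, c.auth_count                         # ([200, 200, 200, 200], 3)
```

Swap `authenticate` for a real call to the identity provider and `send` for the HTTPS request; the retry stays bounded so a revoked token cannot turn into a re-authentication loop.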

I know OAuth and OpenID well.
The JWT approach is supported via Azure through their Federation endpoint and is nicely done. WCF does not play nice with any of the OpenID / OAuth world though so 100% seamless is not possible (e.g. - Not supported by MS). There are workarounds - stay tuned.

1 Like

I’d donate a kidney for OAuth 2.0 support since what I’m playing with requires it so I’m having to do my own middle man OAuth… YIKES

1 Like

OK, I’ll donate Jose’s kidney too if that helps.

2 Likes

Sounds like I have two customer advisory volunteers, I know where you live…

2 Likes