2 minutes OAuth: Bearer and Sender Constrained Tokens

In episode #1, I explained that OAuth uses metro-ticket-like “tokens” to access a protected resource. These are called bearer tokens, as anybody who bears the token can use it. If you lose it and someone picks it up, she can use it.

There is another type of token in OAuth, called a “sender constrained token.” It is like an airline boarding pass: only the person who is entitled to use it can use it. In the case of the airline boarding pass, the name on the boarding pass and the name on your passport must match, and the picture on the passport and your face must match. So, the token is bound to you. In an online scenario such as OAuth, this binding is usually done through cryptographic key material: unless you hold the key that proves you are the entitled person, the token cannot be used. Because of this, such a token is often called a Holder-of-Key token.

In OAuth 2, you can use both types. In a simple, low-risk case a bearer token is usually used, while in a higher-risk scenario such as banking a sender constrained token is typically chosen.

So, now you know what “bearer tokens” and “sender constrained” tokens are.

Before you go, don’t forget to hit the subscribe button if you have not already.

In the next episode, I am going to talk about different endpoints in OAuth.


See you next time!
