I'm making an authorization system in PHP, and I came across this Bearer scheme of passing JWT tokens; I read [RFC 6750][1]. I've got the following doubts:

- How is this improving the security?
- The server responds to the client with a JWT token in its body after a successful authorization and login. Now, when the client makes another request, I am not clear how to actually do that. I want to send the token from the client in the `Authorization` header of the request, so should I just prefix "Bearer" to the token which I received in the previous response from the server? And if yes, then should the server, on receiving the `Authorization` header, just split the string on the space, take the second value from the resulting array and then decode it? For example, given

      Authorization: Bearer fdbghfbfgbjhg_something

  how is the server supposed to handle this? Like `decodeFunc(explode(" ", $this->getRequest()->getHeader("Authorization"))[1])`?

[1]: https://www.rfc-editor.org/rfc/rfc6750
The `$headers` I am returning will have, say, `Bearer <space> <AuthToken>`. So now, is it right to just explode the string by space and take the actual token, or is the full string (`Bearer <space> <token>`) supposed to be taken as a whole? – Pandich
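Added example, not code from the question or any answer on this page: a PHP sketch of the server side of the exchange asked about above. It extracts the token from an `Authorization: Bearer ...` header the way RFC 6750 section 2.1 defines it (the scheme name is case-insensitive, followed by one or more spaces and a `b64token`), and then does the part `decodeFunc(...)` alone would miss: verifying the JWT's signature, pinning the algorithm, and checking `exp` before trusting any claim. The secret, token, header values and the helper names `extractBearerToken`, `verifyHs256Jwt` and `issueHs256Jwt` are all constructed for this example; in the real application the header comes from `$this->getRequest()->getHeader('Authorization')` (or `$_SERVER['HTTP_AUTHORIZATION']`), and a JWT library would normally replace the hand-rolled HS256 code.

```php
<?php
declare(strict_types=1);

// Constructed example: parse an Authorization header per RFC 6750 s2.1.
// Returns the raw token, or null if the header is absent or malformed.
// b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
function extractBearerToken(?string $header): ?string
{
    if ($header === null) {
        return null;
    }
    // Not explode(" ", ...)[1]: that breaks on "bearer" in another case,
    // on multiple spaces, and silently accepts junk after the token.
    $ok = preg_match('/^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/i', trim($header), $m);
    return $ok === 1 ? $m[1] : null;
}

function base64UrlEncode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function base64UrlDecode(string $s): ?string
{
    $padded = strtr($s, '-_', '+/');
    $padded .= str_repeat('=', (4 - strlen($padded) % 4) % 4);
    $out = base64_decode($padded, true); // strict: reject foreign characters
    return $out === false ? null : $out;
}

// Hypothetical helper: verify an HS256 JWT and return its claims, or null.
// Decoding the payload is NOT verification; every check below is required.
function verifyHs256Jwt(string $jwt, string $secret, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64UrlDecode($h) ?? '', true);
    $claims = json_decode(base64UrlDecode($p) ?? '', true);
    $sig    = base64UrlDecode($s);
    if (!is_array($header) || !is_array($claims) || $sig === null) {
        return null;
    }
    // Pin the algorithm server-side; never let the token choose it ("none").
    if (($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, $sig)) {       // constant-time compare
        return null;
    }
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= $now) {
        return null;
    }
    return $claims;
}

// Hypothetical helper standing in for the login response that mints the token.
function issueHs256Jwt(array $claims, string $secret): string
{
    $h = base64UrlEncode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $p = base64UrlEncode(json_encode($claims));
    return "$h.$p." . base64UrlEncode(hash_hmac('sha256', "$h.$p", $secret, true));
}

// Constructed demo values: secret, clock and a token for user42 valid for 1h.
$secret = 'constructed-demo-secret-change-me';
$now    = 1700000000;
$token  = issueHs256Jwt(['sub' => 'user42', 'exp' => $now + 3600], $secret);

$headers = [
    "Bearer $token",                           // valid
    "bearer   $token",                         // scheme case-insensitive, extra spaces
    "Basic dXNlcjpwYXNz",                      // wrong scheme
    "Bearer $token extra",                     // trailing junk
    'Bearer ' . substr($token, 0, -2) . 'xx',  // tampered signature
];
foreach ($headers as $hdr) {
    $t      = extractBearerToken($hdr);
    $claims = $t === null ? null : verifyHs256Jwt($t, $secret, $now);
    printf("%-30s => %s\n", substr($hdr, 0, 30),
        $claims === null ? 'reject' : 'accept sub=' . $claims['sub']);
}
```

Two caveats the RFC spells out and the code cannot enforce for you: a bearer token is proof of possession, so anyone who captures it can replay it, which is why it must only travel over TLS and should be short-lived; and on rejection the server should answer `401` with a `WWW-Authenticate: Bearer ...` header rather than a bare `403`, so clients know which scheme is expected.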