TL;DR: Is there any way to bind a (Bearer?) token to a unique client, and represent that in the HTTP request headers?
Consider the scenario where a user has an account with a service. The same user should be able to consume the services using different client applications (different browsers, native mobile apps). The best approach would be that, for each distinct environment, a login process is followed (OAuth2?) where each app acquires a token (bearer token). Then each client is able to consume the services and, by identifying itself with the token, the service provider is able to scope its use.
This works fine most of the time, but what happens when the service provider wants to isolate the use of each token to the specific client?
For sure, in a security incident the provider can just drop the collection/table that holds the tokens, but wouldn't it be better for the client to pass an md5 of its unique identifier (maybe md5(concat(app.version, environment.name, username))) along with its auth token?
P.S.: I think passing such a value as a property inside the body's payload is invalid, since such an authentication step should happen while the server reads the HTTP headers.
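The following is an added example of the binding check the question describes, written for this page; it is not code from the question or from any particular service. It assumes two header names, `Authorization: Bearer <token>` and `X-Client-Binding: <hex digest>`, both of which are this example's own choice. In place of `md5(concat(...))` it digests the same three fields (`app.version`, `environment.name`, `username`) with SHA-256 and length-prefixes each field so that two different triples cannot concatenate to the same bytes; that substitution is also the example's choice. The server records the digest presented at login next to the token, compares it in constant time on every request, and on a mismatch revokes only the affected token rather than the whole token table. The sample clients and usernames are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Header names are assumptions of this example, not part of the original question.
AUTH_HEADER = "Authorization"
BINDING_HEADER = "X-Client-Binding"


def client_binding(app_version: str, environment_name: str, username: str) -> str:
    """Digest the client sends to identify itself (the question's app.version,
    environment.name, username triple). SHA-256 is this example's choice.
    Each field is length-prefixed so that two different triples cannot
    concatenate to the same byte string ("1.0" + "prod" vs "1.0p" + "rod")."""
    h = hashlib.sha256()
    for part in (app_version, environment_name, username):
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(2, "big"))
        h.update(data)
    return h.hexdigest()


@dataclass
class TokenRecord:
    username: str
    binding: str          # digest presented at login; the token is bound to it
    revoked: bool = False


class TokenService:
    """Server side: issues bearer tokens and checks each request's binding."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}

    def login(self, username: str, binding: str) -> str:
        # Assumes the user already authenticated (password, OAuth2 flow, ...).
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(username, binding)
        return token

    def authenticate(self, headers: Dict[str, str]) -> Optional[str]:
        """Return the username for a valid, correctly bound request, else None."""
        scheme, _, token = headers.get(AUTH_HEADER, "").partition(" ")
        if scheme != "Bearer" or not token:
            return None
        record = self._tokens.get(token)
        if record is None or record.revoked:
            return None
        presented = headers.get(BINDING_HEADER, "")
        # Constant-time comparison; both values are hex strings.
        if not hmac.compare_digest(presented.encode(), record.binding.encode()):
            # Token presented from a client other than the one that obtained it:
            # revoke only this token rather than dropping the whole token table.
            record.revoked = True
            return None
        return record.username

    def is_revoked(self, token: str) -> bool:
        record = self._tokens.get(token)
        return record is None or record.revoked


def demo() -> Dict[str, object]:
    """Walk through the question's scenario with constructed sample clients."""
    service = TokenService()
    browser = client_binding("4.2.0", "firefox-desktop", "alice")
    mobile = client_binding("1.7.3", "android-app", "alice")
    browser_token = service.login("alice", browser)
    mobile_token = service.login("alice", mobile)

    def request(token: str, binding: str) -> Optional[str]:
        return service.authenticate({
            AUTH_HEADER: "Bearer " + token,
            BINDING_HEADER: binding,
        })

    return {
        "browser_ok": request(browser_token, browser),            # "alice"
        "mobile_ok": request(mobile_token, mobile),               # "alice"
        "replayed": request(browser_token, mobile),               # None: wrong client
        "browser_after_replay": request(browser_token, browser),  # None: token revoked
        "mobile_still_ok": request(mobile_token, mobile),         # "alice": unaffected
        "browser_token_revoked": service.is_revoked(browser_token),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the module prints the six outcomes of `demo()`: the browser and mobile tokens each work with the binding they were issued against, the browser token presented with the mobile client's digest is refused and revoked, and the mobile token keeps working. The check detects a token being used from a client other than the one it was issued to; it does not, by itself, stop a party who has captured both the token and the binding header from replaying them together.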