Hi All, With the introduction of new IAM portal applications, there is a requirement to provide additional security measures to secure these SPAs. We have already implemented the OAuth2 authorization code flow (public client) with PKCE for these applications, and with this feature it will be possible to bind the access token to the browser instance. So an additional security measure will be enforced: the combination of the access token and the browser token (cookie) is validated while accessing the IS APIs. Support for configuring this option using the OAuth2 application configuration, and for browser token persistence, will be added as well.
The updated request/response flow is as follows: [image: Blank Diagram (1).png]

Thanks,
Thanuja

--
*Thanuja Lakmal*
Technical Lead
WSO2 Inc. http://wso2.com/
*lean.enterprise.middleware*
Mobile: +94715979891
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
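The check Thanuja describes (access token accepted only together with the browser cookie it was bound to) can be illustrated with the following added example. It is not WSO2 Identity Server code and does not reflect the project's actual implementation: the cookie name `atbv`, the `cnf`/`sha256_cookie` claim layout, the HMAC-signed compact token used in place of a real JWT, and the key shared between the authorization server and the API are all assumptions made for the example. Only a hash of the cookie value goes into the token, so a leaked token does not reveal the cookie, and a token replayed from another browser (or without any cookie) is rejected.

```python
# Added illustration of the token/cookie binding check; not WSO2 IS code.
# The "atbv" cookie name and the "cnf" claim layout are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key shared by the authorization server and the API
# (a real deployment would verify a JWT signature against the AS's JWKS).
AS_KEY = secrets.token_bytes(32)
BINDING_COOKIE = "atbv"  # assumed name of the browser token cookie


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _cookie_hash(cookie_value: str) -> str:
    return _b64u(hashlib.sha256(cookie_value.encode()).digest())


def issue_bound_token(client_id, subject, bind_to_browser=True, ttl=3600):
    """Authorization server side of the token response.

    Returns (access_token, browser_token). The browser token is the value to
    send in Set-Cookie; only its SHA-256 hash is embedded in the token, so a
    leaked token reveals nothing about the cookie.
    """
    browser_token = secrets.token_urlsafe(32) if bind_to_browser else None
    payload = {
        "sub": subject,
        "aud": client_id,
        "exp": int(time.time()) + ttl,
        "jti": secrets.token_hex(8),
    }
    if bind_to_browser:
        payload["cnf"] = {"sha256_cookie": _cookie_hash(browser_token)}
    body = _b64u(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64u(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}", browser_token


def validate_request(headers, cookies, now=None):
    """Resource-server (IS API) side: accept only if signature, expiry and,
    for a bound token, the browser cookie all check out. Returns (ok, reason)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 2:
        return False, "malformed token"
    body, sig = parts
    expected = _b64u(hmac.new(AS_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    payload = json.loads(_unb64u(body))
    if payload["exp"] <= (now if now is not None else time.time()):
        return False, "expired"
    bound_hash = payload.get("cnf", {}).get("sha256_cookie")
    if bound_hash is None:
        return True, "ok (unbound bearer token)"
    cookie = cookies.get(BINDING_COOKIE)
    if cookie is None:
        return False, "bound token presented without browser cookie"
    if not hmac.compare_digest(_cookie_hash(cookie), bound_hash):
        return False, "browser cookie does not match token binding"
    return True, "ok (bound)"


def demo():
    """Walk through the legitimate call and the replay cases this defeats."""
    token, cookie = issue_bound_token("iam-portal", "alice")
    other_token, other_cookie = issue_bound_token("iam-portal", "mallory")
    hdr = {"Authorization": "Bearer " + token}
    return {
        "same_browser": validate_request(hdr, {BINDING_COOKIE: cookie}),
        "token_only": validate_request(hdr, {}),
        "other_browser": validate_request(hdr, {BINDING_COOKIE: other_cookie}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14} -> {result}")
```

In the browser the SPA never reads the binding cookie; it should be set with `HttpOnly; Secure; SameSite=Strict` and a path scoped to the API so the browser attaches it automatically. The caveat worth keeping in mind is that this binding stops a token exfiltrated from the SPA (for example, read out of session storage) from being used elsewhere, but script running in the victim's own origin can still call the API from that browser with both credentials present, so it complements rather than replaces XSS hardening.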
