Hi Thanuja,

I have a few questions on this.

How are we going to bind the token to the cookie (is this a new entry to a
table)? Is this an existing cookie (maybe the commonAuth ID) or a new cookie?
Furthermore, how are we going to handle the scenario where the same user
logs in from multiple browsers? Are we going to have multiple active
tokens for the same client and user with random scopes? Or are we just revoking
the old token if the same scopes are being used?

Or else do we have the facility to have multiple active tokens for the same
user, application with same scopes in latest IS versions ?

On Mon, Sep 2, 2019 at 3:56 PM Thanuja Jayasinghe <[email protected]> wrote:

> Hi All,
>
> With the introduction of the new IAM portal applications, there is a
> requirement to provide additional security measures to secure these SPAs.
> We have already implemented the OAuth2 authorization code flow (public
> client) with PKCE for these applications, and with this feature it will be
> possible to bind the access token to the browser instance. So an
> additional security measure will be enforced, as the combination of the
> access token and browser token (cookie) is validated while accessing the IS
> APIs.
> Support for configuring this option using the OAuth2 application configuration
> and browser token persistence will be added as well.
>
> Updated request/response flow is as follows,
> [image: Blank Diagram (1).png]
>
> Thanks,
> Thanuja
>
> --
> *Thanuja Lakmal*
> Technical Lead
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891
>


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
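The token-to-browser binding discussed in this thread, written out as an added example (this is illustration code, not WSO2 IS's implementation or design). The assumptions are: the authorization server mints a random browser token together with the access token and keeps only a SHA-256 hash of it in the token record, the browser token is returned as an HttpOnly/Secure cookie (the cookie name `iam_browser_token` is invented here), binding is switched on per client application, and each browser instance that logs in gets its own cookie and its own token, so two tokens with identical scopes can coexist. The resource-side check then accepts the bearer token only when the cookie whose hash is stored with it is presented.

```python
"""Browser-bound OAuth2 access tokens: an illustrative model, not WSO2 IS code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple, Union

COOKIE_NAME = "iam_browser_token"  # assumed cookie name for the example


def _digest(value: str) -> str:
    # Only hashes are persisted, so a leaked token table yields neither usable
    # access tokens nor usable browser tokens.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:
    client_id: str
    user: str
    scopes: FrozenSet[str]
    binding_hash: Optional[str]  # sha256(browser token), or None when unbound
    expires_at: float


class AuthServer:
    def __init__(self) -> None:
        self.tokens: Dict[str, TokenRecord] = {}   # sha256(access token) -> record
        self.bind_required: Dict[str, bool] = {}   # per-application setting (assumed)

    def configure_client(self, client_id: str, require_binding: bool) -> None:
        self.bind_required[client_id] = require_binding

    def issue_token(self, client_id: str, user: str, scopes: Set[str],
                    browser_token: Optional[str] = None, ttl: int = 3600
                    ) -> Tuple[str, Optional[str]]:
        """Issue an access token. For bound clients, also return the browser
        token to set as a cookie; passing an existing browser_token (a browser
        that already holds the cookie) reuses it instead of minting a new one.
        Each browser gets its own token, so several tokens with the same scopes
        may be active for one user and client at the same time."""
        access_token = secrets.token_urlsafe(32)
        binding_hash = None
        if self.bind_required.get(client_id, False):
            if browser_token is None:
                browser_token = secrets.token_urlsafe(32)
            binding_hash = _digest(browser_token)
        else:
            browser_token = None
        self.tokens[_digest(access_token)] = TokenRecord(
            client_id, user, frozenset(scopes), binding_hash, time.time() + ttl)
        return access_token, browser_token

    def validate(self, access_token: str, browser_token: Optional[str] = None
                 ) -> Tuple[bool, Union[str, TokenRecord]]:
        """Resource-side check run by the API: the bearer token alone is not
        enough for a bound token; the cookie from the same browser must match."""
        rec = self.tokens.get(_digest(access_token))
        if rec is None:
            return False, "invalid_token"
        if rec.expires_at <= time.time():
            return False, "expired_token"
        if rec.binding_hash is not None:
            if browser_token is None:
                return False, "missing_browser_token"
            if not hmac.compare_digest(rec.binding_hash, _digest(browser_token)):
                return False, "token_binding_mismatch"
        return True, rec


def cookie_header(browser_token: str) -> str:
    # HttpOnly keeps page script (and hence XSS) from reading the cookie, Secure
    # keeps it off plaintext HTTP; SameSite is an assumption for a same-site SPA.
    return f"{COOKIE_NAME}={browser_token}; Path=/; HttpOnly; Secure; SameSite=Strict"


def demo() -> Dict[str, object]:
    srv = AuthServer()
    srv.configure_client("iam-portal", require_binding=True)
    tok1, cookie1 = srv.issue_token("iam-portal", "alice", {"internal_login"})
    tok2, cookie2 = srv.issue_token("iam-portal", "alice", {"internal_login"})  # 2nd browser
    return {
        "own_browser": srv.validate(tok1, cookie1)[0],
        "stolen_token_no_cookie": srv.validate(tok1)[1],
        "stolen_token_other_browser": srv.validate(tok1, cookie2)[1],
        "second_browser": srv.validate(tok2, cookie2)[0],
    }
```

In this model a token exfiltrated from the SPA (for example through XSS reading it out of storage) is useless outside the browser it was issued to, because the attacker does not hold the HttpOnly cookie; the trade-off is that the binding only holds as long as the cookie itself cannot be read or replayed.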