Hi Prakhash,

On Mon, Sep 23, 2019 at 4:34 PM Prakhash Sivakumar <prakh...@wso2.com> wrote:

> Hi Johann,
>
> On Sat, Sep 21, 2019 at 7:13 AM Johann Nallathamby <joh...@wso2.com> wrote:
>
>> Hi Thanuja,
>>
>> Did we consider sending the access token itself as a secure, http-only
>> cookie to the browser instead of binding it to a separate cookie? This will
>> also simplify the development on the client side, in case someone wants to
>> build their own SPA.
>>
> In this case, if the access token is compromised, the attacker can simply
> inject the token into the browser and perform the attack. So I don't see the
> above option providing the additional security that we are trying to
> provide here.
>

Maybe you misunderstood my suggestion. What I meant was to have the access
token itself stored in a secure, http-only cookie from the IS backend. So it
cannot be compromised by XSS or something like that.

Regards,
Johann.

> So IMO we should use such an additional browser token as a cookie with
> secure, http-only headers added. Maybe we can provide this as a
> configurable feature if someone wants to build their own SPA and they want
> to omit this browser token.
>
> Thanks
>
>> Regards,
>> Johann.
>>
>> On Mon, Sep 2, 2019 at 12:26 PM Thanuja Jayasinghe <than...@wso2.com> wrote:
>>
>>> Hi All,
>>>
>>> With the introduction of the new IAM portal applications, there is a
>>> requirement to provide additional security measures to secure these SPAs.
>>> We have already implemented the OAuth2 authorization code flow (public
>>> client) with PKCE for these applications, and with this feature it will be
>>> possible to bind the access token to the browser instance. So an
>>> additional security measure will be enforced, as the combination of the
>>> access token and browser token (cookie) is validated while accessing the IS
>>> APIs.
>>> Support for configuring this option using the OAuth2 application
>>> configuration and browser token persistence will be added as well.
>>>
>>> The updated request/response flow is as follows:
>>> [image: Blank Diagram (1).png]
>>>
>>> Thanks,
>>> Thanuja
>>>
>>> --
>>> *Thanuja Lakmal*
>>> Technical Lead
>>> WSO2 Inc. http://wso2.com/
>>> *lean.enterprise.middleware*
>>> Mobile: +94715979891
>>
>> --
>> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
>> _______________________________________________
>> Dev mailing list
>> Dev@wso2.org
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
> --
> *Prakhash Sivakumar | Senior Software Engineer | WSO2 Inc*
> *+94771510080 | prakh...@wso2.com | https://medium.com/@PrakhashS*

--
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com