Hi Dinali,

Please refer to the "Access Token Binding Type" row in [1].

[1] https://is.docs.wso2.com/en/5.10.0/learn/configuring-oauth2-openid-connect-single-sign-on/

Thanks,
Thanuja

On Tue, Mar 24, 2020 at 8:40 PM Dinali Dabarera <din...@wso2.com> wrote:
> Hi all,
>
> Do we have any official public documents related to this approach, the token binding mechanism used and other information?
>
> Thank you!
> Dinali
>
> On Wed, Nov 20, 2019 at 7:55 PM Janak Amarasena <ja...@wso2.com> wrote:
>> Hi All,
>>
>> Currently, there is an OAuth2 spec [1] under development with the key intention of sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism. A few takeaways from that which we could also use:
>> We could introduce a new *token_type* [2] (like token_type=bound+cookie) for the cookie-bound access token instead of the current bearer token, as these tokens should be processed in a different way than the normal bearer tokens.
>> Also, if the service provider supports multiple token types, we can let the application request the token type it wants by indicating it in some parameter when the application initiates a token request flow.
>>
>> [1] - https://tools.ietf.org/html/draft-fett-oauth-dpop
>> [2] - https://tools.ietf.org/html/rfc6749#section-7.1
>>
>> Best Regards,
>> Janak
>>
>> On Thu, Oct 31, 2019 at 9:42 AM Johann Nallathamby <joh...@wso2.com> wrote:
>>> Hi Darshana,
>>>
>>> On Sat, Sep 28, 2019 at 8:29 PM Darshana Gunawardana <darsh...@wso2.com> wrote:
>>>> Hi Johann,
>>>>
>>>> On Sat, Sep 21, 2019 at 10:43 AM Johann Nallathamby <joh...@wso2.com> wrote:
>>>>> Hi Thanuja,
>>>>>
>>>>> Did we consider sending the access token itself as a secure, http-only cookie to the browser instead of binding it to a separate cookie? This will also simplify the development on the client side, in case someone wants to build their own SPA.
>>>>
>>>> Here, which domain did you assume the cookie will be set to?
>>>
>>> I meant the IS server domain, which is the domain where the APIs are hosted.
>>>
>>>> Assuming it is the client's domain, there are two limitations:
>>>>
>>>> 1. Setting the token as a cookie is an additional task that the client has to do, since the OP (in this case IS) cannot set cookies for some external client domain.
>>>> 2. Having the token stored in an http-only cookie blocks accessing it from client-side scripts, which is a main blocker for SPAs.
>>>
>>> Not the client domain.
>>>
>>>> Assuming it is the server-side domain, and assuming you want to automatically handle authorization for the API based on the access token that is already present in the cookie, there are two concerns:
>>>>
>>>> 1. This will open up a CSRF vulnerability, as any malicious client running on the same browser can also access the APIs successfully.
>>>
>>> Yes, your approach will prevent CSRF as well. +1.
>>>
>>>> 2. If the API gateway is handling authorization in back-channel mode:
>>>>    1. The cookie has to be set to the API gateway's domain.
>>>>    2. The API gateway has to do an additional, non-standard way of handling this cookie and attach it to the authorization header.
>>>
>>> Yes, this is a possibility. But I wasn't proposing it in this case.
>>>
>>> Thanks for the clarification.
>>>
>>> Regards,
>>> Johann.
>>>
>>>> Thanks,
>>>>
>>>>> Regards,
>>>>> Johann.
>>>>>
>>>>> On Mon, Sep 2, 2019 at 12:26 PM Thanuja Jayasinghe <than...@wso2.com> wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> With the introduction of the new IAM portal applications, there is a requirement to provide additional security measures to secure these SPAs. We have already implemented the OAuth2 authorization code flow (public client) with PKCE for these applications, and with this feature it will be possible to bind the access token to the browser instance. So, an additional security measure will be enforced, as the combination of the access token and the browser token (cookie) is validated while accessing the IS APIs.
>>>>>> Support for configuring this option using the OAuth2 application configuration and browser token persistence will be added as well.
>>>>>>
>>>>>> The updated request/response flow is as follows:
>>>>>> [image: Blank Diagram (1).png]
>>>>>>
>>>>>> Thanks,
>>>>>> Thanuja
>>>>>>
>>>>>> --
>>>>>> *Thanuja Lakmal*
>>>>>> Technical Lead
>>>>>> WSO2 Inc. http://wso2.com/
>>>>>> *lean.enterprise.middleware*
>>>>>> Mobile: +94715979891
>>>>>
>>>>> --
>>>>> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
>>>>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> *Darshana Gunawardana* Technical Lead
>>>> WSO2 Inc.; http://wso2.com
>>>> *E-mail: darsh...@wso2.com*
>>>> *Mobile: +94718566859* Lean . Enterprise . Middleware
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> architect...@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>> --
>> *Janak Amarasena* | Senior Software Engineer | WSO2 Inc.
>> (m) +94777764144 | (w) +94112145345 | (e) ja...@wso2.com
>> <https://wso2.com/signature>
>
> --
> *Dinali Rosemin Dabarera*
> Senior Software Engineer
> IAM Domain
> WSO2 Lanka (pvt) Ltd.
> Web: http://wso2.com/
> Email : gdrdabar...@gmail.com
> LinkedIn <https://lk.linkedin.com/in/dinalidabarera>
> Mobile: +94770198933

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
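The thread above describes the access token being bound to a browser cookie so that an IS API accepts a request only when the token and the cookie are presented together, and Darshana's note explains why a cookie on its own would be CSRF-prone. The following is an added illustration written for this page, not WSO2 Identity Server's implementation: it assumes a made-up HMAC-protected token format, a constructed cookie name `atbv`, the `token_type=bound+cookie` marker Janak suggested, and a `cnf` claim carrying the SHA-256 fingerprint of the cookie value. The resource-side check rejects a token replayed without its cookie (stolen token), a cookie sent without a token (cross-site request), and a token paired with a different browser's cookie.

```python
"""Cookie-bound access token check (added example; not WSO2 IS code).

Everything here is constructed for illustration: the token format, the
cookie name "atbv", the claim names and the HMAC key are all assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# Key shared by the token issuer and the API that validates tokens (constructed).
SERVER_KEY = secrets.token_bytes(32)
COOKIE_NAME = "atbv"  # hypothetical name for the browser-bound cookie


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cookie_fingerprint(cookie_value: str) -> str:
    """Token carries a hash of the cookie, never the cookie value itself."""
    return _b64(hashlib.sha256(cookie_value.encode()).digest())


def issue_bound_token(subject: str, browser_cookie: str, key: bytes = SERVER_KEY) -> str:
    """Issue a token whose payload is bound to the fingerprint of the browser cookie."""
    payload = {
        "sub": subject,
        "token_type": "bound+cookie",          # marker suggested in the thread
        "cnf": {"cookie#S256": cookie_fingerprint(browser_cookie)},
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def validate_request(headers: Dict[str, str], cookies: Dict[str, str],
                     key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """Resource-server side: accept only an intact bound token plus its matching cookie."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        # A cookie alone, as a cross-site request would send, is not enough.
        return False, "no access token"
    parts = auth[len("Bearer "):].split(".")
    if len(parts) != 2:
        return False, "malformed token"
    body, tag = parts
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    payload = json.loads(_unb64(body))
    if payload.get("token_type") != "bound+cookie":
        return False, "unbound token not accepted here"
    cookie = cookies.get(COOKIE_NAME)
    if cookie is None:
        # Token presented outside the browser it was issued to (e.g. after theft).
        return False, "bound token without its cookie"
    if not hmac.compare_digest(payload["cnf"]["cookie#S256"], cookie_fingerprint(cookie)):
        return False, "token bound to a different browser"
    return True, "bound token accepted"


if __name__ == "__main__":
    cookie = "constructed-browser-cookie-value"
    token = issue_bound_token("alice", cookie)
    for label, hdrs, cks in [
        ("token + cookie", {"Authorization": "Bearer " + token}, {COOKIE_NAME: cookie}),
        ("token only", {"Authorization": "Bearer " + token}, {}),
        ("cookie only", {}, {COOKIE_NAME: cookie}),
        ("other browser", {"Authorization": "Bearer " + token}, {COOKIE_NAME: "other"}),
    ]:
        print(f"{label:15s} -> {validate_request(hdrs, cks)}")
```

The fingerprint rather than the raw cookie value goes into the token, so that a token read by a client-side script does not leak the http-only cookie it is bound to; the cookie and the token still have to travel together, which is what removes the CSRF path Darshana described.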