Hi Nov,

> On 08.12.2018 at 00:20, Nov Matake <mat...@gmail.com> wrote:
>
> For me, it seems very hard to issue a TB-bound token for a JS app and an MTLS-bound token for its backend server at the same time.

Issuing TB tokens in the case of implicit is hard anyway. You need to issue an HTTP redirect to the RS, and the RS must respond by HTTP-redirecting the user agent to the AS (including the referred TBID). This is a new flow requiring an additional security analysis. Obviously, the RS would see the state value and could modify the request. And the RS endpoint must be protected against open redirection.

> Does someone have a workable recommendation for such a case?

Why do you need to issue access tokens to both parties, the frontend and the backend? I would assume a clear layering would let either the SPA or the backend perform the calls towards the Resource EP.

kind regards,
Torsten.
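The reply above says that in this hypothetical RS-to-AS redirect flow the RS endpoint must be protected against open redirection. The following is an added illustration of that check, not code from the thread or from any RFC: a constructed RS redirect endpoint that only ever redirects to an allowlisted AS authorization endpoint (exact scheme, host and path), forwards the original query string including state without rewriting it, and sets the `Include-Referred-Token-Binding-ID: true` response header defined in RFC 8473 so the user agent presents the referred TBID to the AS. The allowlist contents, the `return_to`-style target parameter and the response dict shape are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: the only places the RS may send the
# user agent. Exact (scheme, host, path) tuples, no wildcards, no prefixes.
ALLOWED_AS_ENDPOINTS = {
    ("https", "as.example", "/authorize"),
}


def is_allowed_redirect(target: str) -> bool:
    """Return True only if target is an exact allowlist match.

    Rejects the usual open-redirect shapes: scheme-relative URLs, userinfo
    tricks (https://as.example@evil.example), lookalike hosts, non-default
    ports, and path variations.
    """
    parts = urlsplit(target)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lowercased, userinfo and port stripped
    if host is None:
        return False
    try:
        port = parts.port
    except ValueError:  # e.g. "https://as.example:abc/authorize"
        return False
    if port not in (None, 443):
        return False
    return (parts.scheme, host, parts.path) in ALLOWED_AS_ENDPOINTS


def rs_redirect_response(target: str, original_query: str) -> dict:
    """Build the RS's response for the redirect step of the flow.

    The RS forwards the authorization request parameters verbatim (so the
    state value reaches the AS unmodified) and asks the user agent to include
    the referred Token Binding ID on the redirected request (RFC 8473).
    """
    if not is_allowed_redirect(target):
        return {"status": 400, "headers": {}, "body": "invalid redirect target"}
    location = f"{target}?{original_query}" if original_query else target
    return {
        "status": 302,
        "headers": {
            "Location": location,
            "Include-Referred-Token-Binding-ID": "true",
        },
        "body": "",
    }


if __name__ == "__main__":
    print(rs_redirect_response("https://as.example/authorize",
                               "response_type=token&state=xyz"))
    print(rs_redirect_response("https://as.example@evil.example/authorize",
                               "state=xyz"))
```

The allowlist is deliberately a set of exact tuples rather than a host-prefix or substring match; most open-redirect bypasses in practice exploit a lenient comparison (prefix, `startswith`, or a regex without anchors) rather than a missing check.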
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth