Hi Torsten,

> On Dec 8, 2018, at 22:20, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
> 
> Hi Nov,
> 
>> Am 08.12.2018 um 00:20 schrieb Nov Matake <mat...@gmail.com>:
>> 
>> For me, it seems very hard to issue a TB-bound token for a JS app and an 
>> MTLS-bound token for its backend server at the same time.
> 
> Issuing TB tokens in case of implicit is anyway hard. You need to issue a 
> HTTP redirect to the RS and the RS must respond by HTTP redirecting the user 
> agent to the AS (including the referred TBID). This is a new flow requiring 
> an additional security analysis. Obviously, the RS would see the state value 
> and could modify the request. And the RS endpoint must be protected against 
> open redirection. 

I understood.

But even using the code flow, issuing a TB-bound access token has the same 
difficulty, doesn't it?
I don't think this issue is related to the implicit flow.

>> Does someone have a workable recommendation for such a case?
> 
> Why do you need to issue access tokens to both parties, the frontend and the 
> backend? I would assume a clear layering would either let the SPA or the 
> backend perform the calls towards Resource EP.

My client wanted to access the Facebook API both from the SPA (for a realtime 
use case) and from its backend (for batch processing).
This is a normal motivation for developers using "response_type=code+token" today.

Using the backend server as the API gateway for all API calls causes 
performance issues.

> kind regards,
> Torsten. 
> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth