Hi Thorsten,
do you mean that for service-to-service communication or for the frontend-to-backend
communication?
What would that process look like in a nutshell?
Thanks!
David
On 22 July 2019 14:30:41 CEST, Torsten Lodderstedt wrote:
> Hi David,
>
>> On 12. Jun 2019, at 04:01, David Waite
>
Hi David,
> On 12. Jun 2019, at 04:01, David Waite wrote:
>
> To prevent exfiltration, the options are limited.
> - Token Binding will work, but only currently has support in Edge.
> - Mutual TLS will work, but has a poor experience unless you are deploying
> alongside group policy.
> - DPoP
> On Jul 3, 2019, at 1:44 AM, da...@davidsautter.de wrote:
> I understood that you could also secure this variant of the Authorization
> Code Flow with PKCE in order to protect the redirect steps. I noticed that
> this is rarely discussed "in public" (e.g. blogs, Stackoverflow etc.) because
On Jun 10, 2019, at 2:06 AM, David Sautter wrote:
> I understood the following: using a backend service to exchange the auth
> code for the token with the IdP is considered more secure, because one
> cannot trust the browser to store the tokens securely. The drawback is
> that yo
Hello,
I'm trying to get my head around the current recommendation for using
OpenID Connect with an SPA that cannot directly communicate with a
stateful backend for holding a session.
First I thought the Implicit Flow would be the way to go, then I noticed
that it isn't recommended anymore