We need to attend to $subject. OAuth2 spec also recommends this in its Threat Mitigation section.
http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-16#section-4.2 "For those cases where the client is prevented from observing the contents of the token, token encryption MUST be applied in addition to the usage of TLS protection."

Some design considerations.
1. Should be configurable (default off), configured via identity.xml
2. Need to consider token validation flow as well (hash should be generated of incoming token & compared)
3. Should we also store encrypting algorithm as well? (for backward compatibility if it changes after some time) - Is this a real scenario?

-- /sumedha b : bit.ly/sumedha
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
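An added illustration of the three design points above (configurable hashing that is off by default, validation by re-hashing the incoming token, and storing the algorithm next to the value so it can change later); this is example code, not WSO2's implementation, and the `TokenStore` class, the algorithm labels and the in-memory record layout are assumptions:

```python
import hashlib
import hmac
import secrets

# Hypothetical algorithm registry; "PLAIN" stands for the default-off case
# where tokens are persisted as issued.
HASH_ALGORITHMS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}
PLAINTEXT = "PLAIN"


def digest_token(token, algorithm):
    """Return the form of a token that is written to the store."""
    if algorithm == PLAINTEXT:
        return token
    return HASH_ALGORITHMS[algorithm](token.encode("utf-8")).hexdigest()


class TokenStore:
    def __init__(self, hash_tokens=False, algorithm="SHA-256"):
        # Point 1: hashing is configurable and off by default.
        self.algorithm = algorithm if hash_tokens else PLAINTEXT
        self._records = []  # each: {"alg": ..., "value": ..., "scope": ...}

    def issue(self, scope):
        """Generate a random bearer token; persist only its stored form."""
        token = secrets.token_urlsafe(32)
        # Point 3: record the algorithm beside the value so the configured
        # default can change later without invalidating issued tokens.
        self._records.append({"alg": self.algorithm,
                              "value": digest_token(token, self.algorithm),
                              "scope": scope})
        return token

    def validate(self, token):
        """Point 2: hash the incoming token the same way and compare."""
        for rec in self._records:
            candidate = digest_token(token, rec["alg"])
            # Constant-time comparison against the stored value.
            if hmac.compare_digest(candidate.encode("utf-8"),
                                   rec["value"].encode("utf-8")):
                return rec["scope"]
        return None


def stored_values(store):
    """What actually persists: the raw token never does when hashing is on."""
    return [(r["alg"], r["value"]) for r in store._records]
```

Switching `store.algorithm` between two `issue()` calls shows why the stored algorithm matters: both tokens still validate because each record carries its own algorithm.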
