On Fri, Jul 26, 2013 at 2:59 PM, Sumedha Rubasinghe <[email protected]>wrote:
> We need to attend to $subject.
>
> OAuth2 spec also recommends this in its Threat Mitigation section.
>
> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-16#section-4.2
> "For those cases where the client is prevented from observing the contents
> of the token, token encryption MUST be applied in addition to the usage of
> TLS protection."
>
> Some design considerations.
> 1. Should be configurable (default off), configured via identity.xml
> 2. Need to consider token validation flow as well (hash should be
> generated of incoming token & compared)
> 3. Should we also store encrypting algorithm as well? (for backward
> compatibility if it changes after some time) - Is this a real scenario?
>

How can we store the implementation of the encryption algorithm? We can let users implement the encryption algorithm (this can be configurable through identity.xml). We can implement 1 algorithm and provide it with the pack. We can add encode and decode methods to oauth2 utils, so we can encode before storing it in the DB and decode when validation happens. Also please note that we generate the application access token directly from the API manager impl bundle and put it in the DB; we need to change that place as well.

Thanks,
Sanjeewa.

>
> --
> /sumedha
> b : bit.ly/sumedha
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
Sanjeewa Malalgoda
WSO2 Inc.
Mobile : +94713068779
blog : http://sanjeewamalalgoda.blogspot.com/
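The store-side design discussed in this thread (protect the token before it reaches the DB, keep the algorithm name with the row for backward compatibility, and validate by recomputing the protected form of the incoming token), as an added Python example; this is not code from the thread or from WSO2, and the `TokenStore` class, the `ALGORITHMS` registry and the token strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical registry: name -> function(token, key) -> form kept in the DB.
# "PLAIN" models the feature being switched off (the proposed default).
ALGORITHMS = {
    "PLAIN": lambda token, key: token,
    "SHA-256": lambda token, key: hashlib.sha256(token.encode()).hexdigest(),
    "HMAC-SHA256": lambda token, key: hmac.new(key, token.encode(), hashlib.sha256).hexdigest(),
}


class TokenStore:
    """In-memory stand-in for the access-token table (constructed for this example)."""

    def __init__(self, algorithm="PLAIN", key=None):
        if algorithm not in ALGORITHMS:
            raise ValueError(f"unknown token protection algorithm: {algorithm}")
        self.algorithm = algorithm  # plays the role of the identity.xml setting
        # A real deployment loads a persistent key; a random one is fine here.
        self.key = key or secrets.token_bytes(32)
        self.rows = {}  # (algorithm, stored form) -> token metadata

    def store(self, token, metadata):
        # Protect before writing, and record the algorithm with the row so
        # rows written under an earlier setting remain valid after a change.
        stored = ALGORITHMS[self.algorithm](token, self.key)
        self.rows[(self.algorithm, stored)] = metadata

    def validate(self, token):
        # Recompute the stored form of the incoming token (current algorithm
        # first, then legacy ones) and look the row up; the raw token is never stored.
        order = [self.algorithm] + [a for a in ALGORITHMS if a != self.algorithm]
        for alg in order:
            row = self.rows.get((alg, ALGORITHMS[alg](token, self.key)))
            if row is not None:
                return row
        return None

    def has_plaintext(self, token):
        return any(stored == token for (_, stored) in self.rows)


def demo():
    store = TokenStore(algorithm="SHA-256")
    store.store("tok-app-123", {"client": "app1", "scope": "read"})
    store.algorithm = "HMAC-SHA256"  # setting changed after the first row was written
    store.store("tok-app-456", {"client": "app2", "scope": "write"})
    return (store.validate("tok-app-123"), store.validate("tok-app-456"),
            store.validate("tok-bogus"), store.has_plaintext("tok-app-123"))
```

`demo()` shows a row written under the old setting still validating after the algorithm is switched, while the raw token never appears in the table.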
