Hi Sumedha,
On Fri, Jul 26, 2013 at 2:59 PM, Sumedha Rubasinghe <[email protected]> wrote:

> We need to attend to $subject.
>
> OAuth2 spec also recommends this in its Threat Mitigation section.
>
> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-16#section-4.2
> "For those cases where the client is prevented from observing the contents
> of the token, token encryption MUST be applied in addition to the usage of
> TLS protection."
>
> Some design considerations.
> 1. Should be configurable (default off), configured via identity.xml
> 2. Need to consider token validation flow as well (hash should be
> generated of incoming token & compared)

I had a look at the DAO used in AM and initially thought of handling this at that level (so that the DB will have encrypted tokens) and having the non-encrypted key in other places rather than using an encrypted key throughout the sequence. But from a security perspective, I am not sure about the implications, given that there may be cases where plain text tokens may be used in logs etc., which will eventually expose the key and make the encryption useless. If I understood correctly, your suggestion is to use an encrypted token throughout the flow?

> 3. Should we also store the encrypting algorithm as well? (for backward
> compatibility if it changes after some time) - Is this a real scenario?
>
> Thanks Rajeev
>
> --
> /sumedha
> b : bit.ly/sumedha

--
Rajeev Sampath
Senior Software Engineer
WSO2, Inc.; http://www.wso2.com.
Mobile: +94716265766
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
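A worked illustration of design points 2 and 3 above (added here; not code from the thread or from WSO2): validation hashes the incoming token and compares it with the stored digest, each row records the algorithm that produced it, and plaintext rows issued before the option was switched on still validate. It uses a one-way digest rather than reversible encryption, which is enough because the server only ever needs to compare a presented token, never recover it; TokenStore and the "alg$digest" row format are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Added illustration, not WSO2 code: a token store that persists only a
# digest of each access token, tagged with the algorithm that produced it.
# TokenStore, its methods and the "alg$digest" row format are assumptions.

HASH_ALG = "sha256"  # recorded on every row so the algorithm can change later


class TokenStore:
    def __init__(self, hash_tokens=False):
        self.hash_tokens = hash_tokens  # "configurable (default off)"
        self._rows = {}                 # stored value -> user it was issued to

    @staticmethod
    def _digest(alg, token):
        return hashlib.new(alg, token.encode()).hexdigest()

    def _encode(self, token):
        if not self.hash_tokens:
            return token                # legacy behaviour: raw token in the DB
        return f"{HASH_ALG}${self._digest(HASH_ALG, token)}"

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # plaintext leaves the server once
        self._rows[self._encode(token)] = user
        return token

    def validate(self, token):
        """Hash the incoming token and compare; returns the user or None."""
        for stored, user in self._rows.items():
            alg, sep, digest = stored.partition("$")
            if sep:  # hashed row: recompute with the algorithm it records
                match = hmac.compare_digest(self._digest(alg, token), digest)
            else:    # plaintext row kept for backward compatibility
                match = hmac.compare_digest(stored, token)
            if match:
                return user
        return None

    def upgrade_rows(self):
        """Re-encode plaintext rows in place once hashing is switched on."""
        self._rows = {(v if "$" in v else self._encode(v)): u
                      for v, u in self._rows.items()}

    def stored_values(self):
        return list(self._rows)  # what the DB would actually contain
```

Because the store never holds the raw token once hashing is on, a leaked database row (or a log line printing the stored value) cannot be replayed as a bearer token.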
