Hi All,

In Identity Server, DCR endpoints are secured with a pluggable security layer where we can use Basic Authentication, OAuth, certificate-based authentication, or any custom authentication. We have the following evaluation of each method:

1. Basic Authentication: From a security perspective it's clearly not applicable to embed super tenant or tenant credentials into a native application. What is feasible here is to take end user credentials at run time and invoke the DCR endpoint with end user credentials (need to set the correct user permission to invoke the DCR endpoint).

2. Certificate-based Authentication: This is a good option but has a few problems: how to distribute the certificate, and also other applications can access the key chain, which will be a security vulnerability (need to check with a mobile expert).

3. OAuth-based Authentication: Securing the DCR endpoint with an initial access token is a practice coming from the DCR specification, but the problem is how to store this initial access token securely in a mobile application.

WDYT?

Thanks,
Gayan

--
Gayan Gunawardana
Senior Software Engineer; WSO2 Inc.; http://wso2.com/
Email: [email protected]
Mobile: +94 (71) 8020933
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
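As an added illustration of the pluggable security layer discussed above (example code written for this page, not WSO2 Identity Server's implementation), the following sketch puts two of the evaluated authenticators in front of a minimal RFC 7591 registration handler: option 1, end-user Basic credentials gated by an explicit DCR permission, and option 3, an out-of-band initial access token presented as a Bearer token. The user table, the "dcr:register" permission name, the initial access token value and the redirect URIs are all constructed sample data; passwords are stored in plain text only to keep the sample short.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample data (not from the mailing list post).
# Only users holding the hypothetical "dcr:register" permission may register clients.
USERS = {
    "alice": {"password": "alice-pw", "permissions": {"dcr:register"}},
    "bob": {"password": "bob-pw", "permissions": set()},
}

# Initial access tokens (RFC 7591, section 3) are issued out of band and stored
# only as SHA-256 digests, so a leaked registry does not leak usable tokens.
INITIAL_ACCESS_TOKENS = {hashlib.sha256(b"iat-sample-token").hexdigest()}

# Registered client metadata, keyed by client_id.
REGISTRY = {}


def basic_header(user, password):
    """Build an Authorization header value for option 1 (end-user credentials)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def bearer_header(token):
    """Build an Authorization header value for option 3 (initial access token)."""
    return "Bearer " + token


def authenticate_basic(value):
    """Option 1: verify end-user credentials, then require the DCR permission."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
        user, _, password = raw.partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        return None
    # Authentication alone is not enough: the user must be allowed to call DCR.
    if "dcr:register" not in record["permissions"]:
        return None
    return user


def authenticate_bearer(token):
    """Option 3: compare the presented initial access token by digest."""
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    return "initial-access-token" if digest in INITIAL_ACCESS_TOKENS else None


# The pluggable layer: scheme name -> authenticator. A certificate-based or custom
# authenticator would be registered here in the same way.
AUTHENTICATORS = {"basic": authenticate_basic, "bearer": authenticate_bearer}


def register_client(headers, metadata):
    """Handle one DCR registration request; returns (status, response body)."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    handler = AUTHENTICATORS.get(scheme.lower())
    principal = handler(value) if handler and value else None
    if principal is None:
        # Unauthenticated or unauthorised callers never reach metadata handling.
        return 401, {"error": "invalid_client"}
    redirect_uris = metadata.get("redirect_uris")
    if not isinstance(redirect_uris, list) or not redirect_uris:
        return 400, {"error": "invalid_redirect_uri"}
    client_id = secrets.token_urlsafe(16)
    REGISTRY[client_id] = {"owner": principal, **metadata}
    return 201, {"client_id": client_id, "redirect_uris": redirect_uris}


if __name__ == "__main__":
    req = {"Authorization": basic_header("alice", "alice-pw")}
    print(register_client(req, {"redirect_uris": ["myapp://callback"]}))
```

Note how the Basic path separates authentication from authorisation: a valid user without the DCR permission is rejected exactly like an unknown user, which is the "correct user permission" requirement from option 1. The Bearer path never stores the initial access token itself, only its digest, which addresses the server side of option 3; it does not solve the client-side storage problem the post raises.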
