Hi Johann,

On Sat, Sep 21, 2019 at 7:13 AM Johann Nallathamby <joh...@wso2.com> wrote:

> Hi Thanuja,
>
> Did we consider sending the access token itself as a secure, http-only
> cookie to the browser instead of binding it to a separate cookie? This will
> also simplify the development on the client side, in case someone wants to
> build their own SPA.
>

In this case, if the access token is compromised, the attacker can simply inject the token into the browser and perform the attack. So I don't see the above option providing the additional security that we are trying to provide here. So IMO we should use such an additional browser token as a cookie with secure, http-only headers added. Maybe we can provide this as a configurable feature if someone wants to build their own SPA and wants to omit this browser token.

Thanks

> Regards,
> Johann.
>
> On Mon, Sep 2, 2019 at 12:26 PM Thanuja Jayasinghe <than...@wso2.com> wrote:
>
>> Hi All,
>>
>> With the introduction of new IAM portal applications, there is a
>> requirement to provide additional security measures to secure these SPAs.
>> We have already implemented the OAuth2 authorization code flow (public
>> client) with PKCE for these applications, and with this feature it will be
>> possible to bind the access token to the browser instance. So an
>> additional security measure will be enforced, as the combination of the
>> access token and browser token (cookie) is validated while accessing the IS
>> APIs.
>> Support for configuring this option using the OAuth2 application
>> configuration, and for browser token persistence, will be added as well.
>>
>> The updated request/response flow is as follows:
>> [image: Blank Diagram (1).png]
>>
>> Thanks,
>> Thanuja
>>
>> --
>> *Thanuja Lakmal*
>> Technical Lead
>> WSO2 Inc. http://wso2.com/
>> *lean.enterprise.middleware*
>> Mobile: +94715979891
>>
>
> --
> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
> _______________________________________________
> Dev mailing list
> d...@wso2.org
> http://wso2.org/cgi-bin/mailman/listinfo/dev

--
*Prakhash Sivakumar | Senior Software Engineer | WSO2 Inc*
*+94771510080 | prakh...@wso2.com | https://medium.com/@PrakhashS*
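The property argued for in this thread is that an access token copied out of one browser should be useless without the browser token that was issued alongside it. The following is an added illustration in Python, not WSO2 Identity Server code: the server mints an access token that carries only a SHA-256 digest of a random browser token, hands the browser token back as a Secure, HttpOnly cookie, and the API accepts a request only when both are presented and match. It also models the configurable mode Prakhash mentions, where an application may opt out of the binding. The cookie name, the `cnf`-style claim (named after RFC 7800's confirmation claim), the HMAC-signed token format and the signing key are all assumptions made for the example.

```python
"""Access token bound to a browser cookie (added illustration, not WSO2 IS code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side secret for this example only.
TOKEN_SIGNING_KEY = b"constructed-example-signing-key"
# Hypothetical cookie name; the thread does not name the real cookie.
BROWSER_TOKEN_COOKIE = "browser_token"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: bytes) -> str:
    return hmac.new(TOKEN_SIGNING_KEY, body, hashlib.sha256).hexdigest()


def issue_access_token(subject: str, scope: str, bind_to_browser: bool = True,
                       ttl: int = 3600, now: Optional[int] = None):
    """Mint an access token and, when binding is enabled, the browser token cookie.

    Returns (access_token, set_cookie_header_or_None). Only a SHA-256 digest of
    the browser token goes into the access token, so a leaked token reveals
    nothing about the cookie value it is bound to.
    """
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "scope": scope, "exp": now + ttl}
    set_cookie = None
    if bind_to_browser:
        browser_token = secrets.token_urlsafe(32)
        # Confirmation claim modelled on RFC 7800's "cnf" (assumed name).
        claims["cnf"] = {"browser_token_sha256": hashlib.sha256(browser_token.encode()).hexdigest()}
        set_cookie = f"{BROWSER_TOKEN_COOKIE}={browser_token}; Secure; HttpOnly; SameSite=Strict; Path=/"
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64url(body) + "." + _sign(body), set_cookie


def _parse_cookies(header: str) -> dict:
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def validate_request(headers: dict, binding_required: bool = True, now: Optional[int] = None):
    """Check the Authorization and Cookie headers of an API request.

    Returns (accepted, reason). binding_required=False models an application
    configured to omit the browser token; a bound token is still checked.
    """
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing bearer token"
    token = auth[len("Bearer "):]
    try:
        body_b64, sig = token.rsplit(".", 1)
        body = _b64url_decode(body_b64)
    except ValueError:
        return False, "malformed token"
    if not hmac.compare_digest(_sign(body), sig):
        return False, "invalid token signature"
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    digest = claims.get("cnf", {}).get("browser_token_sha256")
    if digest is None:
        if binding_required:
            return False, "token is not bound to a browser"
        return True, "ok (unbound token accepted by configuration)"
    browser_token = _parse_cookies(headers.get("Cookie", "")).get(BROWSER_TOKEN_COOKIE)
    if browser_token is None:
        return False, "browser token cookie missing"
    presented = hashlib.sha256(browser_token.encode()).hexdigest()
    if not hmac.compare_digest(presented, digest):
        return False, "browser token does not match access token"
    return True, "ok"


if __name__ == "__main__":
    token, cookie = issue_access_token("alice", "internal_login")
    print(validate_request({"Authorization": f"Bearer {token}", "Cookie": cookie.split(";")[0]}))
    print(validate_request({"Authorization": f"Bearer {token}"}))  # token alone is rejected
```

Because the browser token never leaves the cookie jar (HttpOnly) and the token only stores its digest, an attacker who obtains the access token from script-accessible storage or a log still fails the second check; the cookie's SameSite attribute additionally limits which origins can cause the browser to attach it.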
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture