Hi Thanuja,

Did we consider sending the access token itself as a secure, http-only cookie to the browser instead of binding it to a separate cookie? This will also simplify the development on the client side, in case someone wants to build their own SPA.

Regards,
Johann.

On Mon, Sep 2, 2019 at 12:26 PM Thanuja Jayasinghe <than...@wso2.com> wrote:
> Hi All,
>
> With the introduction of new IAM portal applications, there is a requirement to provide additional security measures to secure these SPAs. We have already implemented the OAuth2 authorization code flow (public client) with PKCE for these applications and with this feature, it will be possible to bind the access token to the browser instance. So, an additional security measure will be enforced as the combination of the access token and browser token (cookie) validated while accessing the IS APIs.
> Support for configuring this option using OAuth2 application configuration and browser token persistence will be added as well.
>
> Updated request/response flow is as follows,
> [image: Blank Diagram (1).png]
>
> Thanks,
> Thanuja
>
> --
> *Thanuja Lakmal*
> Technical Lead
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891

--
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
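The binding check Thanuja's quoted mail describes, written out as an added example that is not WSO2 Identity Server code and not part of this thread. It models the three pieces the mail names: a per-application setting that turns binding on, a browser token issued as a Secure/HttpOnly cookie alongside the access token, and a resource-server check that accepts a request only when the bearer token and the cookie belong together. The cookie name `browser_token`, the `OAuthApp`/`TokenStore` types and every function name are assumptions made for this illustration; the store keeps only a SHA-256 digest of the browser token so a leaked store does not yield usable cookies.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "browser_token"  # assumed cookie name, not a WSO2 IS identifier


@dataclass
class OAuthApp:
    client_id: str
    # The per-application configuration option mentioned in the thread.
    bind_token_to_browser: bool


@dataclass
class TokenStore:
    # access token -> (client_id, digest of the bound browser token, or None if unbound)
    tokens: dict = field(default_factory=dict)


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def issue_tokens(store: TokenStore, app: OAuthApp):
    """Token endpoint side: returns (access_token, Set-Cookie header value or None)."""
    access_token = secrets.token_urlsafe(32)
    if not app.bind_token_to_browser:
        store.tokens[access_token] = (app.client_id, None)
        return access_token, None
    # Fresh random browser token per grant; only its digest is persisted.
    browser_token = secrets.token_urlsafe(32)
    store.tokens[access_token] = (app.client_id, _digest(browser_token))
    set_cookie = (
        f"{COOKIE_NAME}={browser_token}; Secure; HttpOnly; SameSite=Strict; Path=/"
    )
    return access_token, set_cookie


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def validate_request(store: TokenStore, headers: dict):
    """Resource server side: returns (allowed, reason) for the incoming request headers."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "missing_bearer"
    access_token = auth[len("Bearer "):].strip()
    entry = store.tokens.get(access_token)
    if entry is None:
        return False, "unknown_token"
    _client_id, bound_digest = entry
    if bound_digest is None:
        # Application was issued the token without browser binding: plain bearer semantics.
        return True, "ok_unbound"
    cookie_value = parse_cookies(headers.get("Cookie", "")).get(COOKIE_NAME)
    if cookie_value is None:
        # Bearer token presented without the cookie it was bound to (e.g. replayed elsewhere).
        return False, "missing_browser_token"
    if not hmac.compare_digest(_digest(cookie_value), bound_digest):
        return False, "browser_token_mismatch"
    return True, "ok_bound"


if __name__ == "__main__":
    store = TokenStore()
    app = OAuthApp("portal-spa", bind_token_to_browser=True)
    token, cookie = issue_tokens(store, app)
    # The browser keeps the HttpOnly cookie and sends it back automatically.
    browser_cookie = cookie.split(";")[0]
    print(validate_request(store, {"Authorization": f"Bearer {token}", "Cookie": browser_cookie}))
    print(validate_request(store, {"Authorization": f"Bearer {token}"}))
```

The SameSite and Path attributes are choices for this example; the thread itself only specifies that the cookie exists and is validated together with the token. Johann's alternative would replace the `Authorization` header lookup with reading the access token from the cookie directly, which removes the pairing step but puts the token on every same-site request.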
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev