A credentials grant is only as secure as the authentication performed before handing out the access token. That's outside the specification, they say. So that depends on whatever authentication regime you decide to put in front of giving out tokens in response to credential grants.

Now, let's assume you've set up a nice secure way to get your credentials grant, or get an access token into your browser via a regular OAuth2 request.

Under the OAuth2 specification you are free to MAC-digest portions, encrypt portions or protect the data within that token in any number of ways. The security of the access token in the browser depends on what information it contains - often people design it to contain minimal information (userid, expiration-time, version, digest) and make it self-verifiable by your server (hence the digest). The contents of the token are virtually arbitrary. Some systems even give out access "codes" as proxies for the token.

Now let's assume you have a protected "secure format" access token, with a time restriction. Let's consider a real-world example: Facebook and their OAuth2 implementation. Be it a full access token or an access code for server-side credential retrieval (each with time restrictions), you can send the token (or code) from the browser to secure access to a WebSocket, using the Kaazing Gateway.

One of the things I've taken away from working with Kaazing's gateway is that OAuth2 really doesn't secure anything - you are free to hand out access tokens of arbitrary form. It's a good idea to make sure your credential-authentication scheme, the access_token format and the access_token lifetime are all good policy decisions - then you get security.

The Kaazing Gateway will let you send arbitrary tokens into the Gateway and validate them with a JAAS login module that you write to verify them. The security of the regime is up to you and policy decisions.

Regards,

Steven Atkinson

Gateway Server Developer, Kaazing
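As an added illustration (not code from the answer above, nor from Kaazing or any JAAS module), here is the minimal self-verifiable token format the answer describes: userid, expiration time and version, protected by an HMAC digest that the server checks before trusting the rest. The key, lifetime and user id are constructed values; the same checks would live in the login module that validates tokens at the gateway.

```python
import base64
import hashlib
import hmac
import time

# Constructed server-side key for this example; in practice load it from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_VERSION = 1


def _digest(payload: bytes) -> bytes:
    """base64url(HMAC-SHA256(payload)) with padding stripped."""
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=")


def mint_token(user_id: str, lifetime_s: int, now=None) -> str:
    """Build 'version.userid.expiry.digest'. user_id must not contain '.'."""
    if "." in user_id:
        raise ValueError("user_id may not contain '.'")
    expires = int((time.time() if now is None else now) + lifetime_s)
    payload = f"{TOKEN_VERSION}.{user_id}.{expires}".encode()
    return (payload + b"." + _digest(payload)).decode()


def verify_token(token: str, now=None):
    """Return the user id if digest, version and expiry all check out, else None."""
    parts = token.split(".")
    if len(parts) != 4:
        return None
    version, user_id, expires, tag = parts
    payload = f"{version}.{user_id}.{expires}".encode()
    # Check the digest first, in constant time, before trusting any field.
    if not hmac.compare_digest(tag.encode(), _digest(payload)):
        return None
    if version != str(TOKEN_VERSION):
        return None  # old formats are rejected once the version is bumped
    if (time.time() if now is None else now) >= int(expires):
        return None  # time restriction: expired tokens are worthless
    return user_id
```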