How to verify that oAuth2 access_token is used by same client to whom it was issued in Spring security?
Question
I have developed Spring REST API will serve as a back-end. It will be accessed by web application as well as mobile application. To make this API secure, I have used Spring's oAuth2 authentication. I know by using this architecture, my API is secured, but than also, is there any way to check whether the access_token is used from same client (application) to which it was issued?
2 answers
solution1
1 2017-09-08 07:07:53
In developing a similar application (not in Spring though) I faced somewhat of the same problem. What I decided to do for the time being is to generate a new token on every user request and pass it as a response header. This would at least mean that it would be impossible for a user to be logged in from 2 different clients at the same time.
I am not sure if this would be helpful for you though. I'm interested to see what other solutions would be offered here.
solution2
0 2017-09-08 08:12:51
In your scenario as you explained, there is no need to check whether access_token is used (sent) from the client to which it was issued. You can apply server-to-server OAuth2 authentication with JWT (JSON Web Token) to authenticate clients (applications). In that way access_token will only work with trusted clients, which have valid JWT.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.