Friday, 20 February 2015

How to associate an OAuth token with a particular user. Is this possible?



We have HTTP REST services and SignalR (aka WebSockets, server-sent events, etc.) for cases in which we need to push data from the server to the Web UI. We are currently using the built-in tools that come with ASP.NET (Web API 2, SignalR, ASP.NET Identity and OAuth) for authentication.


There have been some concerns raised about solely using OAuth for authentication because someone could use your token if they got a hold of it. We recently have been considering using mutual authentication, which would at least authenticate the client and ensure that requests are coming from authenticated devices. This approach still allows a valid client to obtain a token and (possibly unintentionally) share that same token with another device that has a valid client cert. This token could still be used from another device as long as that device had a valid client cert.


We do not have a lot of expertise in this area and were wondering if anyone had any ideas as to how to generate tokens that are associated with a particular client, so that the server can reject tokens that did not come from the intended recipient of that token.


We are thinking that we can't be the only ones who are facing this issue, and we are hoping that there is an existing solution for it. Also note that we need to support JavaScript clients on mobile devices (...not sure if that matters, but I thought I'd mention it).


Thanks in advance.


Thanks, Andrew
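The binding the question asks for is a proof-of-possession token: at issuance the server records a fingerprint of the client certificate the TLS layer authenticated, and on every later request it checks that the certificate on the current connection has the same fingerprint. This is the idea later standardized as certificate-bound access tokens (RFC 8705), which carry the SHA-256 thumbprint of the client certificate in a `cnf` claim under `x5t#S256`. The following is an added example, not code from the original post or from the ASP.NET stack it describes; it is written in Python with only the standard library so it runs stand-alone. The two certificate byte strings and `SERVER_KEY` are constructed stand-ins (a real server would take the DER certificate from the TLS connection and keep the signing key in a secret store), and `issue_token` / `verify_token` are hypothetical names.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-ins for two DER-encoded client certificates. Real code would
# take the certificate the TLS layer presented; the bytes only need to be stable.
CERT_A = b"-----CONSTRUCTED CLIENT CERT A-----"
CERT_B = b"-----CONSTRUCTED CLIENT CERT B-----"

# Hypothetical server-side token signing key (symmetric, HMAC). In production this
# lives in a secret store or is an asymmetric key; it is never embedded in source.
SERVER_KEY = secrets.token_bytes(32)


def b64url(data: bytes) -> str:
    """Base64url without padding, as used inside JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    """SHA-256 thumbprint of the certificate, the value of the x5t#S256 member."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_token(user: str, client_cert_der: bytes, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HMAC-signed token whose cnf claim pins it to the presenting client certificate."""
    now = int(time.time()) if now is None else now
    claims = {
        "sub": user,
        "iat": now,
        "exp": now + ttl,
        # Confirmation claim: the thumbprint of the cert this token was issued to.
        "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)},
    }
    body = b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url(sig)}"


def verify_token(token: str, presented_cert_der: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature, expiry and certificate binding all hold, else None.

    presented_cert_der is the client certificate on the connection carrying this request,
    i.e. what mutual TLS already authenticated; the check below adds that it is the
    same certificate the token was bound to at issuance.
    """
    try:
        body, sig = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), sig):
            return None  # forged or tampered token
        claims = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return None  # expired
    cnf = claims.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if bound is None or not hmac.compare_digest(bound, cert_thumbprint(presented_cert_der)):
        # Token was copied to another device: the presenter's certificate is valid
        # but it is not the certificate this token was issued to.
        return None
    return claims


if __name__ == "__main__":
    token = issue_token("andrew", CERT_A)
    print("same cert:", verify_token(token, CERT_A) is not None)   # True
    print("other cert:", verify_token(token, CERT_B) is not None)  # False
```

Because the binding is to the certificate the TLS layer already verified, the JavaScript client does not change at all: the browser or mobile runtime presents the client certificate during the handshake and the token is sent as before. The check defeats a token copied to a second device that has its own valid certificate, which is exactly the gap described above; it does not protect against a compromised device that uses its own certificate and its own token, so the token lifetime (`exp`) still matters.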




