Closed cotepatrice closed 10 years ago
brockallen
commented
10 years ago I'm a little confused on what you're trying to achieve or protect -- you are looking for a way to prevent abuse of a token is stolen? Or you're looking for a way to throttle abusive clients?
cotepatrice
commented
10 years ago Stolen tokens mostly
brockallen
commented
10 years ago Yea, your best bet for that is to limit the token lifetime.
cotepatrice
commented
10 years ago Thanks ! That's what I did.
I implement a web API 2 service (OWIN host based). I started with the samples I get from the solution for the client credentials flow and resource server 2. Everything works just fine but I realized that if I have got the Authorization: Bearer header (from Fiddler), I can rerun the same request over and over again without problem. I understand it is by design since OAuth 2 protocol doesn't mess with authentication. And the principle is that we grant permission to the client app, once and for all, so there's no need for reauthentication. Plus, the service is encrypted over SSL.
But in the corporate world, where we want to allow call from one machine in DMZ to another inside the domain (the one's that host the web API), we want to limit the possible attack range. It might be more suitable to use another flow ? Or just change the token lifetime in Authorization Server ?