The Okta Trusted Origins API provides operations to manage Trusted Origins and sources. When external URLs are requested during sign-in, sign-out, or recovery operations, Okta checks those URLs against the allowed list of Trusted Origins. Trusted Origins also enable browser-based applications to access Okta APIs from JavaScript (CORS). If the origins aren't specified, the related operation (redirect or Okta API access) isn't permitted. You can also configure Trusted Origins to allow iFrame embedding of Okta resources, such as Okta sign-in pages and the Okta End-User Dashboard, within that origin. To enable it, contact Okta Support.

Note: Some of the curl code examples on this page include SSWS API token authentication. However, Okta recommends using scoped OAuth 2.0 and OIDC access tokens to authenticate with Okta management APIs. OAuth 2.0 and OIDC access tokens provide fine-grained control over the bearer's actions on specific endpoints.

Trusted Origins API operations

Create Trusted Origin

Creates a new Trusted Origin.

Valid request example

Response example

api/v1/trustedOrigins/tos10hzarOl8zfPM80g3"

Passing an invalid Trusted Origin ID returns a 404 Not Found status code with error code E0000007.

Trusted Origin object

Trusted Origin properties

A Trusted Origin defines several attributes. Among them is an array of Scope types that this Trusted Origin is used for. Each Scope object specifies the type of Scope that its Trusted Origin is used for. Supported values: CORS, REDIRECT, or IFRAME_EMBED. When you use IFRAME_EMBED as the scope type, leave the allowedOktaApps property empty to allow iFrame embedding of only Okta sign-in pages. Include OKTA_ENDUSER as a value for the allowedOktaApps property to allow iFrame embedding of both Okta sign-in pages and the Okta End-User Dashboard.

Consideration about the security of token transmission to resource servers (RS)

The proposed RFC 6749 standard is quite clear on the need to use access tokens only between authorized parties (§ 10.3): "Access token credentials (as well as any confidential access token attributes) MUST be kept confidential in transit and storage, and only shared among the authorization server, the resource servers the access token is valid for, and the client to whom the access token is issued."

If all the resource servers (RS) to which the tokens are transmitted belong to the same organization (corporate realm), we can hope that the tokens will not be compromised, that is to say accessible to applications outside the organization. It can also be assumed that the resources are located in a subnet protected by a firewall that prohibits application requests from outside the subnet. It can then be assumed that any application directed to the resources is allowed to receive a response. But note that, from the point of view of a resource server, trust does not result from a particular character of the application, but from the fact that it is located inside a space of confidence that we assume inaccessible to other applications. However, even in this case, a well-crafted attack could lead to stealing the token and exploiting it with a foreign application. In any case, such assumptions are never very good in terms of security. Of course, if you address a token to a foreign resource, you must consider the token as compromised because it can be used by a foreign application.

Rather than rest on a notion of confidence area and trustable applications, the resource server must be able to verify the legitimacy of the token holder. The specification clearly describes this limitation (section 10.3): "This specification does not provide any methods for the resource server to ensure that an access token presented to it by a given client was issued to that client by the authorization server."

Two types of applications must be distinguished with regard to the origin of the request:
Applications "with back-end", i.e. sending their requests from a server: the request will be sent with the IP of the application server.
Applications without back-end, issuing their request from a user-agent (the browser of the end user, the operating system of the host computer of a native application, etc.): the request will be issued with the IP of the user-agent connection, possibly masked by a proxy.
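As an added illustration of the Trusted Origins check described at the top of this page (this is not Okta's code; the allow-list entries, example hosts and function names are constructed, while the object shape follows the Trusted Origin attributes described above), a Python allow-list check that refuses redirect, CORS and iFrame-embedding requests from any origin that is not listed with the matching scope type, and that compares whole origins rather than URL prefixes or host suffixes:

```python
from urllib.parse import urlsplit

# Constructed allow-list shaped like Okta Trusted Origin objects (name, origin, scopes of type CORS, REDIRECT or IFRAME_EMBED).
TRUSTED_ORIGINS = [
    {"name": "SPA", "origin": "https://app.example.com",
     "scopes": [{"type": "CORS"}, {"type": "REDIRECT"}]},
    {"name": "Portal", "origin": "https://portal.example.com:8443",
     "scopes": [{"type": "IFRAME_EMBED", "allowedOktaApps": ["OKTA_ENDUSER"]}]},
]
DEFAULT_PORTS = {"https": 443, "http": 80}

def normalize_origin(url):
    """Reduce a URL to scheme://host[:port]; None if it is not a usable origin."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # Userinfo (https://app.example.com@other.example/) is rejected: the real host
    # is whatever follows the "@", not the part that looks trusted.
    if parts.username is not None or parts.password is not None:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    host = parts.hostname.lower()
    if port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"

def scopes_for(url, trusted=TRUSTED_ORIGINS):
    """Scope objects registered for the URL's origin. Whole-origin equality only:
    no prefix or suffix matching, so app.example.com.other.example does not match."""
    origin = normalize_origin(url)
    for entry in trusted:
        if origin is not None and normalize_origin(entry["origin"]) == origin:
            return entry["scopes"]
    return []  # unlisted origin: redirect, CORS and embedding are all refused

def is_allowed(url, scope_type, trusted=TRUSTED_ORIGINS):
    """True only when the origin is listed with that scope type."""
    return any(s["type"] == scope_type for s in scopes_for(url, trusted))

def iframe_embedding(url, trusted=TRUSTED_ORIGINS):
    """Sign-in pages embed whenever IFRAME_EMBED is granted; the End-User
    Dashboard only when allowedOktaApps contains OKTA_ENDUSER."""
    for s in scopes_for(url, trusted):
        if s["type"] == "IFRAME_EMBED":
            apps = s.get("allowedOktaApps", [])  # empty: sign-in pages only
            return {"sign_in": True, "end_user_dashboard": "OKTA_ENDUSER" in apps}
    return {"sign_in": False, "end_user_dashboard": False}
```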