1) How can we assure that the OAuth client secret is safe? For a pure JS web app, it cannot be stored in the client, since it becomes a public value. For an Android mobile app, it can be retrieved by decompiling the app binary.
2) We have to use a refresh token to keep extending the "session" time of the active user. How do we avoid the token replay issue? If the client id and refresh token are shared, then we would be issuing access tokens without any validation (like 2FA). What kind of client binding can be done to the refresh token to ensure that access tokens are only provided in the same session and to the same client?
Regarding:
1) How can we assure that the OAuth client secret is safe? For a pure JS web app, it cannot be stored in the client, since it becomes a public value. For an Android mobile app, it can be retrieved by decompiling the app binary.
2) We have to use a refresh token to keep extending the "session" time of the active user. How do we avoid the token replay issue? If the client id and refresh token are shared, then we would be issuing access tokens without any validation (like 2FA). What kind of client binding can be done to the refresh token to ensure that access tokens are only provided in the same session and to the same client?
Hope it helps.
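As an added example (not code from the original thread or from any specific authorization server), the following sketch shows one defensive pattern for both questions above: PKCE for public clients that cannot hold a client secret (question 1), and refresh-token rotation with reuse detection, where every refresh token is bound to the client_id that it was issued to and belongs to a token "family" that is revoked as a whole the moment a token is replayed or presented by a different client (question 2). All function and class names are hypothetical, and the in-memory store stands in for the authorization server's database.

```python
import base64
import hashlib
import secrets


def make_pkce_pair():
    """Public clients (SPA, mobile) cannot keep a client secret, so PKCE
    binds the authorization code to whoever started the flow instead:
    the client keeps the verifier and sends only its SHA-256 challenge."""
    verifier = secrets.token_urlsafe(32)  # 43 unreserved chars, per RFC 7636
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """Server side of PKCE: recompute the S256 challenge from the verifier
    presented at the token endpoint and compare in constant time."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    expected = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return secrets.compare_digest(expected, challenge)


class RefreshTokenStore:
    """Constructed in-memory stand-in for the authorization server's
    refresh-token table. Tokens are stored hashed so a database leak
    does not hand out usable tokens."""

    def __init__(self):
        self.tokens = {}    # sha256(token) -> record
        self.families = {}  # family_id -> {"revoked": bool}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, client_id, user_id, family_id=None):
        """Issue a refresh token bound to client_id. A new family is started
        on the initial grant; rotations stay in the same family."""
        if family_id is None:
            family_id = secrets.token_hex(8)
            self.families[family_id] = {"revoked": False}
        token = secrets.token_urlsafe(32)
        self.tokens[self._key(token)] = {
            "client_id": client_id,
            "user_id": user_id,
            "family": family_id,
            "used": False,
        }
        return token

    def rotate(self, presented, client_id):
        """Exchange a refresh token for a new access + refresh token pair.
        Any anomaly (wrong client, already-used token, revoked family)
        revokes the whole family, so a replayed token also cuts off the
        party that is legitimately holding the latest token, forcing a
        fresh interactive login."""
        rec = self.tokens.get(self._key(presented))
        if rec is None:
            return None
        fam = self.families[rec["family"]]
        if rec["client_id"] != client_id or rec["used"] or fam["revoked"]:
            fam["revoked"] = True
            return None
        rec["used"] = True
        new_refresh = self.issue(client_id, rec["user_id"], rec["family"])
        # Opaque access token; a real server would mint a scoped, short-lived token.
        return {"access_token": secrets.token_urlsafe(24), "refresh_token": new_refresh}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("PKCE verifies:", verify_pkce(verifier, challenge))

    store = RefreshTokenStore()
    rt1 = store.issue("mobile-app", "alice")
    first = store.rotate(rt1, "mobile-app")
    print("first rotation ok:", first is not None)
    print("replay of rt1 rejected:", store.rotate(rt1, "mobile-app") is None)
    print("family revoked after replay:",
          store.rotate(first["refresh_token"], "mobile-app") is None)
```

Binding the token to client_id alone only helps when the client_id and token travel together, which is exactly the case the question worries about; the rotation-plus-reuse-detection step is what turns a leaked refresh token into a detectable event rather than a silent long-lived session, and stronger sender-constraining (a key held by the client, as in DPoP or mutual TLS) is the natural next layer on top of this pattern.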