How can I restrict the use of an access token issued to one machine on another machine?


I am using Thinktecture IdentityServer v3 as the identity provider. It issues me access tokens, which I use for web API communication. It works perfectly.

My question is: if anyone gets hold of this issued token and tries to access the web API with it, he/she gets access. I verified it; I got access. How can we restrict the access token so that it can only be used by the machine it was issued to?

leastprivilege

You are right - there is currently only a standard for so-called bearer tokens. Whoever has the token can use it. That's why it is paramount to use transport protection for all network communication.

There are upcoming specs for proof of possession semantics and request signatures.

https://tools.ietf.org/wg/oauth/
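To make the difference concrete, here is an added example (not code from the question, the answer, or IdentityServer) that models the bearer check the question describes beside a simple proof-of-possession check of the kind the answer points to: the resource server accepts a request only if it is signed with a key bound to the token, for that method and path, within a short freshness window. The token string, the `TOKEN_KEYS` lookup table, the `PoP` header scheme and the `X-PoP-*` headers are constructed for the example and do not follow any standard's wire format.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample: an opaque issued token and the confirmation key bound to it.
# The key is held by the legitimate client and known to the resource server (here a
# lookup table; a real issuer would carry it in a "cnf" claim or via introspection).
ACCESS_TOKEN = "constructed.opaque.access.token"
POP_KEY = secrets.token_bytes(32)
TOKEN_KEYS = {ACCESS_TOKEN: POP_KEY}   # resource-server view of token -> key

def canonical(method, path, timestamp, token):
    """Bytes the client signs: method, path, time and a hash of the token."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), token_hash]).encode()

def sign_request(method, path, token, key, timestamp=None):
    """Client side: prove possession of `key` for this specific request."""
    ts = int(time.time()) if timestamp is None else timestamp
    sig = hmac.new(key, canonical(method, path, ts, token), hashlib.sha256).hexdigest()
    return {"Authorization": f"PoP {token}",
            "X-PoP-Timestamp": str(ts),
            "X-PoP-Signature": sig}

def bearer_accepts(headers):
    """Plain bearer check from the question: presenting the token alone grants access."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme in ("Bearer", "PoP") and token in TOKEN_KEYS

def pop_accepts(method, path, headers, now=None, max_skew=300):
    """Resource server: accept only if the request was signed with the bound key
    for this method and path, within a short freshness window (limits replay)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "PoP" or token not in TOKEN_KEYS:
        return False
    try:
        ts = int(headers["X-PoP-Timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False
    expected = hmac.new(TOKEN_KEYS[token], canonical(method, path, ts, token),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-PoP-Signature", ""))
```

With `bearer_accepts`, a copied token is enough; with `pop_accepts`, a copied token without the bound key, a signed request replayed outside the window, or a signature reused for a different method or path is rejected.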