What is the best practice to secure a bearer token obtained upon authenticating a daemon application on Azure AD OAuth 2.0 endpoint? Is it possible for the token to be sent only to a particular URL?
- See https://stackoverflow.com/questions/1626575/best-practices-around-generating-oauth-tokens – Marc LaFleur Oct 13 '17 at 21:46
- Possible duplicate of [Best practices around generating OAuth tokens?](https://stackoverflow.com/questions/1626575/best-practices-around-generating-oauth-tokens) – Marc LaFleur Oct 13 '17 at 21:46
- My question is more specific to Azure AD. Is it possible to configure on Azure AD that the bearer token should be sent to only my app URL? – Vipin Chacko Oct 14 '17 at 08:54
- There are a number of security measures specified by OAuth 2.0. These are detailed in [RFC 6819: OAuth 2.0 Threat Model and Security Considerations](https://tools.ietf.org/html/rfc6819) – Marc LaFleur Oct 14 '17 at 15:16
1 Answer
> My question is more specific to Azure AD. Is it possible to configure on Azure AD that the bearer token should be sent to only my app URL?
Not sure whether I understand the question exactly. Normally, the token is issued to the corresponding resource exactly, by the `aud` claim in the token. That means that even if you send your token to another resource, it is invalid. If by security you mean the token itself, like token leakage, the client should save the token safely, and the client and resource should communicate safely; for example, we should use HTTPS instead of HTTP.

Fei Xue