Java
Alexiuscrow, 2015-11-04 12:42:41

How to distinguish between devices requesting a token on an OAuth2 server?

There is a web application for issuing tokens to clients (OAuth2), where the "authorization code" authorization type is implemented.
At the moment, with each request of a client (application) that wants to get a token to use the resource API on behalf of one user, a new token is issued (regardless of which device the request was made from).
What needs to be done: add the ability to issue different tokens for the same client that wants to get access to the resource API on behalf of the same user, but makes the request from different devices.
Example. The "ClientApp" application installed on the home computer wants to receive a token for accessing the "PhotoService" web service on behalf of the user "Max". To do this, "ClientApp" contacts the authorization service "OAuth2Service" to obtain a token, which will later be used to access "PhotoService". As a result, "ClientApp" receives a token. When the "ClientApp" application installed on the work computer tries to obtain a token from "OAuth2Service", it must be given a new token, while the old token obtained from the home computer must remain valid. That is, the token must be tied to the device from which the request was made, the client (client_id) and the user on whose behalf the client will use the resource API. For the same device, same client and same user, a new token must be returned, and the old one must become invalid.
How to distinguish the devices from which the request was made?
There are considerations that you can use the User-Agent from the header (example: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0"), but the same browser and OS versions can be installed on different devices. In addition, the "User-Agent" header may not be present when accessing the authorization service.
Option #2 - pass the device description as a parameter when calling the authorization service. I have not seen such an implementation before, so this approach is doubtful.
Apache Oltu is used to implement the OAuth2 application.
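The token bookkeeping the question describes, as an added example that is not part of the original post and does not use Apache Oltu's API: tokens are keyed by the triple (client_id, user_id, device_id), a second device for the same client and user gets its own token while earlier ones stay valid, and re-issuing for a triple that already has a token revokes the previous one. It assumes the client sends a `device_id` parameter it generated once at installation (the "option #2" from the question); the names `TokenStore`, `TokenKey` and `device_id` are this example's own, and the store keeps only a hash of each token so a dump of the table does not yield usable credentials.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class TokenKey:
    """Identity a token is bound to: which app, for which user, on which device."""
    client_id: str
    user_id: str
    device_id: str


class TokenStore:
    """In-memory registry of issued access tokens, keyed by (client, user, device).

    Hypothetical example class; a real server would back this with a database
    and add expiry. Only SHA-256 digests of tokens are stored.
    """

    def __init__(self) -> None:
        self._by_key: Dict[TokenKey, str] = {}   # TokenKey -> token digest
        self._by_digest: Dict[str, TokenKey] = {}  # token digest -> TokenKey

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    @staticmethod
    def resolve_device_id(params: Dict[str, str]) -> str:
        """Take the client-supplied device_id; refuse requests that omit it.

        User-Agent is deliberately not used as a fallback: it is optional and
        identical across machines running the same browser and OS.
        """
        device_id = params.get("device_id", "").strip()
        if not device_id:
            raise ValueError("device_id parameter is required")
        return device_id

    def issue(self, client_id: str, user_id: str, params: Dict[str, str]) -> str:
        key = TokenKey(client_id, user_id, self.resolve_device_id(params))
        previous = self._by_key.get(key)
        if previous is not None:
            # Same client + user + device asked again: the old token stops working.
            del self._by_digest[previous]
        token = secrets.token_urlsafe(32)
        digest = self._digest(token)
        self._by_key[key] = digest
        self._by_digest[digest] = key
        return token

    def validate(self, token: str) -> Optional[TokenKey]:
        """Return the binding of a live token, or None if unknown or revoked."""
        return self._by_digest.get(self._digest(token))

    def active_tokens(self, client_id: str, user_id: str) -> int:
        """How many devices currently hold a live token for this client and user."""
        return sum(1 for k in self._by_key
                   if k.client_id == client_id and k.user_id == user_id)


def scenario() -> dict:
    """Replays the home-computer / work-computer story from the question.

    Device identifiers below are constructed sample values.
    """
    store = TokenStore()
    home = store.issue("ClientApp", "Max", {"device_id": "inst-home-7f3a"})
    work = store.issue("ClientApp", "Max", {"device_id": "inst-work-91c2"})
    both_valid = store.validate(home) is not None and store.validate(work) is not None

    # Home computer asks again: it gets a fresh token, the old home token dies,
    # and the work computer's token is untouched.
    home_again = store.issue("ClientApp", "Max", {"device_id": "inst-home-7f3a"})
    return {
        "both_valid_before_reissue": both_valid,
        "old_home_revoked": store.validate(home) is None,
        "work_still_valid": store.validate(work) is not None,
        "new_home_device": store.validate(home_again).device_id,
        "live_tokens": store.active_tokens("ClientApp", "Max"),
    }


if __name__ == "__main__":
    print(scenario())
```

Because `device_id` is asserted by the client, it only partitions sessions per installation; it does not prove which machine sent the request, so it belongs alongside, not instead of, the client's own authentication in the authorization-code exchange. Requests without the parameter are rejected rather than silently merged into one session.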
