Token binding
When a user logs in to an application, the server issues an authentication token, such as a session cookie, to the user. The client then sends this token with each subsequent request to prove the user's identity. However, if the token is not securely tied to the communication channel, an attacker who intercepts it can replay it to impersonate the user and gain unauthorized access.
Token binding is a security mechanism in web protocols that ties an authentication token to the client device or channel that holds it, so that the token is only accepted when presented from that same context. Its primary purpose is to prevent token theft and replay attacks.
Asgardeo supports the following token binding types for your OIDC applications.
Note
- Learn how you can register your application in Asgardeo and configure OIDC settings such as token binding for your applications.
- Learn more about the grant types of Asgardeo.
Cookie
The cookie token binding method binds the token to a cookie named atbv, which is set with the Secure and HttpOnly attributes so that it is only sent over TLS and is not readable from client-side script. This method is supported with the authorization code grant type.
SSO-session
The SSO-session token binding method binds the access token to the user's login session. Asgardeo issues a new access token for each new login and revokes the token upon logout, so a token cannot outlive the session it was issued in. This method is supported with the authorization_code grant type.
Certificate
The certificate token binding method binds the access token to the hash of the TLS client certificate passed in the request, so the token is only accepted over a connection that presents the same certificate. This method is supported with all grant types.
Device flow
The device flow token binding method binds the token to the device_code sent in the device flow grant type token call.
Client-request
The client-request token binding method was introduced by Asgardeo for back-channel grant types such as token exchange and password. It binds the token to the tokenBindingId sent in the authentication request.
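The following is an added example, not Asgardeo's own code, showing what a resource server has to do to make the cookie, certificate, device flow and client-request bindings described above actually bite: at issuance the server records a hash of the binding material in the token, and on every request it recomputes that hash from what the request presents and rejects the token when they differ. The claim names binding_type and binding_ref, the request dictionary layout and all sample values are assumptions constructed for this example; the SSO-session method is omitted because it is enforced by revoking the token server-side rather than by a per-request hash comparison.

```python
import base64
import hashlib
import hmac
from typing import Optional


def b64url_sha256(data: bytes) -> str:
    """Return the unpadded base64url SHA-256 digest of data."""
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_claims(subject: str, binding_type: str, binding_material: bytes) -> dict:
    """Issue the token claims at login time, recording a hash of the binding material.

    binding_type / binding_ref are hypothetical claim names used only in this example.
    """
    return {
        "sub": subject,
        "binding_type": binding_type,
        "binding_ref": b64url_sha256(binding_material),
    }


def binding_reference(binding_type: str, request: dict) -> Optional[str]:
    """Recompute the binding reference from what the current request presents.

    The request dict is a constructed stand-in for the framework's request object:
    cookies, the DER bytes of the client TLS certificate, the device_code, or the
    tokenBindingId. Returns None when the binding material is absent.
    """
    if binding_type == "cookie":
        value = request.get("cookies", {}).get("atbv")
        return b64url_sha256(value.encode()) if value else None
    if binding_type == "certificate":
        cert_der = request.get("client_cert_der")
        return b64url_sha256(cert_der) if cert_der else None
    if binding_type == "device_flow":
        code = request.get("device_code")
        return b64url_sha256(code.encode()) if code else None
    if binding_type == "client_request":
        tbid = request.get("tokenBindingId")
        return b64url_sha256(tbid.encode()) if tbid else None
    return None  # unknown binding type: never accept


def validate_binding(claims: dict, request: dict) -> bool:
    """Accept the token only if the request presents the material it was bound to."""
    binding_type = claims.get("binding_type")
    expected = claims.get("binding_ref")
    if not binding_type or not expected:
        return False  # a bound-only API rejects tokens that carry no binding
    presented = binding_reference(binding_type, request)
    if presented is None:
        return False  # replayed without the cookie/cert/code: reject
    # constant-time comparison so the check itself leaks nothing about the reference
    return hmac.compare_digest(presented, expected)


# Constructed sample inputs for the demonstration below.
COOKIE_VALUE = "constructed-atbv-cookie-value"
CERT_DER = b"\x30\x82\x01\x0a-constructed-client-certificate-bytes"
DEVICE_CODE = "constructed-device-code"


def demo() -> dict:
    """Exercise each binding with a matching request and with a replay attempt."""
    results = {}
    cookie_claims = issue_bound_claims("alice", "cookie", COOKIE_VALUE.encode())
    results["cookie_ok"] = validate_binding(cookie_claims, {"cookies": {"atbv": COOKIE_VALUE}})
    # a stolen bearer token presented without the atbv cookie is rejected
    results["cookie_replay"] = validate_binding(cookie_claims, {"cookies": {}})

    cert_claims = issue_bound_claims("alice", "certificate", CERT_DER)
    results["cert_ok"] = validate_binding(cert_claims, {"client_cert_der": CERT_DER})
    # the same token over a connection with a different client certificate is rejected
    results["cert_other"] = validate_binding(cert_claims, {"client_cert_der": b"other-cert"})

    device_claims = issue_bound_claims("alice", "device_flow", DEVICE_CODE.encode())
    results["device_ok"] = validate_binding(device_claims, {"device_code": DEVICE_CODE})
    results["device_missing"] = validate_binding(device_claims, {})
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The standardised form of the certificate case is the cnf/x5t#S256 confirmation claim from RFC 8705; the simplified claim names here stand in for whatever the authorization server actually emits, so a real validator should read the binding from the token format it is given rather than from these names.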