Client-request token binding¶
Back-channel grant types such as token exchange or password, cannot associate the user sessions with specific devices or instances. To address this issue, Asgardeo introduced client request binding. The client-request binding type works with a parameter called tokenBindingId
. This parameter allows developers to explicitly associate user sessions with specific devices or instances.
Let's look into it in detail.
Note
Learn mroe about token binding and other token binding types supported by Asgardeo in the Token Binding documentation.
In client-request token binding, the tokenBindingId
parameter reflects the user session in a particular device or instance. The behavior of the client-request binding type depends on the type of access token (JWT or Opaque) and the grant type that you configure for the application.
For each type of access token, client-request token binding behaves as follows.
-
JWT
-
If the request does not contain a
tokenBindingId
, Asgardeo issues a new access token for every new token request with the same application, user and scope combination and revokes the previous tokens. -
If the request contains a
tokenBindingId
, Asgardeo issues a new access token for each uniquetokenBindingId
value. Issuing a new token does not revoke tokens issued for othertokenBindingId
values.
-
-
Opaque
-
If the request does not contain a
tokenBindingId
, Asgardeo issues the same access token for every new token request until the token expires. -
If the request contains a
tokenBindingId
, Asgardeo issues a new access token for each uniquetokenBindingId
value. Issuing a new token does not revoke tokens issued for othertokenBindingId
values.
-
Try it out¶
You can test the client-request token binding type in Asgardeo by following the steps below.
-
Create a standard-based application.
-
On the Asgardeo Console, create a standard-based application by selecting OAuth2.0 as the protocol.
-
Go to its Protocol tab and under Allowed grant types, select Password.
-
In Protocol > Access Token,
- select either JWT or Opaque as the Token type.
- select client-request as the Token binding type.
-
Click Update to save your changes.
-
-
Use a tool such as cURL or Postman to perform the password grant flow as follows. Provide any value for the
tokenBindingId
.curl -X POST -u "<client_id>:<client_secret>" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=password &username=<user_name> &password=<user_password> &tokenBindingId=uniqueId" https://api.asgardeo.io/t/<organization_name>/oauth2/token
-
Capture the access token from the response.
-
Perform an introspection and ensure the validity of the access token.
curl -X POST -u "client_id:client_secret" -H "Content-Type: application/x-www-form-urlencoded" -d "token=<your_access_token>" https://api.asgardeo.io/t/<organization_name>/oauth2/introspect
-
Repeat the steps for different
tokenBindingId
values and different token types and verify that the client-request behavior conforms to the patterns mentioned above.
Eventhough the client-request token binding type is tailored towards back-channel grant types, its versatility extends to support any other grants in Asgardeo. This flexibility allows developers to incorporate this feature into various use-cases, providing a more robust and secure solution for identity and access management.