Identity & Access Management

Elevating Security with Asgardeo’s “client-request” Token Binding Type

Vivekvinushanth Christopher
Published in Authenticate
4 min read · Jan 10, 2024


Asgardeo, together with WSO2 Identity Server, introduces a new token binding type called “client-request”. It is aimed at applications that obtain tokens through back-channel grant types such as token exchange or the password grant, where no browser is involved in the flow.

Applications using back-channel flows previously had no way to associate a user session with a particular device or application instance. Browser-based applications can bind tokens to a cookie or to the SSO session; back-channel clients could not bind them to anything. The “client-request” token binding type closes this gap so that the same binding model covers both kinds of deployment.

The “client-request” binding type introduces a token request parameter, “tokenBindingId”, with which the client explicitly ties the tokens it receives to a specific device or instance. The client chooses the value, and it should be unique per instance; tokens issued to the same application, user and scope combination but with different “tokenBindingId” values are then treated as separate sessions, each with its own lifecycle.

During application registration, developers select the “client-request” binding type; the application may then include “tokenBindingId” in its token requests, and that value identifies the device or instance the resulting session belongs to. One caveat: because the value is supplied by the client in the request itself, this binding partitions sessions rather than proving possession of a key. The access token is still a bearer token, and a party that obtains it can use it regardless of the “tokenBindingId” it was issued with, so this feature does not replace proof-of-possession mechanisms.

The behaviour of the “client-request” token binding type depends on the token type configured for the application (JWT or opaque) and on the grant type used (code or password). Summarised by token type:

  1. JWT token type:
  • Without tokenBindingId: every new token request for the same application/user/scope combination issues a new access token and revokes the previously issued one.
  • With tokenBindingId: every request issues a new access token, but previously issued tokens are revoked only when they carry the same tokenBindingId. Tokens with different tokenBindingId values remain active side by side.

  2. Opaque token type:
  • Without tokenBindingId: the same access token is returned for every request until it expires.
  • With tokenBindingId: a request with a tokenBindingId that has not been seen before gets a new access token; a request that repeats an existing tokenBindingId gets that binding’s existing token back.
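The rules above can be replayed against a small model of the issuer. The following is an added example, not Asgardeo or WSO2 Identity Server code: it applies the JWT/opaque × with/without tokenBindingId matrix to a sequence of token requests so the outcome of each step can be checked without a tenant. One assumption it makes, which the text does not state explicitly, is that a request without tokenBindingId forms its own session key and does not affect tokens that were issued with a binding id. The client, user, scope and binding id values are constructed for the illustration.

```python
"""Toy model of "client-request" token binding (added example, not Asgardeo code).

Assumption: a request without tokenBindingId uses its own session key (None) and
leaves tokens issued with a binding id untouched. Times are a simulated clock in
seconds, starting at 0.0.
"""
import itertools
from dataclasses import dataclass, field

_serial = itertools.count(1)
LIFETIME = 3600.0  # access token lifetime in simulated seconds


@dataclass
class Token:
    value: str
    key: tuple          # (client_id, user, scope, tokenBindingId or None)
    issued_at: float
    revoked: bool = False

    def is_active(self, now=0.0):
        return not self.revoked and now < self.issued_at + LIFETIME


@dataclass
class ClientRequestBindingIssuer:
    token_type: str     # "jwt" or "opaque"
    tokens: list = field(default_factory=list)

    def token_request(self, client_id, user, scope, token_binding_id=None, now=0.0):
        key = (client_id, user, scope, token_binding_id)
        live = [t for t in self.tokens if t.key == key and t.is_active(now)]
        if self.token_type == "opaque" and live:
            # Opaque: same app/user/scope/binding id -> existing token returned until expiry.
            return live[0]
        for t in live:
            # JWT: a new token for the same key revokes the earlier one; other keys are untouched.
            t.revoked = True
        fresh = Token(f"{self.token_type}-{next(_serial)}", key, now)
        self.tokens.append(fresh)
        return fresh

    def introspect(self, value, now=0.0):
        for t in self.tokens:
            if t.value == value:
                return {"active": t.is_active(now), "token_binding_id": t.key[3]}
        return {"active": False}


def scenario(token_type):
    """Replay the try-out: repeat without a binding id, two different ids, then a repeat."""
    issuer = ClientRequestBindingIssuer(token_type)

    def request(binding_id):
        return issuer.token_request("my_app", "alice", "openid", binding_id)

    def active(token):
        return issuer.introspect(token.value)["active"]

    unbound_1 = request(None)
    unbound_2 = request(None)
    dev_a = request("device-A")
    dev_b = request("device-B")
    both_active = active(dev_a) and active(dev_b)
    dev_a_again = request("device-A")
    return {
        "same_token_without_binding": unbound_1 is unbound_2,
        "first_unbound_active_after_second": active(unbound_1),
        "different_ids_both_active": both_active,
        "repeat_returns_same_token": dev_a_again is dev_a,
        "first_device_a_active_after_repeat": active(dev_a),
        "device_b_untouched_by_repeat": active(dev_b),
    }


if __name__ == "__main__":
    for tt in ("jwt", "opaque"):
        print(tt, scenario(tt))
```

Running it prints one dictionary per token type: with JWT tokens a repeated binding id revokes the earlier token for that id and a request without a binding id revokes the previous unbound token, while the opaque issuer hands back the same token in both cases; in both modes tokens for different binding ids stay active together.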

To try out the “client-request” token binding type with the password grant in Asgardeo and verify the result with an introspection call, follow these steps:

Try out

  1. Sign up for or log in to Asgardeo.
  2. Go to the Applications page, choose to create a Standard-Based Application, and select the OAuth2.0 standard.
  3. Create the application.
  4. Enable the password grant for the application.
  5. Choose the “client-request” token binding type.
Fig.1. Screenshot taken from Asgardeo console application protocol edit page

  6. Choose between the JWT and opaque token types. The behaviour differs as described above, so it is worth repeating the steps below with each.

  7. Get an access token:

  • Use a tool such as cURL or Postman to perform the password grant flow.
  • Make a POST request to the token endpoint with the client credentials, username, password and a tokenBindingId.

curl -X POST \
  -u "<client_id>:<client_secret>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username=<user_name>&password=<user_password>&tokenBindingId=<unique_instance_id>" \
  https://api.asgardeo.io/t/<organization>/oauth2/token

Replace the placeholders with your actual values. If the username or password contains characters such as & or %, pass each field with --data-urlencode instead of a single -d string so that it is form-encoded correctly.

  8. Capture the access_token value from the JSON response.

  9. Perform an introspection call with the captured access token:

curl -X POST \
  -u "<client_id>:<client_secret>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=<access_token>" \
  https://api.asgardeo.io/t/<organization>/oauth2/introspect

Replace the placeholders with your actual values.

  10. Analyse the introspection response; "active": true confirms the token is live.

  11. Make another password grant request with a different tokenBindingId and introspect both tokens. The user now holds multiple active access tokens, one per binding ID.

  12. Repeat a request with a tokenBindingId you have already used and confirm the behaviour described above: with JWT tokens the earlier token for that binding is revoked, while with opaque tokens the same token is returned.

By following these steps you can test the “client-request” token binding type with the password grant in Asgardeo and verify the token behaviour through introspection.
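Steps 7 to 12 can be scripted so the check is repeatable for both token types. The following is an added example, not code from the original post or from Asgardeo; it uses only the Python standard library. The endpoint paths are the ones used in the curl commands above; the environment variable names and the binding id values “device-A” and “device-B” are this example’s own choices. Network calls happen only inside run_try_out(); the request-building and response-parsing helpers are pure and can be checked offline.

```python
"""Automate the try-out (added example, not Asgardeo code).

Assumptions: tenant and credentials come from the ASGARDEO_* environment
variables named below; the binding ids "device-A" / "device-B" stand in for two
application instances.
"""
import base64
import json
import os
import urllib.parse
import urllib.request


def basic_auth_header(client_id, client_secret):
    """HTTP Basic client authentication, equivalent to curl -u."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def password_grant_body(username, password, token_binding_id=None, scope=None):
    """Form body for the token endpoint; tokenBindingId is omitted when None.

    urlencode() escapes characters such as '&' in the password, which a
    hand-written -d string would otherwise split into extra fields.
    """
    fields = {"grant_type": "password", "username": username, "password": password}
    if scope:
        fields["scope"] = scope
    if token_binding_id is not None:
        fields["tokenBindingId"] = token_binding_id
    return urllib.parse.urlencode(fields)


def introspection_body(token):
    return urllib.parse.urlencode({"token": token})


def interpret_introspection(payload):
    """Reduce an introspection response (RFC 7662 shape) to what the try-out checks."""
    data = json.loads(payload) if isinstance(payload, (str, bytes)) else payload
    return {
        "active": data.get("active") is True,
        "sub": data.get("sub") or data.get("username"),
        "scope": data.get("scope"),
        "exp": data.get("exp"),
    }


def post_form(url, auth_header, body):
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST")
    req.add_header("Authorization", auth_header)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def run_try_out():
    env = os.environ
    base = f"https://api.asgardeo.io/t/{env['ASGARDEO_ORG']}/oauth2"
    auth = basic_auth_header(env["ASGARDEO_CLIENT_ID"], env["ASGARDEO_CLIENT_SECRET"])
    user, password = env["ASGARDEO_USER"], env["ASGARDEO_PASSWORD"]

    def token(binding_id):
        body = password_grant_body(user, password, binding_id)
        return post_form(f"{base}/token", auth, body)["access_token"]

    def active(access_token):
        body = introspection_body(access_token)
        return interpret_introspection(post_form(f"{base}/introspect", auth, body))["active"]

    tok_a = token("device-A")                      # step 7
    tok_b = token("device-B")                      # step 11: a second binding id
    print("device-A active:", active(tok_a), "| device-B active:", active(tok_b))
    tok_a2 = token("device-A")                     # step 12: repeat a binding id
    print("after repeat, first device-A token active:", active(tok_a),
          "| new device-A token active:", active(tok_a2))


REQUIRED = ("ASGARDEO_ORG", "ASGARDEO_CLIENT_ID", "ASGARDEO_CLIENT_SECRET",
            "ASGARDEO_USER", "ASGARDEO_PASSWORD")

if __name__ == "__main__":
    if all(os.environ.get(k) for k in REQUIRED):
        run_try_out()
    else:
        print("set", ", ".join(REQUIRED), "to run against a tenant")
```

With an application configured for JWT tokens, the second printed line should show the first device-A token inactive and the new one active; with opaque tokens both lines should show every token active, and tok_a2 will equal tok_a. Both lines show device-B unaffected by the repeat, since its binding id is different.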

The “client-request” token binding type is designed for back-channel grant types, but it also works with the other grants Asgardeo supports, such as the authorization code grant. Developers can therefore apply it across a range of use cases that need per-instance token lifecycles.

With the “client-request” token binding type and its “tokenBindingId” parameter, Asgardeo gives applications that rely on back-channel grant types a way to manage user sessions per device or instance in varied deployment scenarios. Each device or instance gets its own token lifecycle, so revoking or replacing one instance’s token no longer disturbs the others, which makes for a more manageable identity and access management setup.
