
CA API Management OAUTH Toolkit - Token Security


Article ID: 214223


Products

CA API Gateway

Issue/Introduction

Administrators and security operations teams may be concerned about how OAuth tokens are stored in the OTK database, specifically whether a bad actor who obtains the stored values could use them for malicious activity such as interception or cross-site attacks.


Environment

Release : 9.4 and 10.x

Component : CA API Layer 7 OAUTH Toolkit

Resolution

OAuth tokens do not require encryption in the OTK database because they are random UUIDs issued as opaque tokens: the token value itself is not derived from, and does not reveal, any identifiable client information.

The OAuth 2.0 Authorization Framework

Search for the word "opaque" in this reference (RFC 6749) for a deeper understanding of what an opaque token is.

https://tools.ietf.org/html/rfc6749
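The following Python example is added here to illustrate the point above; it is not OTK code and does not describe how the OTK database is implemented. It mints a version-4 UUID as an opaque token, shows that nothing can be recovered from the token string itself, and contrasts it with a constructed, unsigned self-contained token whose payload is readable by anyone who sees the stored value. The token store, client id and claims are constructed sample data.

```python
import base64
import json
import uuid


def issue_opaque_token() -> str:
    """Mint an opaque access token: a random version-4 UUID.

    uuid4() draws from os.urandom, so the value carries 122 random bits
    and encodes nothing about the client, user or scope. The binding to
    those facts lives only in the server-side token store.
    """
    return str(uuid.uuid4())


def _b64url_json(segment: str):
    """Decode one base64url segment as JSON; return None if it is not."""
    try:
        padded = segment + "=" * (-len(segment) % 4)
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None


def embedded_claims(token: str):
    """Return any claims recoverable from the token string alone.

    A self-contained token (for example an unencrypted JWT laid out as
    header.payload.signature) exposes its payload to whoever reads the
    stored value. An opaque UUID yields no claims: the string is the
    whole secret and reveals nothing about its owner.
    """
    parts = token.split(".")
    if len(parts) == 3:
        header = _b64url_json(parts[0])
        payload = _b64url_json(parts[1])
        if isinstance(header, dict) and isinstance(payload, dict):
            return payload
    return None


def is_opaque_uuid(token: str) -> bool:
    """True if the token parses as a random (version 4) UUID."""
    try:
        return uuid.UUID(token).version == 4
    except ValueError:
        return False


def demo() -> dict:
    """Compare an opaque token with a constructed self-contained one."""
    token = issue_opaque_token()
    # Constructed sample record: the client identity is a column in the
    # server-side store, not something encoded in the token value.
    token_store = {token: {"client_id": "example-client", "scope": "read"}}

    # Constructed unsigned JWT-style token for contrast (alg "none").
    hdr = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(
        b'{"sub":"alice","client_id":"example-client"}'
    ).rstrip(b"=").decode()
    structured = f"{hdr}.{body}."

    return {
        "opaque_is_uuid4": is_opaque_uuid(token),
        "opaque_claims": embedded_claims(token),          # None: nothing to read
        "structured_claims": embedded_claims(structured),  # payload is readable
        "server_side_binding": token_store[token]["client_id"],
    }


if __name__ == "__main__":
    print(demo())
```

The distinction matters for the question in this article: reading an opaque UUID out of the database tells an attacker nothing about which client or user it belongs to, because that relationship exists only in the server-side record keyed by the token.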

Additional Information

Opaque Token

The following text, quoted from RFC 6749 (section 4.1.1, where the state parameter of the authorization request is defined), illustrates what an opaque value is: "An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The parameter SHOULD be used for preventing cross-site request forgery."
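As an added example (not OTK code, and not taken from the RFC), the Python below shows how a client uses an opaque state value to defeat cross-site request forgery on the redirect back from the authorization server: the state is minted from a CSPRNG, bound to the user's session, compared in constant time on the callback, and consumed on first use. The authorization endpoint URL, client id, redirect URI and authorization codes are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder; substitute the real authorization endpoint.
AUTHZ_ENDPOINT = "https://authz.example.test/auth/oauth/v2/authorize"


def begin_authorization(session: dict, client_id: str, redirect_uri: str) -> str:
    """Start the authorization-code flow for this user's session.

    The state value is 256 random bits with no meaning to anyone else;
    it is stored in the session and echoed back by the server.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(query)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Process the redirect back to the client.

    The authorization code is accepted only if the callback carries the
    exact state bound to this session. A forged link (CSRF) cannot know
    the victim's state, so its code is discarded. The state is removed
    on first use so a replayed callback also fails.
    """
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        return {"ok": False, "reason": "missing state"}
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return {"ok": False, "reason": "state mismatch"}
    code = params.get("code", [None])[0]
    if code is None:
        return {"ok": False, "reason": "missing code"}
    return {"ok": True, "code": code}


def run_scenarios() -> dict:
    """Legitimate callback, forged callback, and replayed callback."""
    redirect_uri = "https://client.example.test/cb"  # constructed

    # Legitimate flow: the server echoes the state from the request.
    session = {}
    authz_url = begin_authorization(session, "example-client", redirect_uri)
    state = parse_qs(urlparse(authz_url).query)["state"][0]
    good_cb = f"{redirect_uri}?{urlencode({'code': 'code-for-victim', 'state': state})}"
    legit = handle_callback(session, good_cb)

    # Forged flow: a link crafted without knowledge of the victim's state.
    victim = {}
    begin_authorization(victim, "example-client", redirect_uri)
    bad_cb = f"{redirect_uri}?{urlencode({'code': 'code-for-attacker', 'state': 'guess'})}"
    forged = handle_callback(victim, bad_cb)

    # Replay: the same legitimate callback presented a second time.
    replayed = handle_callback(session, good_cb)

    return {
        "legitimate": legit,
        "forged": forged["reason"],
        "replayed": replayed["reason"],
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The same property that makes the stored access tokens safe to keep unencrypted applies to state: the value is random and meaningless on its own, and the only thing that gives it meaning is the server-side (here, session-side) binding that the attacker cannot see.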

OAuth Request Scenarios

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-management-oauth-toolkit/4-4/oauth-request-scenarios.html