Thursday, June 18, 2015

OAuth: open access to anyone with the access token

I am setting up OAuth2 for my web application. Imagine the case where an entity ABC was authenticated and received an access token from my web application.

Is it necessary to ensure that the subsequent requests containing this access token from the entity ABC are indeed coming from the entity ABC, by having extra validation fields that only ABC is aware of?

Or should I grant access to anyone with this access token, no matter who they are, believing that anyone who has this access token is indeed the entity ABC, since it is my responsibility to secure the access token's transmission to the entity ABC?
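The two options in the question map onto two token models, shown here as an added example that is not code from the post's author. OAuth 2.0 bearer tokens (RFC 6750) are accepted from whoever presents them, so the second option is what the standard bearer model does; the first option is a sender-constrained (proof-of-possession) token, which later standards provide via mutual TLS (RFC 8705) and DPoP (RFC 9449). The Python below, standard library only, contrasts the two: an in-memory token store (constructed here as a stand-in for the authorization server's database), a plain bearer check, and a proof-of-possession check in which the client signs each request with a key only it holds. The HMAC scheme, the function names, `max_skew` and the nonce set are assumptions for illustration, not either RFC's exact wire format.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory state standing in for the server's token database.
# access_token -> {"client_id": str, "pop_key": bytes | None}
TOKENS = {}
# Nonces of accepted proofs, so a captured proof cannot be replayed (assumed design).
SEEN_NONCES = set()


def issue_token(client_id, pop_key=None):
    """Issue an access token for client_id.

    With pop_key=None the token is a plain bearer token. With a pop_key the
    token is sender-constrained: the server records which key it is bound to
    and later requests must prove possession of that key.
    """
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client_id": client_id, "pop_key": pop_key}
    return token


def authorize_bearer(token):
    """Bearer model (RFC 6750): whoever presents a valid token is its owner.

    A sender-constrained token is deliberately NOT accepted here; accepting it
    as a bearer would silently remove the binding.
    """
    entry = TOKENS.get(token)
    if entry is None or entry["pop_key"] is not None:
        return None
    return entry["client_id"]


def _proof_message(method, path, token, timestamp, nonce):
    # The proof covers the request (method, path), the token itself (as a hash,
    # comparable to DPoP's "ath" claim), a timestamp and a one-time nonce, so a
    # proof for one request cannot be reused for another.
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    return f"{method}\n{path}\n{token_hash}\n{timestamp}\n{nonce}".encode()


def make_proof(pop_key, method, path, token, timestamp=None, nonce=None):
    """Client side: sign this request with the key only the token holder has."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(8) if nonce is None else nonce
    msg = _proof_message(method, path, token, timestamp, nonce)
    sig = hmac.new(pop_key, msg, hashlib.sha256).hexdigest()
    return {"ts": timestamp, "nonce": nonce, "sig": sig}


def authorize_pop(token, method, path, proof, now=None, max_skew=60):
    """Server side: the token must be valid AND the proof must verify under the
    key the token was bound to at issuance. Returns the client id or None."""
    entry = TOKENS.get(token)
    if entry is None or entry["pop_key"] is None:
        return None
    now = int(time.time()) if now is None else now
    if abs(now - proof["ts"]) > max_skew:      # stale proof
        return None
    if proof["nonce"] in SEEN_NONCES:          # replayed proof
        return None
    msg = _proof_message(method, path, token, proof["ts"], proof["nonce"])
    expected = hmac.new(entry["pop_key"], msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, proof["sig"]):
        return None
    SEEN_NONCES.add(proof["nonce"])
    return entry["client_id"]


def demo():
    """Walk through the scenario in the question with an attacker who has
    captured the token (and, for the bound token, one signed request)."""
    abc_key = secrets.token_bytes(32)          # known only to entity ABC
    bearer = issue_token("ABC")
    bound = issue_token("ABC", pop_key=abc_key)

    proof = make_proof(abc_key, "GET", "/api/resource", bound)
    legit = authorize_pop(bound, "GET", "/api/resource", proof)
    replayed = authorize_pop(bound, "GET", "/api/resource", proof)
    forged = make_proof(b"attacker-guess", "GET", "/api/resource", bound)
    forged_result = authorize_pop(bound, "GET", "/api/resource", forged)

    return {
        "stolen_bearer_accepted": authorize_bearer(bearer) == "ABC",
        "bound_token_as_bearer_accepted": authorize_bearer(bound) == "ABC",
        "legit_proof_accepted": legit == "ABC",
        "replayed_proof_accepted": replayed == "ABC",
        "forged_proof_accepted": forged_result == "ABC",
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the two checks make: with a bearer token, the "extra validation fields that only ABC is aware of" do not exist, so protecting the token in transit (TLS) and at rest, keeping lifetimes short and scoping tokens narrowly is the whole defence. With a sender-constrained token the server binds the token to a key at issuance, and a stolen token is useless without that key; the cost is that every client request must carry a fresh proof and the server must track nonces and clock skew.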
