1.5 KiB
Security
In general most OAuth 2.0 security guidelines apply to Jackson as well but there are a few minor differences.
Tenancy
OAuth 2.0 is typically a single instance and all users can login using the same instance. However SAML is based on an specific instance that your customers have to configure with their Identity Provider. This means that access to the SAML instance is limited to only those that have been provisioned for it, adding another layer of security to the login flow.
Client Secret
The Config API returns a client_id
and client_secret
that you can save for each customer and use when initiating the OAuth 2.0 flow. However for convenience we also let you use a tenant
and product
instead since this doesn't require you to store any additional data. When using this we recommend you use the CLIENT_SECRET_VERIFIER configuration and not use the default dummy
value. The client_secret
cannot really be misused because as you will see in the next section the tokens are short lived but it is a good idea to set the client_secret
to something that is really a secret.
For client-side logins we highly recommend you use the PKCE flow which is supported by Jackson. This ensures a secure login without revealing the client_secret
on the client-side.
Tokens
The tokens generated by Jackson are short lived (default is 5 minutes) and hence there is no risk of it being misused even if the client_secret
is known. Your SAML provider ensures that there can be no unauthorized.