Question: Prevent a token generated on System A to be used on System B
IAmWebSA opened this issue · 1 comment
IAmWebSA commented
Hello,
I wanted to know, or even better see an example of, how to prevent a token generated on System A from being used on System B if they use the same secret key.
What would be the best secure solution?
- Reject the token if it comes from another "issuer" system
- Create a dynamic secret for each system, so that the token would fail to be decoded.
My feeling is that solution 2 would be the more robust and secure one.
Do you agree or any other thoughts?
Many Thanks in advance
tuupola commented
I would use a different secret for each system, i.e. solution 2.
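The two options side by side, as an added example that is not part of the original issue and not the project's own code. It uses a minimal HS256 JWT encode/verify written against the Python standard library instead of any library API; the secrets, claims, system names and timestamps are constructed for the demonstration. Solution 1 keeps one shared secret and relies on the `iss`/`aud` claims (RFC 7519) to keep System A's token off System B; solution 2 gives each system its own secret, so A's token never passes B's signature check at all.

```python
# Added example, not from the original issue or the project's code.
# Minimal HS256 JWT encode/verify with the standard library, used to show why a
# per-system secret (solution 2) is a stronger boundary than an issuer/audience
# check (solution 1). All secrets, claims and timestamps are constructed.
import base64
import hashlib
import hmac
import json
from typing import Optional

NOW = 1_700_000_000   # constructed "current time" so the example is deterministic
EXP = NOW + 3600      # constructed expiry one hour later


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWT signed with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes, iss: Optional[str] = None,
                 aud: Optional[str] = None, now: int = NOW) -> dict:
    """Verify the signature and the exp/iss/aud claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    # Pin the algorithm: the token must never choose how it is verified.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if now >= claims.get("exp", float("inf")):
        raise ValueError("expired")
    if iss is not None and claims.get("iss") != iss:
        raise ValueError("wrong issuer")
    if aud is not None:
        token_aud = claims.get("aud", [])
        token_aud = [token_aud] if isinstance(token_aud, str) else token_aud
        if aud not in token_aud:
            raise ValueError("wrong audience")
    return claims


def _rejects(fn) -> bool:
    """True if the verification callable raises ValueError."""
    try:
        fn()
        return False
    except ValueError:
        return True


def demo_shared_secret_with_aud_check() -> dict:
    """Solution 1: one shared secret; System B relies on iss/aud claims to refuse A's token."""
    shared = b"constructed-shared-secret"
    token_for_a = encode_hs256({"sub": "alice", "iss": "system-a", "aud": "system-a", "exp": EXP}, shared)
    return {
        "a_accepts": verify_hs256(token_for_a, shared, iss="system-a", aud="system-a")["sub"] == "alice",
        "b_rejects": _rejects(lambda: verify_hs256(token_for_a, shared, iss="system-b", aud="system-b")),
        # The weak spot: if B forgets the claim check, the shared-key signature lets A's token through.
        "b_accepts_if_check_omitted": verify_hs256(token_for_a, shared)["sub"] == "alice",
    }


def demo_per_system_secret() -> dict:
    """Solution 2: each system has its own secret; A's token cannot pass B's signature check."""
    secret_a, secret_b = b"constructed-secret-for-A", b"constructed-secret-for-B"
    token_for_a = encode_hs256({"sub": "alice", "iss": "system-a", "aud": "system-a", "exp": EXP}, secret_a)
    return {
        "a_accepts": verify_hs256(token_for_a, secret_a, iss="system-a", aud="system-a")["sub"] == "alice",
        "b_rejects": _rejects(lambda: verify_hs256(token_for_a, secret_b, iss="system-b", aud="system-b")),
        # No claim check is needed for the rejection: the MAC simply does not verify under B's key.
        "b_rejects_even_without_claim_check": _rejects(lambda: verify_hs256(token_for_a, secret_b)),
    }


if __name__ == "__main__":
    print(demo_shared_secret_with_aud_check())
    print(demo_per_system_secret())
```

With a shared secret the boundary is a claim check that every consumer has to implement and keep correct; with a per-system secret the boundary is key distribution, and a token from A fails on B before any claim is read. The two are not exclusive: issuing distinct keys and still setting and checking `aud` costs nothing extra and catches the case where a key is accidentally reused.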