18.10.3.3.1. Token repository

The token repository lets you configure the persistence implementation used to retrieve and store the tokens. Currently, two implementations are available:

Limitations

  • The Airlock Gateway (WAF) "CSRF Tokens" feature does not support CSP nonces before Airlock WAF version 7.3. We recommend updating to Airlock WAF 7.3 or higher and enabling both the CSP features on IAM and the "CSRF Tokens" feature on the Gateway (WAF) mapping for IAM. If an update to Airlock WAF 7.3 is currently not possible, we recommend temporarily disabling the Gateway (WAF) "CSRF Tokens" feature and re-enabling it after the Airlock Gateway (WAF) update.
  • CSPs are enforced by the browser, and browser support for CSP varies widely. In particular, some browsers do not support the most recent CSP version or have no CSP support at all (see [4]). In these cases, a CSP may have no effect at all. The CSP Evaluator [5] can be used to show what guarantees are provided by browsers supporting a given CSP version.

Credential-based generic token repository configuration

For backward compatibility with existing credentials stored in the credential model on the user, the "Credential Based Generic Token Repository Config" is provided. It offers a restricted set of attributes as described above.

The configuration lets you specify whether current and next credentials are supported and whether the next credential should become the new current credential if the old current credential has been deleted.