PIN policy

IBM Security Access Manager for Mobile extends OAuth 2.0 capabilities with a PIN policy.

The PIN policy provides the capability of protecting a refresh token with a PIN provided by the API protection client. An administrator can configure the API protection definition to enable the PIN policy for the grant types that issue a refresh token. The two grant types that issue a refresh token are the authorization code grant and the resource owner password credentials grant.

When enabled, the client is required to send a PIN as a parameter in the first access token request. The parameter name is pin. The parameter value consists of digits of the length that is configured in the API protection definition. The client must submit the same PIN on subsequent requests when exchanging a refresh token for a new access token.

The PIN policy can be configured to use various hash algorithms to hash and store the PIN. Use the runtime.hashAlgorithm configuration parameter to specify the hash algorithm. For more information about configuring the hash algorithm, see Runtime properties in Advanced configuration properties.
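The following is an added example that models the behaviour described above; it is not IBM's code and does not reproduce the product's internals. It assumes a fixed PIN length of 4 digits (the value an administrator would set in the API protection definition), uses a SHA-256 stand-in for the runtime.hashAlgorithm setting, and treats the user or authorization-code credentials as already verified so that only the PIN handling is shown. The token endpoint requires the pin parameter on the first access token request for the two grant types that issue a refresh token, stores only a salted hash of the PIN next to the refresh token, and refuses a refresh-token exchange unless the same PIN is presented again.

```python
import hashlib
import hmac
import os
import secrets

# Assumed configuration values (stand-ins for the API protection definition
# and the runtime.hashAlgorithm property; not the product's real defaults).
PIN_LENGTH = 4
HASH_ALGORITHM = "sha256"

# Grant types that issue a refresh token and therefore require a PIN.
PIN_PROTECTED_GRANTS = {"authorization_code", "password"}

# In-memory refresh-token store: refresh_token -> record.
# Only the salted PIN hash is kept; the PIN itself is never stored.
_refresh_tokens = {}


def _hash_pin(pin, salt, algorithm=HASH_ALGORITHM):
    """Hash the PIN with a per-token salt using the configured algorithm."""
    return hashlib.new(algorithm, salt + pin.encode("ascii")).hexdigest()


def _valid_pin_format(pin, length=PIN_LENGTH):
    """The PIN must be exactly `length` digits."""
    return isinstance(pin, str) and len(pin) == length and pin.isdigit()


def _error(code, description):
    return {"error": code, "error_description": description}


def _issue_tokens(client_id, params):
    """First access token request: bind a new refresh token to the PIN hash."""
    pin = params.get("pin")
    if not _valid_pin_format(pin):
        return _error("invalid_request", "pin must be %d digits" % PIN_LENGTH)
    salt = os.urandom(16)
    access_token = secrets.token_urlsafe(32)
    refresh_token = secrets.token_urlsafe(32)
    _refresh_tokens[refresh_token] = {
        "client_id": client_id,
        "salt": salt,
        "pin_hash": _hash_pin(pin, salt),
    }
    return {
        "access_token": access_token,
        "refresh_token": refresh_token,
        "token_type": "bearer",
    }


def _refresh(client_id, params):
    """Refresh-token exchange: the same PIN must be presented again."""
    refresh_token = params.get("refresh_token")
    pin = params.get("pin")
    record = _refresh_tokens.get(refresh_token)
    # Unknown token, or a token issued to a different client: generic error,
    # so the response does not reveal which check failed.
    if record is None or record["client_id"] != client_id:
        return _error("invalid_grant", "refresh token is not valid for this client")
    if not _valid_pin_format(pin):
        return _error("invalid_request", "pin must be %d digits" % PIN_LENGTH)
    presented = _hash_pin(pin, record["salt"])
    # Constant-time comparison of the stored and presented hashes.
    if not hmac.compare_digest(record["pin_hash"], presented):
        return _error("invalid_grant", "refresh token is not valid for this client")
    return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def token_endpoint(client_id, params):
    """Minimal OAuth 2.0 token endpoint with the PIN policy applied.

    `client_id` is the authenticated API protection client; `params` is the
    form body of the request. Credentials for the password and authorization
    code grants are assumed to have been verified before this point.
    """
    grant_type = params.get("grant_type")
    if grant_type in PIN_PROTECTED_GRANTS:
        return _issue_tokens(client_id, params)
    if grant_type == "refresh_token":
        return _refresh(client_id, params)
    return _error("unsupported_grant_type", "grant type not handled in this example")


if __name__ == "__main__":
    first = token_endpoint("mobile-app", {"grant_type": "password", "username": "alice",
                                          "password": "secret", "pin": "1234"})
    print("first request:", sorted(first))
    again = token_endpoint("mobile-app", {"grant_type": "refresh_token",
                                          "refresh_token": first["refresh_token"], "pin": "1234"})
    print("refresh with correct pin:", sorted(again))
    wrong = token_endpoint("mobile-app", {"grant_type": "refresh_token",
                                          "refresh_token": first["refresh_token"], "pin": "9999"})
    print("refresh with wrong pin:", wrong["error"])
```

The refresh path returns the same invalid_grant error for a wrong PIN as for an unknown refresh token, so a caller who holds a stolen refresh token learns nothing about whether the token itself was recognized. A real deployment would additionally rate-limit or lock out repeated PIN failures per refresh token, since a short all-digit PIN has a small keyspace.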