
Risks associated with a compromised external Security token server

Çağlar Arlı


Consider the following architecture: an on-premise Web API 2 [written in C#, hosted in IIS] which uses OAuth 2 authentication [Implicit Flow] to secure itself. This API acts as the data source for external apps [currently an Angular 9 app]. The token service itself is an installation of Identity Server, which is responsible for issuing access tokens to the external apps. Now the question:

What would be the maximum risk associated with a compromised STS server [the server which issues tokens], apart from the API app not being able to authenticate clients? I have been tasked with listing all potential risks associated with an external STS [Security Token Service] in case of a security breach and can't categorically list them according to their severity.
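To make the trust boundary in the question concrete, here is an added example (not from the post, and not Identity Server's code): a minimal STS/API pair in which the API accepts any token carrying a valid STS signature, so a compromised STS can mint tokens for any subject and scope, and only the API's own audience, scope and lifetime checks bound what such a token can do. The signing key, issuer URL, audience and scope names are constructed placeholders, and HMAC stands in for the RSA key Identity Server would actually sign with.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the STS signing key. Identity Server signs with an
# RSA key (RS256); HMAC-SHA256 keeps this on the standard library, and the
# trust relationship is identical: whoever holds the key decides what the API believes.
STS_SIGNING_KEY = b"constructed-demo-key"
STS_ISSUER = "https://sts.example.invalid"        # placeholder issuer
API_AUDIENCE = "onprem-api"                       # placeholder audience
ALLOWED_SCOPES = {"orders.read", "orders.write"}  # scopes the API honours

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sts_issue(claims, key=STS_SIGNING_KEY):
    """STS side: serialise the claims and sign them."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def api_validate(token, now=None):
    """API side: returns the claims if every local check passes, else None."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(STS_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None                               # not signed by the STS key
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None                                   # malformed token
    if claims.get("iss") != STS_ISSUER or claims.get("aud") != API_AUDIENCE:
        return None                                   # wrong issuer, or minted for another API
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None                                   # missing or expired lifetime
    if not set(claims.get("scope", "").split()) <= ALLOWED_SCOPES:
        return None                                   # scope this API never grants
    return claims

def blast_radius(now=1_000_000):
    """Anything signed with the STS key is accepted for whatever subject and scope
    it asserts; only the audience, scope and lifetime checks bound it API-side."""
    base = {"iss": STS_ISSUER, "aud": API_AUDIENCE, "exp": now + 300}
    honest = sts_issue({**base, "sub": "alice", "scope": "orders.read"})
    minted = sts_issue({**base, "sub": "any-user", "scope": "orders.write"})
    other_api = sts_issue({**base, "aud": "hr-api", "sub": "any-user"})
    return (api_validate(honest, now)["sub"], api_validate(minted, now)["sub"],
            api_validate(other_api, now))
```

`blast_radius()` returns `("alice", "any-user", None)`: the API cannot tell the minted token from the honest one, but a token minted for a different audience is still rejected, which is why per-API audiences, narrow scope allow-lists and short lifetimes are the controls that limit the damage from a compromised STS.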