5A/ Token Binding – Proof-of-Possession for cookies, ID Tokens, JWTs & OAuth Tokens

From IIW


Tuesday 5A

Convener: Brian Campbell

Notes-taker(s): Brian Campbell

Tags for the session - technology discussed/ideas considered: Token Binding, TLS, Proof-of-Possession, HoK, OpenID Connect, OAuth, cookies, HTTPS, etc.


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


The session was an introduction to Token Binding, a soon-to-be-published set of RFCs that enable long-lived bindings to client/browser-generated asymmetric keys, bindings that span multiple TLS connections. Cookies and other security tokens can be cryptographically bound to such a client key via the TLS layer, so a token exported from one client cannot be replayed from another: the presenting client must prove possession of the bound key on every connection.
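The application-layer half of that binding, as an added illustration (not code from the session or from the IETF/OpenID drafts): the authorization server records a hash of the client's Token Binding ID in the token's `cnf` claim (the `tbh` member described in the OAuth token binding draft), and the resource server refuses any token whose `tbh` does not match the Token Binding ID the TLS layer actually saw on the current connection. The example assumes the TLS/HTTP layer has already validated the client's Token Binding message (the proof-of-possession signature) and simply hands the application the raw Provided Token Binding ID bytes; the byte strings standing in for Token Binding IDs below are constructed, and the token is a minimal HS256-signed JWT built with the standard library only.

```python
"""Token-binding check on a resource server (added illustration).

Assumed inputs: `provided_token_binding_id` is the raw Token Binding ID bytes
that the TLS/HTTP stack exposes after it has verified the client's
proof-of-possession signature. Everything else here is constructed.
"""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def token_binding_hash(token_binding_id: bytes) -> str:
    """tbh = base64url(SHA-256(Token Binding ID)), per the OAuth token binding draft."""
    return b64url(hashlib.sha256(token_binding_id).digest())


def issue_token(key: bytes, claims: dict, token_binding_id: bytes) -> str:
    """Authorization-server side: bind the token to the requesting client's key."""
    bound = dict(claims)
    bound["cnf"] = {"tbh": token_binding_hash(token_binding_id)}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(bound).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_bound_token(key: bytes, token: str, provided_token_binding_id: bytes) -> dict:
    """Resource-server side: check the signature, then require that the token's
    tbh matches the Token Binding ID of the connection it arrived on."""
    header, payload, sig = token.split(".")
    signing_input = f"{header}.{payload}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    tbh = claims.get("cnf", {}).get("tbh")
    if tbh is None:
        # A plain bearer token; a token-binding-aware deployment would reject it.
        raise ValueError("token is not bound to a client key")
    if not hmac.compare_digest(tbh, token_binding_hash(provided_token_binding_id)):
        raise ValueError("token binding mismatch: presented over a connection "
                         "with a different client key")
    return claims


def demo() -> tuple:
    """Returns (legitimate_accepted, replay_rejected)."""
    key = b"server-signing-key-for-demo-only"  # constructed
    client_a_id = b"\x02" + b"\x01" * 65       # constructed Token Binding ID (client A)
    client_b_id = b"\x02" + b"\x02" * 65       # constructed Token Binding ID (client B)
    token = issue_token(key, {"sub": "alice", "scope": "read"}, client_a_id)
    accepted = verify_bound_token(key, token, client_a_id)["sub"] == "alice"
    try:
        # Same token exfiltrated and replayed from client B's TLS connection.
        verify_bound_token(key, token, client_b_id)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return accepted, replay_rejected


if __name__ == "__main__":
    print(demo())
```

The mismatch branch is the whole point of the mechanism: because the TLS layer only reports a Token Binding ID after the client has signed over that connection's exported keying material with the matching private key, a stolen cookie or access token is useless to anyone who does not also hold the key.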


Some additional resources (draft specs at this time):


Token Binding:

https://tools.ietf.org/html/draft-ietf-tokbind-https

https://tools.ietf.org/html/draft-ietf-tokbind-protocol

https://tools.ietf.org/html/draft-ietf-tokbind-negotiation


Token Binding Application in OpenID Connect:

http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html


Token Binding Application in OAuth:

https://tools.ietf.org/html/draft-ietf-oauth-token-binding