5A/ Token Binding – Proof-of-Possession for cookies, ID Tokens, JWTs & OAuth Tokens
Tuesday 5A
Convener: Brian Campbell
Notes-taker(s): Brian Campbell
Tags for the session - technology discussed/ideas considered: Token Binding, TLS, Proof-of-Possession, HoK, OpenID Connect, OAuth, cookies, HTTPS, etc.
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
The session was an introduction to Token Binding, a set of soon-to-be RFCs that let a client (typically a browser) generate a long-lived asymmetric key pair and prove possession of it on every TLS connection it makes to a server, so that one binding spans many TLS connections. Cookies and other security tokens (ID Tokens, access tokens, refresh tokens) can then be cryptographically bound to that client key via the TLS layer: the token carries an identifier of the client's public key, and the client must present a signature with the matching private key over keying material exported from the current TLS connection. A token exfiltrated from the client is therefore useless to an attacker, who cannot produce that signature on a connection of their own, which defeats token export and replay attacks.
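The mechanism above, as an added example written for these notes rather than code from the session or from the drafts' authors. It models the Sec-Token-Binding exchange from the client's side and the server's side, then binds a token to the client key via the cnf.tbh confirmation value that the OpenID Connect and OAuth token binding drafts use, and shows both replay cases failing. Assumptions: the TLS exporter output (EKM) is replaced by random bytes per connection because there is no real TLS session here; TokenBinding and BoundToken are in-memory stand-ins for the draft's wire encoding and for a signed JWT; ASN.1 ECDSA signatures are used instead of the draft's raw r||s encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
)

// draft-ietf-tokbind-protocol values: key_parameters ecdsap256, TokenBindingType provided.
const (
	keyParamECDSAP256 byte = 2
	tbTypeProvided    byte = 0
)

// TokenBinding is one Sec-Token-Binding entry, kept as a struct instead of the draft's
// binary encoding (an assumption here). ID is the TokenBindingID: key_parameters || X || Y.
type TokenBinding struct{ Type byte; ID, Signature []byte }

// BoundToken stands in for a token-bound cookie or JWT; TBH is its cnf.tbh claim value.
type BoundToken struct{ Subject, TBH string }

// newClientKey is the client's long-lived Token Binding key pair.
func newClientKey() *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return priv
}

// newEKM stands in for the TLS exporter ("EXPORTER-Token-Binding"): 32 bytes both ends
// derive from the handshake, fresh per connection. Random here: no real TLS (constructed).
func newEKM() []byte {
	ekm := make([]byte, 32)
	if _, err := rand.Read(ekm); err != nil { panic(err) }
	return ekm
}

// signedData is what the client signs: Type || key_parameters || EKM.
func signedData(tbType, keyParams byte, ekm []byte) []byte {
	return append([]byte{tbType, keyParams}, ekm...)
}

// clientTokenBinding proves possession of priv on the connection whose exporter yielded
// ekm. ASN.1 ECDSA signatures are used for brevity; the draft specifies raw r||s.
func clientTokenBinding(priv *ecdsa.PrivateKey, ekm []byte) (TokenBinding, error) {
	id := append([]byte{keyParamECDSAP256}, priv.X.FillBytes(make([]byte, 32))...)
	id = append(id, priv.Y.FillBytes(make([]byte, 32))...)
	digest := sha256.Sum256(signedData(tbTypeProvided, keyParamECDSAP256, ekm))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil { return TokenBinding{}, err }
	return TokenBinding{Type: tbTypeProvided, ID: id, Signature: sig}, nil
}

// verifyTokenBinding is the server side: rebuild the signed data from this connection's
// own exporter value (a header captured on another connection fails here) and check the
// signature with the public key carried in the ID, after validating that key is on P-256.
func verifyTokenBinding(tb TokenBinding, ekm []byte) error {
	if tb.Type != tbTypeProvided || len(tb.ID) != 65 || tb.ID[0] != keyParamECDSAP256 {
		return errors.New("unsupported or malformed token binding")
	}
	x, y := new(big.Int).SetBytes(tb.ID[1:33]), new(big.Int).SetBytes(tb.ID[33:65])
	if !elliptic.P256().IsOnCurve(x, y) { return errors.New("public key is not on P-256") }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
	digest := sha256.Sum256(signedData(tb.Type, tb.ID[0], ekm))
	if !ecdsa.VerifyASN1(pub, digest[:], tb.Signature) {
		return errors.New("signature does not match this TLS connection")
	}
	return nil
}

// tbh is the Token Binding Hash, base64url(SHA-256(TokenBindingID)): the cnf.tbh
// confirmation value of the OpenID Connect / OAuth token binding drafts.
func tbh(id []byte) string {
	h := sha256.Sum256(id)
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// acceptBoundToken is the recipient's check: a Token Binding valid on the current
// connection whose ID hashes to the token's cnf.tbh. Anything else is a replay.
func acceptBoundToken(tok BoundToken, tb TokenBinding, ekm []byte) error {
	if err := verifyTokenBinding(tb, ekm); err != nil { return err }
	if tbh(tb.ID) != tok.TBH {
		return errors.New("token is bound to a different key: replay rejected")
	}
	return nil
}

func main() {
	alice, ekm1 := newClientKey(), newEKM()
	tb1, _ := clientTokenBinding(alice, ekm1)
	if err := verifyTokenBinding(tb1, ekm1); err != nil { panic(err) }
	tok := BoundToken{Subject: "alice", TBH: tbh(tb1.ID)} // issued on connection 1
	ekm2, ekm3 := newEKM(), newEKM()                      // two later connections
	tb2, _ := clientTokenBinding(alice, ekm2)             // same client, new connection
	tb3, _ := clientTokenBinding(newClientKey(), ekm3)    // attacker holding a stolen token
	fmt.Println("same key, new connection:", acceptBoundToken(tok, tb2, ekm2))
	fmt.Println("stolen token, attacker's key:", acceptBoundToken(tok, tb3, ekm3))
	fmt.Println("captured header replayed elsewhere:", acceptBoundToken(tok, tb2, ekm3))
}
```

The two rejected cases are the ones the session was about: a stolen token presented from the attacker's own key fails the cnf.tbh comparison, and a captured Sec-Token-Binding header replayed on a different connection fails signature verification because the exporter value differs. Note that all of this depends on the TLS stack on both sides negotiating the Token Binding extension and exposing the exporter to the application; an application-layer check alone cannot substitute for it.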
Some additional resources (draft specs at the time of the session; the three tokbind drafts below were later published as RFC 8471, RFC 8472 and RFC 8473):
Token Binding:
https://tools.ietf.org/html/draft-ietf-tokbind-https
https://tools.ietf.org/html/draft-ietf-tokbind-protocol
https://tools.ietf.org/html/draft-ietf-tokbind-negotiation
Token Binding Application in OpenID Connect:
http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html
Token Binding Application in OAuth: