OAuth Clients Create Token

From IIW



Tuesday 5F

Convener: Sascha Preibisch, Ping Identity

Notes-taker(s): Sascha Preibisch


Tags for the session - technology discussed/ideas considered:


oauth, jwt, jwks, openid connect, authorization, grant


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


We discussed my idea of oauth clients that mint oauth tokens based on a grant that was received by an authorization server earlier. This divides a grant from the artifact that enables access to a resource. A stolen grant is useless to other clients, tokens are minted just in time which makes them hard to leak or be stolen.


It turns out that there are good use cases for that. It also turns out my idea is very close to the current work of the dpop draft (demonstration of proof-of-possession). One of the authors of that draft, who joined my session, and I will see if we can join the two efforts.


Links:

dpop: https://tools.ietf.org/html/draft-fett-oauth-dpop-01

blog post: https://communities.ca.com/blogs/oauth/2018/11/06/oauth-20-serverless-token-issuance


The screenshot of the whiteboard (5_F.jpg) displays parts of our discussion.


IIW28 TU 5F OAuth Clients Create Token.jpg