OAuth Clients Create Token
Tuesday 5F
Convener: Sascha Preibisch, Ping Identity
Notes-taker(s): Sascha Preibisch
Tags for the session - technology discussed/ideas considered:
oauth, jwt, jwks, openid connect, authorization, grant
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
We discussed my idea of oauth clients that mint oauth tokens based on a grant that was received from an authorization server earlier. This divides a grant from the artifact that enables access to a resource. A stolen grant is useless to other clients; tokens are minted just in time, which makes them hard to leak or steal.
It turns out that there are good use cases for that. It also turns out my idea is very close to the current work of the dpop draft (demonstration of proof-of-possession). One of the authors of that draft, who joined my session, and I will see if we can join the two efforts.
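The scheme sketched in these notes, as an added example that is not code from the session, the dpop draft or any product: the authorization server issues a grant bound to the client's public key, the client mints a short-lived token from that grant just in time, and the resource server checks the AS signature on the grant, then the client signature on the token using the key named in the grant. Claim names, the JSON envelope format, ed25519 and all function names are assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)
// Claim names and the JSON envelope format are this example's own, not DPoP's wire format.
type Signed struct{ Payload, Sig []byte } // payload bytes plus an ed25519 signature over them
type Grant struct { // issued by the authorization server (AS), bound to one client key
	Sub       string `json:"sub"`
	ClientKey []byte `json:"client_key"` // ed25519 public key the grant is bound to
	Exp       int64  `json:"exp"`
}
type Token struct { // minted by the client just in time for one request
	Grant []byte `json:"grant"` // the AS-signed grant, embedded verbatim
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"` // short lifetime
}
func sign(v any, priv ed25519.PrivateKey) []byte { // JSON-encode v and sign the bytes
	p, _ := json.Marshal(v)
	out, _ := json.Marshal(Signed{p, ed25519.Sign(priv, p)})
	return out
}
func open(env []byte, pub ed25519.PublicKey, v any) error { // signature checked only when pub != nil
	var e Signed
	if json.Unmarshal(env, &e) != nil || (pub != nil && (len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, e.Payload, e.Sig))) {
		return errors.New("bad envelope or signature")
	}
	return json.Unmarshal(e.Payload, v)
}
// IssueGrant (AS): the grant names the client's key, so a stolen grant is useless to other clients.
func IssueGrant(asPriv ed25519.PrivateKey, sub string, pub ed25519.PublicKey, exp int64) []byte {
	return sign(Grant{Sub: sub, ClientKey: pub, Exp: exp}, asPriv)
}
// MintToken (client): a short-lived token carrying the grant, signed with the client's own key.
func MintToken(clientPriv ed25519.PrivateKey, grant []byte, aud string, exp int64) []byte {
	return sign(Token{Grant: grant, Aud: aud, Exp: exp}, clientPriv)
}
// VerifyToken (resource server) returns the subject, or an error, for a presented token.
func VerifyToken(tok []byte, asPub ed25519.PublicKey, aud string, now int64) (string, error) {
	t, g := Token{}, Grant{}
	// First open is unverified (signer unknown until the grant is read); then the AS signature on the grant; then the token against the grant's key.
	if open(tok, nil, &t) != nil || open(t.Grant, asPub, &g) != nil || open(tok, ed25519.PublicKey(g.ClientKey), &t) != nil {
		return "", errors.New("bad signature on grant or token")
	}
	if t.Aud != aud || now >= t.Exp || now >= g.Exp {
		return "", errors.New("wrong audience or expired")
	}
	return g.Sub, nil
}
```

A grant lifted from one client and minted into a token by another fails the third check, because the signing key does not match the key the AS bound into the grant.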
Links:
dpop: https://tools.ietf.org/html/draft-fett-oauth-dpop-01
blog post: https://communities.ca.com/blogs/oauth/2018/11/06/oauth-20-serverless-token-issuance
The screenshot of the whiteboard (5_F.jpg) displays parts of our discussion.