Dear all,
We are currently modeling part 1 and part 2 of the OpenID Financial API
in the FKS Web Model and have a few questions regarding the OAuth 2.0
Token Binding.
In section 3.1 of draft-ietf-oauth-token-binding-06, it is not very
clear how an Access Token issued from the Authorization Endpoint is
Token Bound. Is this intended to be the same as an AC issued for a web
server client? It seems that the user-agent sends both the Provided and
Referred Token Bindings to the AS, which means that the AS can bind the
Access Token to the Referred Token Binding, which is the Token Binding
between the user-agent and the client.
However, the Access Token is not used by the user-agent, which means
that the client can only send the Token Binding ID used by the
user-agent (which essentially is the public key) to the Resource Server.
Is this the intended flow of the Token Binding? Because the first
paragraph of 3.1 says that the "Token Binding ID of the client's TLS
channel to the protected resource is sent with the authorization request
as the Referred Token Binding ID", but we assume that the user-agent
reveals the TB-ID of its own channel to the client.
Best regards,
Pedram Hosseyni
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
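To make the two bindings discussed in the mail concrete, here is an added simulation (not from the mail, the draft, or the FKS model) of the access-token side only: the AS records a hash of the Referred Token Binding ID in the token, and the RS accepts the token only if the TB-ID of the channel the request arrived on matches. The `cnf`/`tbh` representation (base64url SHA-256 of the TB-ID) follows the draft's JWT confirmation claim as I understand it, the TB-ID byte strings are constructed stand-ins for serialized public keys, and the TLS-layer proof that the peer holds the matching private key is assumed to have already been done by the TLS stack.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample Token Binding IDs. Real TB-IDs are serialized public
# keys; fixed byte strings stand in for them so the example runs offline.
TBID_UA_TO_CLIENT = b"constructed: user-agent -> client TB public key"
TBID_CLIENT_TO_RS = b"constructed: client -> resource server TB public key"


def tbh(token_binding_id: bytes) -> str:
    """Token Binding hash: base64url(SHA-256(Token Binding ID)), no padding."""
    digest = hashlib.sha256(token_binding_id).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def as_issue_access_token(referred_tbid: bytes) -> dict:
    """Authorization server: bind the access token to the Referred TB-ID that
    arrived with the authorization request, via a cnf/tbh confirmation claim."""
    return {"sub": "alice", "scope": "accounts", "cnf": {"tbh": tbh(referred_tbid)}}


def rs_accept(token: dict, provided_tbid: bytes) -> bool:
    """Resource server: the TB-ID of the TLS channel this request came over
    must hash to the value bound into the token; unbound tokens are refused."""
    bound = token.get("cnf", {}).get("tbh")
    if bound is None:
        return False
    return hmac.compare_digest(bound, tbh(provided_tbid))


def demo() -> dict:
    # Flow as the quoted draft text describes it: the Referred TB-ID is the
    # client's own channel to the RS, so the client can present it there.
    token_ok = as_issue_access_token(TBID_CLIENT_TO_RS)
    # The reading the mail is worried about: the AS binds to the TB-ID of the
    # user-agent's channel; the client cannot prove possession of that key on
    # its own channel to the RS, so the RS must reject.
    token_ua = as_issue_access_token(TBID_UA_TO_CLIENT)
    return {
        "bound_to_client_rs_channel": rs_accept(token_ok, TBID_CLIENT_TO_RS),
        "bound_to_ua_channel": rs_accept(token_ua, TBID_CLIENT_TO_RS),
        "unbound_token": rs_accept({"sub": "alice"}, TBID_CLIENT_TO_RS),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```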