I might suggest that neither of those are really best current practice per se. Using key constrained tokens is more of an aspirational recommendation for what would be good security practice than it is something that's done much for real in practice today.
On Sat, Nov 17, 2018, 4:07 AM Torsten Lodderstedt <tors...@lodderstedt.net> wrote:

> > On 15.11.2018 at 23:01, Brock Allen <brockal...@gmail.com> wrote:
> >
> > So you mean at the resource server ensuring the token was really issued to the client? Isn't that an inherent limitation of all bearer tokens (modulo HTTP token binding, which is still some time off)?
>
> Sure. That’s why the Security BCP recommends use of TLS-based methods for sender constraining access tokens (https://tools.ietf.org/html/draft-ietf-oauth-security-topics-09#section-2...2). Token Binding for OAuth (https://tools.ietf.org/html/draft-ietf-oauth-token-binding-08) as well as Mutual TLS for OAuth (https://tools.ietf.org/html/draft-ietf-oauth-mtls-12) are the options available.
>
> --
> _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
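The check Brock asks about and Torsten's reply points at (the resource server making sure the token was issued to the client presenting it) is what the Mutual TLS for OAuth draft's certificate-bound tokens do: the authorization server puts the SHA-256 thumbprint of the client certificate into the token's `cnf` claim as `x5t#S256`, and the resource server compares that against the certificate on its own TLS connection. The following is an added example written for this page, not code from the thread or from any of the drafts it cites. It assumes the resource server has already validated the JWT signature and expiry (the example writes an unsigned `alg: none` header purely as a stand-in), and the "certificates" are constructed byte strings standing in for DER-encoded client certificates, since only their bytes matter to the thumbprint. The function names (`issue_bound_token`, `verify_sender`, etc.) are mine.

```python
"""Certificate-bound (mTLS sender-constrained) access tokens:
authorization-server issuance and resource-server verification.

Added example; not code from the mailing-list thread. Signature and
expiry validation of the JWT are assumed to have happened already.
"""

import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments and x5t#S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_s256(cert_der: bytes) -> str:
    """SHA-256 thumbprint of the DER-encoded certificate, base64url encoded.
    This is the 'x5t#S256' confirmation method of the OAuth mTLS draft."""
    return b64url_encode(hashlib.sha256(cert_der).digest())


def _encode_unsigned(payload: dict) -> str:
    # Stand-in: a real authorization server signs this (e.g. RS256/ES256).
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()), ""])


def issue_bearer_token(claims: dict) -> str:
    """Plain bearer token: nothing ties it to the client that obtained it."""
    return _encode_unsigned(dict(claims))


def issue_bound_token(claims: dict, client_cert_der: bytes) -> str:
    """Authorization-server side: bind the token to the certificate the
    client presented on the mutually authenticated TLS connection to the
    token endpoint by embedding its thumbprint in the 'cnf' claim."""
    payload = dict(claims)
    payload["cnf"] = {"x5t#S256": x5t_s256(client_cert_der)}
    return _encode_unsigned(payload)


def verify_sender(token: str, presented_cert_der: Optional[bytes],
                  require_binding: bool = True) -> Tuple[bool, str]:
    """Resource-server side: accept the token only if the certificate on
    this TLS connection matches the one the token was bound to.
    Returns (accepted, reason). Signature/expiry checks are assumed done."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    payload = json.loads(b64url_decode(parts[1]))
    expected = (payload.get("cnf") or {}).get("x5t#S256")
    if expected is None:
        # No confirmation claim: this is a bearer token. Whether the RS
        # accepts it is policy; a sender-constraining RS should refuse.
        return (not require_binding), "no cnf claim: bearer token"
    if presented_cert_der is None:
        return False, "token is certificate-bound but no client certificate was presented"
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison of the two thumbprint strings.
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        return False, "presented client certificate does not match cnf.x5t#S256"
    return True, "certificate-bound token matches presented client certificate"


def demo() -> dict:
    """Legitimate use versus replay of a stolen token by another sender.
    The certificate bytes are constructed stand-ins, not real DER."""
    legit_cert = b"constructed DER stand-in: legitimate client certificate"
    thief_cert = b"constructed DER stand-in: attacker's own client certificate"
    claims = {"iss": "https://as.example", "sub": "client-123", "scope": "read"}
    bound = issue_bound_token(claims, legit_cert)
    bearer = issue_bearer_token(claims)
    return {
        "bound_legit_sender": verify_sender(bound, legit_cert)[0],
        "bound_stolen_other_cert": verify_sender(bound, thief_cert)[0],
        "bound_stolen_no_cert": verify_sender(bound, None)[0],
        "bearer_strict_rs": verify_sender(bearer, None)[0],
        "bearer_lenient_rs": verify_sender(bearer, None, require_binding=False)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The point the thread is making shows up in the last two cases: a bearer token carries no `cnf` claim, so the resource server has nothing to check and can only fall back on policy, whereas a stolen certificate-bound token is useless to anyone who cannot also complete the TLS handshake with the original client's private key.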