> On 17.11.2019 at 04:06, David Waite <da...@alkaline-solutions.com> wrote:
>
> You’ll be audience-scoping either way, so it may make sense to use a
> symmetric algorithm for both. It starts to look like kerberos in HTTP and
> JSON when you squint.
Even if audience restriction is a recommended practice, I'm not fully sure this is a broadly established practice. As you pointed out, symmetrical keys require RS-specific access tokens, i.e. the client needs to tell the AS what RS it is going to use the token at. Using resource indicators or rar? This reminds me of the simplicity of the approach based on asymmetric crypto regarding the programming model and key management.
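As an added illustration (not part of this thread or any project's code), a minimal Python sketch of the symmetric-key case discussed above: with a per-RS HMAC key the AS can only mint a token for one resource server, so it must refuse a request that carries no resource indicator, and each RS verifies with its own key and still checks `aud`. The AS/RS URLs and keys are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example: one symmetric key per resource server, shared only
# between the AS and that RS (hypothetical URLs, random keys).
RS_KEYS = {
    "https://photos.example.com": secrets.token_bytes(32),
    "https://calendar.example.com": secrets.token_bytes(32),
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id: str, resource: Optional[str], keys=RS_KEYS) -> str:
    """AS side: an HS256 token is only verifiable by the RS holding the key it was
    signed with, so the client must name the target RS (e.g. an RFC 8707
    'resource' parameter) before any token can be minted."""
    if resource is None or resource not in keys:
        raise ValueError("invalid_target: symmetric keys need a resource indicator")
    header = {"alg": "HS256", "typ": "at+jwt"}
    claims = {"iss": "https://as.example.com", "sub": client_id,
              "aud": resource, "exp": int(time.time()) + 300}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(keys[resource], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def verify_token(token: str, my_resource: str, keys=RS_KEYS) -> Optional[dict]:
    """RS side: verify with this RS's own key, then still enforce aud == self."""
    try:
        h, c, s = token.split(".")
        header, claims, sig = json.loads(_unb64(h)), json.loads(_unb64(c)), _unb64(s)
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    expected = hmac.new(keys[my_resource], f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("aud") != my_resource or claims.get("exp", 0) < time.time():
        return None
    return claims
```

With an asymmetric signature the same `aud` check remains, but every RS could verify with one public key and the AS would not need a per-RS secret.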
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth