Thanks for your feedback, Mike! I have two questions below:

On 20.11.19 at 04:40, Mike Jones wrote:
> I did a complete read of draft-ietf-oauth-security-topics-13
> <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13>. My
> review comments follow, divided into substantive and editorial sections.
>
> SUBSTANTIVE
>
> 3.1.2. Implicit Grant – The statement “no viable mechanism exists to
> cryptographically bind access tokens issued in the authorization
> response to a certain client” isn’t actually true. Please describe
> how the OpenID Connect ID Token achieves this for the “id_token token”
> and “code id_token token” response types via the “at_hash” claim in
> this paragraph, and appropriately qualify the unconditional statement
> cited.

How does the at_hash in the ID token bind the token to the client? I do see
that the client would not accept a token issued for another client. What is
discussed here, however, is that a malicious resource server could use the
token at another resource server. This is not prevented, or is it?

> 4.8.1.3. Audience Restricted Access Tokens, next to last paragraph –
> When you list MTLS, also please state that the MTLS key can be used as
> a correlation handle, since it is the same for connections to all sites.

Wouldn't it be up to the client to use or not use the same key for multiple
sites? Also, what would be the impact of correlation here?
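To make the two mechanisms under discussion concrete, here is an added example (not code from the thread or from the draft) of what a client actually checks with at_hash, and, separately, what a resource server checks when access tokens are audience restricted. The at_hash computation follows OpenID Connect Core: the hash algorithm is the one implied by the ID token signature alg (RS256 -> SHA-256), the left-most half of the digest is taken, and it is base64url encoded without padding. The claim dictionaries and the resource identifier are constructed sample values; `check_client_binding` and `check_resource_audience` are hypothetical helper names.

```python
import base64
import hashlib
import hmac


def _b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as used for at_hash."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash per OpenID Connect Core 3.3.2.11: left-most half of the
    hash of the ASCII access token, hash chosen by the ID token alg."""
    digest_name = {"256": "sha256", "384": "sha384", "512": "sha512"}[alg[-3:]]
    digest = hashlib.new(digest_name, access_token.encode("ascii")).digest()
    return _b64url_nopad(digest[: len(digest) // 2])


def verify_at_hash(id_token_claims: dict, access_token: str, alg: str = "RS256") -> bool:
    """True only if the ID token carries an at_hash matching this access token."""
    expected = id_token_claims.get("at_hash")
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected, compute_at_hash(access_token, alg))


def check_client_binding(id_token_claims: dict, access_token: str,
                         client_id: str, alg: str = "RS256") -> bool:
    """What the *client* can verify: the ID token was issued to me (aud)
    and it vouches for this particular access token (at_hash). Signature
    verification of the ID token is assumed to have happened already.
    Note this says nothing about which resource server may accept the
    access token; that is the separate audience restriction below."""
    aud = id_token_claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return client_id in aud and verify_at_hash(id_token_claims, access_token, alg)


def check_resource_audience(access_token_claims: dict, my_resource: str) -> bool:
    """What a *resource server* checks for an audience-restricted access
    token (draft section 4.8.1.3): the token names this resource. A token
    minted for another resource server is rejected here even if the
    client that obtained it is legitimate."""
    aud = access_token_claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return my_resource in aud


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    token = "sample.access.token.value"
    id_claims = {"aud": "client-123", "at_hash": compute_at_hash(token)}
    print("client binding ok:", check_client_binding(id_claims, token, "client-123"))
    print("client binding with swapped token:",
          check_client_binding(id_claims, "some.other.token", "client-123"))
    at_claims = {"aud": ["https://rs-a.example"]}
    print("rs-a accepts:", check_resource_audience(at_claims, "https://rs-a.example"))
    print("rs-b accepts:", check_resource_audience(at_claims, "https://rs-b.example"))
```

The split mirrors the question in the reply: at_hash lets the client detect an access token that was not issued together with its ID token, while only an audience restriction in the access token itself lets a second resource server refuse a token that was meant for a different one.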
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth