Yes, FAL3 would be about binding the idToken, not the access token, so different from what Mike proposed for implicit.
On Fri, Jul 16, 2021, 2:18 PM Justin Richer <jric...@mit.edu> wrote:

> Binding the access token is not required for FAL3. FAL has nothing to say
> about access tokens:
>
> https://pages.nist.gov/800-63-FAQ/#q-c8
>
> FAL3 is about presenting proof of a key representing the user alongside an
> assertion representing the user. In OIDC this would mean something like the
> ID token having a key identifier inside of it and the RP prompting the user
> for the key. This has nothing to do with access tokens, or even calling an
> identity API like a UserInfo Endpoint. DPoP doesn’t help with any of that
> since DPoP is about access tokens.
>
> — Justin
>
> On Jul 16, 2021, at 1:18 PM, John Bradley <ve7...@ve7jtb.com> wrote:
>
> Binding the token would be required for OAuth or Connect to meet the
> SP800-63 FAL3 requirements.
>
> Something like DPoP might work. I don't think DPoP itself should directly
> add support.
>
> I don't know if people really care about FAL3; unfortunately the simple
> solution of using token-binding seems quite dead in browsers.
>
> John B.
>
> On Fri, Jul 16, 2021, 12:29 PM Justin Richer <jric...@mit.edu> wrote:
>
>> I personally hope we don’t. JAR already gives us signed requests at the
>> authorization endpoint, though the last piece would be binding the token.
>>
>> — Justin
>>
>> > On Jul 15, 2021, at 6:47 PM, Dmitry Telegin <dmitryt=40backbase....@dmarc.ietf.org> wrote:
>> >
>> > Hi,
>> >
>> > The DPoP spec currently defines how to obtain a DPoP-bound token via
>> > token endpoint invocations (namely, authorization_code and refresh_token
>> > grants). But it is also possible to obtain an access token prior to
>> > code-to-token exchange, via OAuth implicit/hybrid flows.
>> >
>> > Do we have any plans to support DPoP in the authorization endpoint (in
>> > addition to the token endpoint) and implicit/hybrid flows? If yes, what
>> > might it look like? A "dpop" request parameter or a "DPoP" header?
>> >
>> > Regards,
>> > Dmitry
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
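The "binding the token" that the thread keeps returning to has a concrete shape on the verifying side: the issued token carries a thumbprint of the holder's key (a `cnf.jkt` claim), and the presenter must show a proof signed by that key. The block below is an added example written for this thread; it is not code from the OAuth working group, from NIST or from any DPoP implementation. It is stdlib-only Python that computes the RFC 7638 JWK thumbprint, checks a token's `cnf.jkt` against a presented key (the same check applies whether the bound token is a DPoP access token or, in Justin's FAL3 reading, an ID token holding a key identifier), and then applies the DPoP-proof checks a resource server does: `typ`, `htm`, `htu`, `ath`, `iat` freshness and `jti` replay. It assumes the proof's JWS signature has already been verified against the key in its header by a JOSE library; the key coordinates, token strings and URLs are constructed placeholders, not real keys or endpoints.

```python
"""Key-binding checks for sender-constrained tokens (added example, stdlib only).

Assumption: the DPoP proof JWS has already been signature-checked with the
JWK embedded in its header. This block shows only the binding logic that
follows that signature check.
"""
import base64
import hashlib
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE encodes it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace. Optional members such
    as 'use' or 'kid' do not change the thumbprint."""
    required = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_bound(token_claims: dict, presented_jwk) -> bool:
    """True only if the token's cnf.jkt names the presented key.
    Works for a DPoP-bound access token and for an ID token that carries
    the same confirmation claim (the FAL3 'key identifier in the ID token')."""
    jkt = token_claims.get("cnf", {}).get("jkt")
    if jkt is None or not presented_jwk:
        return False
    try:
        return jkt == jwk_thumbprint(presented_jwk)
    except KeyError:  # unknown kty or a required member missing
        return False


def access_token_hash(access_token: str) -> str:
    """DPoP 'ath' claim: base64url(SHA-256(ASCII bytes of the access token))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def check_dpop_proof(proof_header: dict, proof_claims: dict, token_claims: dict,
                     method: str, url: str, access_token: str,
                     now=None, max_age: int = 300, seen_jti=None) -> list:
    """Return the list of binding failures (empty list means the proof is acceptable)."""
    errors = []
    if proof_header.get("typ") != "dpop+jwt":
        errors.append("typ is not dpop+jwt")
    if not key_bound(token_claims, proof_header.get("jwk")):
        errors.append("proof key does not match token cnf.jkt")
    if proof_claims.get("htm") != method:
        errors.append("htm mismatch")
    if proof_claims.get("htu") != url:
        errors.append("htu mismatch")
    if proof_claims.get("ath") != access_token_hash(access_token):
        errors.append("ath does not match presented access token")
    now = time.time() if now is None else now
    iat = proof_claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_age:
        errors.append("iat missing or outside acceptance window")
    jti = proof_claims.get("jti")
    if not jti:
        errors.append("jti missing")
    elif seen_jti is not None:  # replay cache supplied by the caller
        if jti in seen_jti:
            errors.append("jti replayed")
        else:
            seen_jti.add(jti)
    return errors


# Constructed sample data: placeholder coordinates, not real P-256 points.
USER_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y", "use": "sig"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "another-x", "y": "another-y"}
ACCESS_TOKEN = "constructed.access.token"
RS_URL = "https://rs.example/userinfo"  # placeholder endpoint


def sample_bound_token_claims() -> dict:
    """What an AS puts in a token issued to the holder of USER_JWK."""
    return {"iss": "https://as.example", "sub": "user-123",
            "cnf": {"jkt": jwk_thumbprint(USER_JWK)}}


def sample_proof(jwk: dict, access_token: str, method="GET", url=RS_URL, iat=None):
    """Header and claims of a DPoP proof as the client would build them (signature omitted)."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"jti": "proof-1", "htm": method, "htu": url,
              "iat": int(time.time()) if iat is None else iat,
              "ath": access_token_hash(access_token)}
    return header, claims


if __name__ == "__main__":
    hdr, clm = sample_proof(USER_JWK, ACCESS_TOKEN)
    print("holder key:", check_dpop_proof(hdr, clm, sample_bound_token_claims(), "GET", RS_URL, ACCESS_TOKEN))
    hdr2, clm2 = sample_proof(OTHER_JWK, ACCESS_TOKEN)
    print("other key:", check_dpop_proof(hdr2, clm2, sample_bound_token_claims(), "GET", RS_URL, ACCESS_TOKEN))
```

The point of the `ath`, `htm` and `htu` checks is that a proof captured from one request is useless for a different token, method or URL, and the `jti` cache closes the remaining window in which the same proof could be presented twice. Dmitry's question about the authorization endpoint is exactly where this breaks down for implicit/hybrid flows: the binding above is established at the token endpoint, and a token that arrives in a front-channel response has no such `cnf.jkt` unless the authorization request itself carried the key.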