Could you share a bit about the security implications that precipitate needing to change the token type? I.e. what's the attack vector that is closed by adding this?
Warren Parad
Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>.

On Thu, Dec 9, 2021 at 2:24 PM Dmitry Telegin <dmitryt= 40backbase....@dmarc.ietf.org> wrote:
> The following changes to RFC 8705 have been proposed:
> - introduce a new error code (e.g. "invalid_mtls_certificate") to be used
>   when the certificate is required by the AS/RS, but the underlying stack has
>   been misconfigured and the client didn't send one;
> - for bound token use, change the Authorization scheme from Bearer to MTLS;
> - for a token response returning a bound token, change token_type from
>   Bearer to MTLS
>
> See discussion:
> https://mailarchive.ietf.org/arch/msg/oauth/XfeH2q0Rwa2YocsR484xk-8LMqc/
>
> Accepting the changes would imply a new RFC and the obsolescence of the
> current one. Two questions so far:
> - what's the group's general stance on this, would that be a welcome
>   change?
> - if so, could we also hear from the implementors if there are any other
>   issues / suggested changes.
>
> Dmitry
> Backbase / Keycloak
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
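To make the three proposed changes concrete from the resource-server side, here is an added example (not code from the thread, from RFC 8705, or from Keycloak or Authress). It shows the RFC 8705 `x5t#S256` thumbprint computation, an authorization-server helper that places that thumbprint in the token's `cnf` claim and would label the response `token_type` as `MTLS` under the proposal, and a resource-server check that only accepts a certificate-bound token when the matching client certificate was actually presented. The branch that returns `invalid_mtls_certificate` is where the proposed error code would apply (binding required, no certificate arrived), and the rejection of a bound token sent with the `Bearer` scheme reflects the proposed `MTLS` scheme. Function names, the certificate bytes, and the error descriptions are all constructed for this example; token signature and expiry validation are assumed to have happened before `check_bound_token` is called.

```python
import base64
import hashlib
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates. In a real
# deployment these are the bytes of the certificate the TLS layer presented.
CLIENT_CERT_DER = b"constructed-der-bytes-for-client-A"
OTHER_CERT_DER = b"constructed-der-bytes-for-client-B"


def x5t_s256(der_bytes: bytes) -> str:
    """RFC 8705 section 3.1 thumbprint: base64url(SHA-256(DER)), no padding."""
    digest = hashlib.sha256(der_bytes).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bound_claims(cert_der: bytes, subject: str = "client-a") -> dict:
    """AS side (hypothetical helper): bind the issued token to the presented
    client certificate by placing its thumbprint in the cnf claim."""
    return {"sub": subject, "cnf": {"x5t#S256": x5t_s256(cert_der)}}


def token_type_for(claims: dict) -> str:
    """Proposed behaviour from the thread: a bound token is advertised as
    token_type MTLS instead of Bearer, so clients cannot mistake it for a
    plain bearer token."""
    return "MTLS" if "cnf" in claims else "Bearer"


def check_bound_token(
    claims: dict, presented_cert_der: Optional[bytes], auth_scheme: str
) -> Tuple[int, dict]:
    """RS side (hypothetical helper): enforce the certificate binding.

    Returns (HTTP status, JSON body). `claims` are the already-verified
    access-token claims; `presented_cert_der` is the client certificate the
    TLS stack handed over, or None if none arrived; `auth_scheme` is the
    scheme used in the Authorization header.
    """
    expected = (claims.get("cnf") or {}).get("x5t#S256")
    if expected is None:
        # No cnf claim: not a bound token, ordinary bearer handling applies.
        return 200, {"result": "ok", "binding": "none"}

    if auth_scheme != "MTLS":
        # Under the proposal a bound token is presented with the MTLS scheme;
        # a Bearer presentation of a bound token is rejected rather than
        # silently treated as an unbound bearer token.
        return 401, {
            "error": "invalid_token",
            "error_description": "certificate-bound token presented with Bearer scheme",
        }

    if presented_cert_der is None:
        # Binding is required but no certificate reached the RS, usually a
        # TLS-termination misconfiguration. This is the case the proposed
        # error code is meant to make visible instead of a generic failure.
        return 401, {
            "error": "invalid_mtls_certificate",
            "error_description": "token is certificate-bound but no client certificate was presented",
        }

    if x5t_s256(presented_cert_der) != expected:
        # Certificate present but it is not the one the token was bound to
        # (RFC 6750 invalid_token is used here as the generic rejection).
        return 401, {
            "error": "invalid_token",
            "error_description": "client certificate does not match cnf thumbprint",
        }

    return 200, {"result": "ok", "binding": "x5t#S256"}


if __name__ == "__main__":
    claims = bound_claims(CLIENT_CERT_DER)
    print("token_type:", token_type_for(claims))
    print("matching cert :", check_bound_token(claims, CLIENT_CERT_DER, "MTLS"))
    print("wrong cert    :", check_bound_token(claims, OTHER_CERT_DER, "MTLS"))
    print("no cert       :", check_bound_token(claims, None, "MTLS"))
    print("bearer scheme :", check_bound_token(claims, CLIENT_CERT_DER, "Bearer"))
```

The order of the checks is the point: the scheme and the presence of a certificate are verified before the thumbprint comparison, so a deployment where the TLS terminator drops the client certificate fails loudly with the distinct error code rather than quietly accepting the bound token as if it were a bearer token.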