> I would like to prevent clients from sharing their access tokens. I
am wondering if requiring clients to include the "client secret" in the
resource access request (in addition to the access token) is a valid
strategy.
Sender-constrained access tokens are suggested in the current security
best practice guide here.
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.2
So yes!
- Jim Manico
On 3/2/22 8:18 AM, Warren Parad wrote:
Is there a reason you wouldn't want to use the access token to access
these resources? That seems like it would be the optimal strategy.
Warren Parad
Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.
On Wed, Mar 2, 2022 at 4:58 PM Nikos Fotiou <fot...@aueb.gr> wrote:
Hi all,
I am working on a use case where the Authorization Server and the
Resource Server are the same entity. I would like to prevent
clients from sharing their access tokens. I am wondering if
requiring clients to include the "client secret" in the resource
access request (in addition to the access token) is a valid
strategy. This way clients would have to share their "client
secret" in addition to the access token. Would that work?
Best,
Nikos
--
Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
Jim Manico
Manicode Security
https://www.manicode.com
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
