Re: [OAUTH-WG] proof of access token possession using client secret

Wed, 02 Mar 2022 08:45:04 -0800

You could require client authentication via the allowed OAuth mechanisms on all resource requests. I think there is some danger in sending the client_secret across the wire on all requests even if the endpoints are all part of the same service. I'd recommend looking at DPoP [1]. 

Thanks,
George

[1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-06

On 3/2/22 11:22 AM, Jim Manico wrote:
> I would like to prevent clients from sharing their access tokens. I am wondering if requiring clients to include the "client secret" in the resource access request (in addition to the access token) is a valid strategy.
Sender-constrained access tokens are suggested in the current security best practice guide here. https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.2 

So yes!

- Jim Manico

On 3/2/22 8:18 AM, Warren Parad wrote:
Is there a reason you wouldn't want to use the access token to access these resources? That seems like it would be the optimal strategy. 

        

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>. 


On Wed, Mar 2, 2022 at 4:58 PM Nikos Fotiou <fot...@aueb.gr> wrote:

    Hi all,

    I am working on a use case where the Authorization Server and the
    Resource Server are the same entity. I would like to prevent
    clients from sharing their access tokens. I am wondering if
    requiring clients to include the "client secret" in the resource
    access request (in addition to the access token) is a valid
    strategy. This way clients would have to share their "client
    secret" in addition to the access token. Would that work?

    Best,
    Nikos
    --
    Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
    Researcher - Mobile Multimedia Laboratory
    Athens University of Economics and Business
    https://mm.aueb.gr

    _______________________________________________
    OAuth mailing list
    OAuth@ietf.org
    https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
Jim Manico
Manicode Security
https://www.manicode.com

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to