What exactly is the attack that you're trying to prevent?
If the clients share the access tokens, they might as well share access to the resource server (forwarding requests and responses). You can't really prevent that.
DPoP or MTLS, potentially with non-exportable keys, might be a better approach, but it depends on the attack you have in mind.
-Daniel

On 02.03.22 at 16:58, Nikos Fotiou wrote:
> Hi all,
>
> I am working on a use case where the Authorization Server and the Resource Server are the same entity. I would like to prevent clients from sharing their access tokens. I am wondering if requiring clients to include the "client secret" in the resource access request (in addition to the access token) is a valid strategy. This way clients would have to share their "client secret" in addition to the access token. Would that work?
>
> Best,
> Nikos
>
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
-- https://danielfett.de