Nikos,
You wrote:
I would like to prevent clients from sharing their access tokens.
Proof of access token possession using client secret is unable to
prevent clients from sharing their access tokens.
When two clients agree to collaborate, one client can perform all the
cryptographic computations that the other client
needs (without the need to release the private key to the other client).
At the last OAuth security workshop, I have presented a solution.
Hereafter is an extract of the abstract;
Access tokens that contain a binding user-identifier (buid) field
provide a protection against collusions between two collaborative clients
that key-bound access tokens are unable to provide.
The use of a binding user-identifier (buid) field allows a client
to choose between different contexts and between different privacy
properties.
More details are present in
https://www.ietf.org/id/draft-pinkas-gnap-core-protocol-00.txt
Daniel,
You wrote:
If the clients share the access tokens, they might as well share
access to the resource server (forwarding requests and responses).
You can't really prevent that.
When you consider the existence of user accounts and in the context of
some practical cases, you can prevent that.
What exactly is the attack that you're trying to prevent?
If the clients share the access tokens, they might as well share
access to the resource server (forwarding requests and responses). You
can't really prevent that.
DPoP or MTLS, potentially with non-exportable keys, might be a better
approach, but it depends on the attack you have in mind.
-Daniel
Am 02.03.22 um 16:58 schrieb Nikos Fotiou:
Hi all,
I am working on a use case where the Authorization Server and the Resource Server are the same
entity. I would like to prevent clients from sharing their access tokens. I am wondering if
requiring clients to include the "client secret" in the resource access request (in
addition to the access token) is a valid strategy. This way clients would have to share their
"client secret" in addition to the access token. Would that work?
Best,
Nikos
--
Nikos Fotiou -http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
https://danielfett.de
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
