Hi Hans,
> Hi Denis,
> thanks for correcting the thread topic:
> On Tue, Mar 29, 2022 at 10:19 PM Denis <denis.i...@free.fr> wrote:
>>> nothing stops Alice from logging in on Bob's device, obtaining
>>> tokens for access and then leaving Bob with the device, even in
>>> long term user accounts
>> Even so, Alice will be unable to use that long term user account
>> that has just been opened the next time an access token is
>> requested by the RS,
>> unless she asks Bob again to use Bob's device. In such a
>> case, she had better live very close to Bob. :-)
> so I conclude that the security considerations of the spec on subject
> identifiers should stipulate that colluding clients must not live
> close to each other then...
> (or better, that the spec does not try to address this type of attack,
> same for DPoP)
I see that you have a good sense of humour. :-)
The reality is that the mechanism protects the case when the users are
spread all over the world in different locations.
Now, I will never allow Alice to use my own device.
This has nothing to do with what DPoP can offer. So it is not the same
for DPoP.
Denis
> Hans.
> --
> hans.zandb...@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth