FYI, this is exactly what we are doing in [1] to manage Verifiable Credentials
using OAuth2.0. The AS issues a verifiable credential that stays (for long
time) in the client. The client uses DPoP to prove ownership of the credential.
We just started a new project funded by essif [2] that will fu
Yeah, Daniel,
I remember we spoke about it. I do think my version is slightly different
as there is no access_token issued by the server.
Regards,
Sascha
On Wed, 29 Sept 2021 at 08:42, Daniel Fett wrote:
> That very much sounds like a static string as the access token plus DPoP.
>
> -Daniel
>
That very much sounds like a static string as the access token plus DPoP.
-Daniel
Am 29.09.21 um 03:54 schrieb toshio9@toshiba.co.jp:
> Hi OAuth folks,
>
> I have a question. Is there (or was there) any standardizing effort for
> "self-issued access tokens"?
>
> Self-issued access tokens are
Vittorio,
I wrote an approach where a client would receive a grant by the
authorization server but issues the token itself. The post can be found
here:
https://oauth.blog/oauthblog.jsp (fancy name: Serverless Token Issuance) I
presented the idea at IIW right before I wrote the post.
I believe tha
