Murray Kucherawy has entered the following ballot position for
draft-ietf-oauth-iss-auth-resp-03: No Objection
When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)
Please re
>
> (e.g. one-time use in a certain timeframe etc).
Sure but couldn't we just reduce the lifetime? Even if the token isn't one
time use, surely the reuse time is trivially short which would prevent
against exfiltration of the necessary security tokens to issue the attack?
I feel like the simpler
Hi Aaron, Neil
Thanks for the questions.
We agree that ideally authorization codes and PKCE proofs would never end up in
log files and one-time use would be perfectly implemented.
However, in practice these artefacts do find their way into log files in
various places and one-time use may not a
+1 to what Neil and Aaron said.
dpop_jkt effectively creates a client authentication mechanism with an
ad-hoc identifier for the client.
I'm wondering if dynamic registration plus an asymmetric client
authentication scheme doesn't already solve the problem.
-Daniel
Am 01.12.21 um 01:05 schrieb
