Hi Hannes,

From: Ace <ace-boun...@ietf.org<mailto:ace-boun...@ietf.org>> on behalf of 
Hannes Tschofenig <hannes.tschofe...@arm.com<mailto:hannes.tschofe...@arm.com>>
Date: Thursday 1 February 2018 at 13:59
To: "ace@ietf.org<mailto:ace@ietf.org>" <ace@ietf.org<mailto:ace@ietf.org>>
Subject: [Ace] Removal of the Client Token from ACE-OAuth draft

Hi all,

the Client Token is a new mechanism in the ACE-OAuth that aims to solve a 
scenario where the Client does not have connectivity to the Authorization 
Server to obtain an access token while the Resource Server does.

The solution is therefore for the Client to use the Resource Server to relay 
messages to the Authorization Server.

While this sounds nice it does not follow the OAuth model and we, at ARM, have 
not seen anyone requesting this feature. It is also not fully specified in the 
spec: since I have been doing a formal analysis of this protocol variant for 
the OAuth Security Workshop I had to notice that it is not secure. (I will post 
the paper to the list asap.)

Have you posted this? I couldn’t find it my Inbox.

Ace mailing list

Reply via email to