From: Ace <ace-boun...@ietf.org> on behalf of
Hannes Tschofenig <hannes.tschofe...@arm.com>
Date: Thursday 1 February 2018 at 13:59
To: "email@example.com" <email@example.com>
Subject: [Ace] Removal of the Client Token from ACE-OAuth draft

The Client Token is a new mechanism in the ACE-OAuth that aims to solve a
scenario where the Client does not have connectivity to the Authorization
Server to obtain an access token while the Resource Server does.
The solution is therefore for the Client to use the Resource Server to relay
messages to the Authorization Server.
While this sounds nice it does not follow the OAuth model and we, at ARM, have
not seen anyone requesting this feature. It is also not fully specified in the
spec: since I have been doing a formal analysis of this protocol variant for
the OAuth Security Workshop I had to notice that it is not secure. (I will post
the paper to the list asap.)

Have you posted this? I couldn't find it in my Inbox.
Ace mailing list