We already have the assertion profiles for SAML and JWT where you can use an asymmetrically signed token to authenticate the client to the token endpoint for code or refresh.
OpenID Connect supports that by allowing the client to register a public key as part of getting the clientID. In principle you could put the public key in a structured refresh token though I don't know that there is a real advantage to that. We haven't talked about doing channel binding of a key to the token endpoint yet. That is a possible extension for the assertion profile or some other.

John B.

On 2012-09-07, at 7:56 PM, Lewis Adam-CAL022 <[email protected]> wrote:

> Hi,
>
> What are the plans for the OAuth HOTK draft with respect to refresh tokens?
> Section 4.3 says that a new public key can be bound to a new access token
> using a refresh token grant, but it would be nice if the refresh token could
> also use the public key such that when using the refresh token as a grant
> type to get a new access token, the AS could receive the same security
> robustness with the RT as the RS does with the AT.
>
> John, I think you mentioned something along these lines at CIS, but it was
> late at night and my memory is foggy.
>
> Either way, the current draft does not discuss. Is this something that will
> be included in future versions?
>
>
> -adam
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
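The client authentication described in the reply above, sketched as an added example that is not part of the original thread or of any OAuth draft: a client signs a JWT assertion and the token endpoint checks it against the public key registered for that client before honouring a code or refresh grant. Ed25519 ("EdDSA") is chosen here only for brevity; the function names, client id and endpoint URL are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Added example: function names, client id and endpoint URL are constructed.
var b64 = base64.RawURLEncoding
type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}
// Client side: sign a JWT with iss = sub = client_id and aud = token endpoint.
func signAssertion(key ed25519.PrivateKey, clientID, aud string, exp time.Time) string {
	body, _ := json.Marshal(claims{clientID, clientID, aud, exp.Unix()})
	in := b64.EncodeToString([]byte(`{"alg":"EdDSA"}`)) + "." + b64.EncodeToString(body)
	return in + "." + b64.EncodeToString(ed25519.Sign(key, []byte(in)))
}

// Token endpoint side: algorithm is fixed; the key comes from registration, never from the token.
func verifyAssertion(jwt, endpoint string, keys map[string]ed25519.PublicKey, now time.Time) (string, error) {
	p := strings.Split(jwt, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed assertion")
	}
	var c claims
	body, _ := b64.DecodeString(p[1]) // read iss only to pick the registered key
	sig, _ := b64.DecodeString(p[2])
	if json.Unmarshal(body, &c) != nil || keys[c.Iss] == nil ||
		!ed25519.Verify(keys[c.Iss], []byte(p[0]+"."+p[1]), sig) {
		return "", fmt.Errorf("not signed by a registered client key")
	}
	if c.Sub != c.Iss || c.Aud != endpoint || now.Unix() >= c.Exp {
		return "", fmt.Errorf("claims rejected")
	}
	return c.Iss, nil
}

func main() {
	pub, key, _ := ed25519.GenerateKey(nil)
	a := signAssertion(key, "client-1", "https://as.example/token", time.Now().Add(time.Minute))
	fmt.Println(verifyAssertion(a, "https://as.example/token", map[string]ed25519.PublicKey{"client-1": pub}, time.Now()))
}
```

With this check in place a refresh token presented without a valid assertion from the registered key is refused, though the refresh token itself is still not bound to the key. Replay protection (a one-time `jti` claim) is left out of this sketch.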
