We have a need for public clients to perform token exchanges. Anybody have any recommended policies for this? I'm worried about untrusted services obtaining a bearer token that they can exchange for upgraded permissions. The Auth Server has to put a lot of trust in the public client to do the right thing.
What should be the initial access token the public client gets?

1) One approach is that it receives an access token devoid of privileges. This forces the public client to request an exchange before invoking on anything. Then what should be the validation policy with the Auth Server? Do not allow upgrading of token unless the token being exchanged has zero scopes/audiences?

2) Another approach is that the initial access token has all privileges the public client needs and the public client downgrades the token before performing invocations. The auth server only needs to check that the client is asking for a downgrade.

3) The last approach we are considering is a combination of #1 and to only allow public clients to exchange a refresh token. Being in possession of a refresh token means that the public client has been involved with a code to token flow, or a password credentials grant. For code to token, this means the public client had a valid redirect uri. For password credentials grant, the client was trusted enough to obtain user credentials.

--
Bill Burke
Red Hat

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
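As an added illustration of the three policies sketched above (not code from the mailing list or any real authorization server), the following models the server-side decision for a token-exchange request from a public client. `Token`, `ExchangeRequest` and the policy names are assumptions of this example; the subject token is assumed to have already been validated (signature, expiry, issuer) before these checks run.

```python
"""Server-side policy checks for token exchange by public clients (illustrative)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Token:
    token_type: str                                   # "access" or "refresh"
    scopes: frozenset = field(default_factory=frozenset)
    audiences: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class ExchangeRequest:
    client_is_public: bool
    subject_token: Token                              # token being exchanged
    requested_scopes: frozenset                       # what the client asks for
    requested_audiences: frozenset


def is_downgrade(req: ExchangeRequest) -> bool:
    """Policy 2: the client may only narrow scopes/audiences it already holds."""
    tok = req.subject_token
    return (req.requested_scopes <= tok.scopes
            and req.requested_audiences <= tok.audiences)


def is_upgrade_from_empty(req: ExchangeRequest) -> bool:
    """Policy 1: an upgrade is allowed only when the presented token carries nothing."""
    tok = req.subject_token
    return not tok.scopes and not tok.audiences


def is_refresh_token_exchange(req: ExchangeRequest) -> bool:
    """Policy 3: only a refresh token (proof of a completed grant) may be exchanged;
    the privilege-less access token from policy 1 is never accepted as subject."""
    return req.subject_token.token_type == "refresh"


POLICIES = {
    "downgrade_only": is_downgrade,
    "upgrade_from_empty": is_upgrade_from_empty,
    "refresh_only": is_refresh_token_exchange,
}


def allow_exchange(req: ExchangeRequest, policy: str) -> bool:
    """Confidential clients are trusted on their credentials; public clients
    must satisfy the configured policy before any exchange is issued."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    if not req.client_is_public:
        return True
    return POLICIES[policy](req)
```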
