>>> wouldn't it make sense for the authorization server to also challenge
the client for
>>> additional input to increase its confidence in the client and its
behavior, similar to
>>> MFA or step-up authentication for users?

Here is some feedback based on the takeaways from the IOH livestream today
on this topic, see https://gluu.co/ioh-204 for the links.

⚡ While it's true that token exchange by itself doesn't provide a way for
the AS to tell the client what extra evidence is required, and your
approach could be used for any OAuth grant type, this is not the only way
to solve the requirement. 1) The extra required evidence could be defined
in a new flow--e.g. UMA used permission tickets; AAuth has a similar
resource-first flow to obtain an artifact with these hints. Furthermore, a
modern PDP which supports partial evaluation could provide some hints to
the client.

⚡ Making the OAuth token endpoint stateful would make an already complex
endpoint even more complex. We normally don't worry about AS
implementers... but this is one of the OG endpoints that's been really
overloaded in the last 15 years or so.

⚡ That state would need to be persisted across geographic clusters.
Obviously this can be done (we have many stateful requirements), but it
incurs a real cost. Is the cost of your solution the best solution to the
problem?

⚡ Vendors overloaded the ROPW grant with state in the past with bad
results. So if making one grant type stateful wasn't a great idea, should
we make them all stateful?

- Mike Schwartz

--------------------------------------
Michael Schwartz
Gluu
Founder/CEO
[email protected]
https://www.linkedin.com/in/nynymike

-- 





*CONFIDENTIALITY NOTICE*

This message may contain confidential or 
legally privileged information.
If you are not the intended recipient, 
please immediately advise the sender by reply e-mail that you received this 
message, and delete this e-mail from your system.
Thank you for your 
cooperation
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to