>>> wouldn't it make sense for the authorization server to also challenge the client for >>> additional input to increase its confidence in the client and its behavior, similar to >>> MFA or step-up authentication for users?
Here is some feedback based on the takeaways from the IOH livestream today on this topic, see https://gluu.co/ioh-204 for the links. ⚡ While it's true that token exchange by itself doesn't provide a way for the AS to tell the client what extra evidence is required, and your approach could be used for any OAuth grant type, this is not the only way to solve the requirement. 1) The extra required evidence could be defined in a new flow--e.g. UMA used permission tickets; AAuth has a similar resource-first flow to obtain an artifact with these hints. Furthermore, a modern PDP which supports partial evaluation could provide some hints to the client. ⚡ Making the OAuth token endpoint stateful would make an already complex endpoint even more complex. We normally don't worry about AS implementers... but this is one of the OG endpoints that's been really overloaded in the last 15 years or so. ⚡ That state would need to be persisted across geographic clusters. Obviously this can be done (we have many stateful requirements), but it incurs a real cost. Is the cost of your solution the best solution to the problem? ⚡ Vendors overloaded the ROPW grant with state in the past with bad results. So if making one grant type stateful wasn't a great idea, should we make them all stateful? - Mike Schwartz -------------------------------------- Michael Schwartz Gluu Founder/CEO [email protected] https://www.linkedin.com/in/nynymike -- *CONFIDENTIALITY NOTICE* This message may contain confidential or legally privileged information. If you are not the intended recipient, please immediately advise the sender by reply e-mail that you received this message, and delete this e-mail from your system. Thank you for your cooperation
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
