I might suggest that neither of those is really best current practice per
se. Using key-constrained tokens is more of an aspirational recommendation
for what would be good security practice than it is something that's done
much for real in practice today.
On Sat, Nov 17, 2018, 4:07 AM Torsten
Hi Tomek,
> On 16.11.2018 at 13:59, Tomek Stojecki wrote:
>
> >> The AS can bind the lifetime of the refresh tokens to the session
> >> lifetime, i.e. automatically revoke it on logout.
>
> > Yea, I saw your other email asking about refresh token revocation relating
> > to session
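The session binding described in the quoted text, as an added illustration that is my own sketch and not code from the thread or from any OAuth implementation: the AS records each refresh token against the session it was issued under, refresh rotates the token, and logout revokes every refresh token of that session. Class and method names are hypothetical.

```python
"""Refresh tokens whose lifetime is bound to the user's session at the AS."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class SessionBoundRefreshStore:
    # session_id -> refresh tokens currently valid under that session
    sessions: Dict[str, Set[str]] = field(default_factory=dict)
    # refresh token -> (session_id, client_id it was issued to)
    tokens: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def issue(self, session_id: str, client_id: str) -> str:
        """Mint a refresh token and remember which session produced it."""
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (session_id, client_id)
        self.sessions.setdefault(session_id, set()).add(tok)
        return tok

    def refresh(self, tok: str, client_id: str) -> Optional[str]:
        """Rotate: consume the presented token, return a new one or None."""
        entry = self.tokens.pop(tok, None)
        if entry is None:
            return None  # unknown, already rotated, or revoked at logout
        session_id, bound_client = entry
        self.sessions.get(session_id, set()).discard(tok)
        if bound_client != client_id:
            # presented by a client it was not issued to: end the session
            self.logout(session_id)
            return None
        return self.issue(session_id, client_id)

    def logout(self, session_id: str) -> int:
        """Revoke every refresh token of the session; return how many."""
        revoked = self.sessions.pop(session_id, set())
        for t in revoked:
            self.tokens.pop(t, None)
        return len(revoked)


def demo() -> Tuple[bool, bool, int, bool]:
    """Constructed walk-through: rotate, replay old token, log out, retry."""
    store = SessionBoundRefreshStore()
    t1 = store.issue("sess-1", "client-a")
    t2 = store.refresh(t1, "client-a")
    replay_dead = store.refresh(t1, "client-a") is None
    revoked = store.logout("sess-1")
    after_logout_dead = store.refresh(t2 or "", "client-a") is None
    return (t2 is not None, replay_dead, revoked, after_logout_dead)
```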
Hi Nat,
> On 16.11.2018 at 10:12, n-sakimura wrote:
>
> Good points.
>
> Also, while it may be off-topic, I do see value in implicit flows. In some
> cases, such as when the AS is inside the firewall or on a localhost (e.g.,
> smartphone), “code flow” is not possible as the client
Hi Brock,
> On 15.11.2018 at 23:01, Brock Allen wrote:
>
> > It still lacks the ability to issue sender-constrained access tokens.
>
> So you mean at the resource server ensuring the token was really issued to
> the client? Isn't that an inherent limitation of all bearer tokens (modulo
>