Issue #173: push token delivery + sender constrained/proof of possession

Thu Mar 5 09:47:29 UTC 2020

New issue 173: push token delivery + sender constrained/proof of possession

Joseph Heenan:

As far as I can see, there's no mechanism documented to use MTLS certificate-bound access tokens with the push token delivery mode, meaning you can't use push if you're following the OAuth Security BCP. (Similarly, I don't think there's any documented way for DPoP or any other similar mechanism to work.)

This may at least be worth mentioning under security considerations?

It seems like it would be possible to support it - it would require the relevant info to be presented at the backchannel authentication endpoint when initiating the request, though particularly for long-lived requests, presenting the constraining info that early could cause issues if the RP wishes to rotate keys.
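The sketch above can be made concrete. The following is an added example, not code from the CIBA specification or from the issue author: it models an authorization server that captures a sender-constraining binding at the backchannel authentication endpoint and copies it into the token it pushes, and a client that only keeps a pushed token bound to a key or certificate it still holds. The `cnf` request parameter is hypothetical (CIBA defines no such parameter); the `cnf.jkt` and `cnf.x5t#S256` token claims are the DPoP (RFC 9449) and MTLS (RFC 8705) forms from RFC 7800. The tokens are plain claim dicts rather than signed JWTs, the sample JWKs are JWK-shaped placeholders rather than real curve points, and the "certificate" is constructed bytes, since the point is the binding check, not signature verification. The `rotate_before_push` case shows the failure mode the comment raises: a key rotated while a long-lived request is pending leaves the pushed token bound to a key the client no longer has.

```python
import base64
import hashlib
import json
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK thumbprint (the value DPoP puts in cnf.jkt): SHA-256 over the
    canonical JSON of the key type's required members, sorted, no whitespace."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
        "OKP": ("crv", "kty", "x"),
    }
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def cert_thumbprint(der: bytes) -> str:
    """RFC 8705 cnf['x5t#S256']: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(der).digest())


class AuthorizationServer:
    """Toy CIBA AS using push delivery. The binding presented when the request
    is initiated is stored and later copied into the pushed token."""

    def __init__(self) -> None:
        self.pending: dict = {}

    def backchannel_authenticate(self, client_id: str, scope: str, cnf: dict) -> str:
        # 'cnf' is the hypothetical binding parameter discussed in the issue.
        auth_req_id = b64url(secrets.token_bytes(16))
        self.pending[auth_req_id] = {"client_id": client_id, "scope": scope, "cnf": cnf}
        return auth_req_id

    def push_token(self, auth_req_id: str) -> dict:
        """Payload POSTed to the client notification endpoint after user approval.
        The access token is modelled as a claims dict, not a signed JWT."""
        req = self.pending.pop(auth_req_id)
        return {
            "auth_req_id": auth_req_id,
            "token_type": "DPoP" if "jkt" in req["cnf"] else "Bearer",
            "access_token": {"client_id": req["client_id"],
                             "scope": req["scope"],
                             "cnf": req["cnf"]},
        }


def client_accepts_pushed_token(push: dict,
                                current_jwk: Optional[dict] = None,
                                current_cert_der: Optional[bytes] = None) -> bool:
    """Client-side check: keep a pushed token only if it is bound to a key or
    certificate the client still holds. An unbound (bearer) token is rejected,
    which is what following the OAuth Security BCP implies."""
    cnf = push["access_token"].get("cnf") or {}
    if "jkt" in cnf:
        return current_jwk is not None and cnf["jkt"] == jwk_thumbprint(current_jwk)
    if "x5t#S256" in cnf:
        return current_cert_der is not None and cnf["x5t#S256"] == cert_thumbprint(current_cert_der)
    return False


# Constructed sample material: JWK-shaped placeholders and fake DER bytes.
KEY_A = {"kty": "EC", "crv": "P-256", "x": "key-A-x", "y": "key-A-y"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "key-B-x", "y": "key-B-y"}
CERT_A = b"constructed-der-bytes-for-cert-A"


def dpop_flow(rotate_before_push: bool) -> bool:
    """Client starts a request bound to KEY_A; if rotate_before_push is set it
    rotates to KEY_B while the (long-lived) request is still pending."""
    az = AuthorizationServer()
    auth_req_id = az.backchannel_authenticate("rp-1", "openid", {"jkt": jwk_thumbprint(KEY_A)})
    client_key = KEY_B if rotate_before_push else KEY_A
    return client_accepts_pushed_token(az.push_token(auth_req_id), current_jwk=client_key)


def mtls_flow() -> bool:
    """Same flow with an MTLS certificate binding instead of a DPoP key."""
    az = AuthorizationServer()
    auth_req_id = az.backchannel_authenticate("rp-1", "openid", {"x5t#S256": cert_thumbprint(CERT_A)})
    return client_accepts_pushed_token(az.push_token(auth_req_id), current_cert_der=CERT_A)


def bearer_flow() -> bool:
    """No binding presented: the pushed token is a bearer token and is rejected."""
    az = AuthorizationServer()
    auth_req_id = az.backchannel_authenticate("rp-1", "openid", {})
    return client_accepts_pushed_token(az.push_token(auth_req_id), current_jwk=KEY_A)


if __name__ == "__main__":
    print("DPoP, same key:     ", dpop_flow(rotate_before_push=False))
    print("DPoP, key rotated:  ", dpop_flow(rotate_before_push=True))
    print("MTLS, same cert:    ", mtls_flow())
    print("Bearer (no binding):", bearer_flow())
```

The rotated-key case fails at the client rather than at the resource server, which is the better place to notice it: a client that silently kept the token would only discover the mismatch when its DPoP proof is rejected. Whatever mechanism ends up specified would need either to tolerate rotation (for instance by letting the client re-present a binding when it fetches or receives the token) or to document that the key presented at initiation must survive until delivery.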

