[Openid-specs-ab] Idea: client issue token themselves

Tom Jones thomasclinganjones at gmail.com
Mon Nov 5 18:44:41 UTC 2018


There seems to be a fundamental problem with even calling this an
"authorization server". Authorization happens only at the resource server
itself. The best the "AS" can do is issue a set of claims (some
masquerading as scopes) - some of which it might also verify. The challenge
with the jwt is that the validity of the entire jwt is what is asserted.
What is needed by the resource server is the validity statement for each
claim.  Including the claim that the client is trustworthy and (in openid)
that the level of authentication and/or proof-of-presence and/or consent of
the user was validated (or not).  Combining these various ideas might seem
like a good idea, but if the resource server has different criteria for
different claims, it might not be sufficient.
Peace ..tom
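
The distinction drawn above (the signature vouches for the JWT as a whole, while the resource server still has to decide claim by claim) is shown below as an added example; it is not code from this thread or from any product mentioned in it. It assumes an HS256 token under a constructed demo key and a hypothetical resource-server policy over the standard `amr`, `azp`, `email_verified` and `scope` claims.

```python
import base64, hmac, hashlib, json, time

DEMO_KEY = b"demo-hs256-key-not-for-production"  # constructed demo key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT: one signature covers the whole payload, not each claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = DEMO_KEY) -> dict:
    """Token-level check only: return the claims if the JWT as a whole is valid."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

# Hypothetical resource-server policy, applied on top of signature validity.
TRUSTED_CLIENTS = {"client-app-1"}  # constructed allowlist of authorized parties

def evaluate_claims(claims: dict) -> dict:
    """Per claim the RS cares about: is it acceptable under the RS's own criteria?"""
    return {
        # email is only usable if the AS also asserts that it verified it
        "email": bool(claims.get("email")) and claims.get("email_verified") is True,
        # authentication level: this resource requires MFA in the amr claim
        "auth_level": "mfa" in claims.get("amr", []),
        # client trustworthiness: the RS keeps its own allowlist, not the AS
        "client": claims.get("azp") in TRUSTED_CLIENTS,
        # consent: only scopes the RS recognises count
        "scope": set(claims.get("scope", "").split()) <= {"read", "write"},
    }

def authorize(token: str) -> dict:
    """A valid signature does not make every claim acceptable; report both layers."""
    claims = verify_jwt(token)           # raises if the token as a whole is invalid
    per_claim = evaluate_claims(claims)  # the RS decides claim by claim
    return {"token_valid": True, "claims": per_claim, "granted": all(per_claim.values())}
```

Run `authorize` on a token whose signature checks out but whose `amr` lacks `mfa`: the token is valid, yet `granted` is false because one claim fails the RS's criteria.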


On Fri, Nov 2, 2018 at 9:53 AM Preibisch, Sascha H via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi all!
>
> I would like to share the idea of oauth clients that issue tokens
> themselves with you.
>
> I wrote a blog post about it here:
> https://communities.ca.com/blogs/oauth/2018/11/01/oauth-20-serverless-token-issuance
>
> Thanks for any feedback,
> Sascha
>
> P.S.: today is the last day of CA, as of Monday it's Broadcom. I am not
> sure if my blog post is available afterwards at that location!
>
> Sascha Preibisch
> Principal Software Architect
> CA Technologies
> CA Mobile API Gateway
> CA API Management OAuth Toolkit
> Email: sascha.preibisch at ca.com
> Blog: https://communities.ca.com/blogs/oauth
>
> *My book*: *API Development - A Practical Guide for Business
> Implementation Success <https://www.apress.com/de/book/9781484241394>*
> *Latest blog post: Azure AD integration
> <https://communities.ca.com/blogs/oauth/2018/09/12/azure-ad-integration>*
> *Previous blog post: OTK + IFTTT tutorial
> <https://communities.ca.com/blogs/oauth/2018/06/25/oauth-toolkit-otk-and-ifttt-tutorial>*