[OpenID-Specs-eKYC-IDA] Issue #1231: sender constraining of attached document access token (openid/ekyc-ida)

Joseph Heenan issues-reply at bitbucket.org
Wed Feb 17 15:27:25 UTC 2021


New issue 1231: sender constraining of attached document access token
https://bitbucket.org/openid/ekyc-ida/issues/1231/sender-constraining-of-attached-document

Joseph Heenan:

The text in [https://bitbucket.org/openid/ekyc-ida/pull-requests/50](https://bitbucket.org/openid/ekyc-ida/pull-requests/50) explicitly mentions bearer tokens when talking about access tokens.

We should at least make clear that when using the OP’s access token then sender constrained tokens (MTLS, DPoP) can be used.

When not using the OP’s access token (i.e. an access token is provided for the particular resource) it’s not clear if the token can be sender constrained.

An additional consideration is that the protocol doesn’t define a way to prevent the client from supplying an access token to the resource, potentially meaning an unnecessary access token is sent out and presents an unnecessary vector for the token to be leaked.
