[Openid-specs-fapi] Issue #96: Uncertainty around the resource server's handling of the access token (openid/fapi)
issues-reply at bitbucket.org
Wed May 10 15:35:45 UTC 2017
New issue 96: Uncertainty around the resource server's handling of the access token
8.3 Uncertainty around the resource server's handling of the access token
There is no way that the client can find out whether the resource access was granted for the Bearer token or holder of key token.
The two differs in the risk profile and the client may want to differentiate them.
To support it, the resource shall not accept a Bearer token if it is supporting MTLS token with Bearer authorization header.
I think the wording needs to be made clearer. Are we saying that the resource server must not accept plain bearer tokens, and must only accept tokens bound to the TLS session (either via OAUTB or MTLS)?
More information about the Openid-specs-fapi