[Openid-specs-risc] Dependence on RFC6750 conflicts with other OIDF groups
Phil Hunt
phil.hunt at oracle.com
Fri Apr 6 16:21:43 UTC 2018
The dependence on RFC6750 (OAuth bearer tokens) is a concern because it limits security agility.
As I have stated, my preference is for any HTTP security mechanism to be permissible, because implicit federation entities are not always using OAuth-based infrastructure - yet many do have sophisticated IDM and security systems.
That concern aside, there are other OIDF working groups (FAPI and iGov) that are mandating the use of bound or proof-of-possession tokens. These groups would be unable to use RISC's proposed bearer token security model, as they only accept token binding and mutual TLS bound tokens.
As a compromise, I suggest the dependence be made on RFC7519 (JWT tokens) instead of RFC6750. It would be reasonable to suggest, in a non-normative way, the use of OAuth Bearer tokens as an example solution for RISC.
Phil
Oracle Corporation, Identity Cloud Services Architect
@independentid
www.independentid.com
phil.hunt at oracle.com