Difference between revisions of "Bearer Token"
From MgmtWiki
Revision as of 10:04, 23 August 2018
Full Title or Meme
A data structure that passes Authorization grants to a Resource server.
Context
RFC 6750 "The OAuth 2.0 Authorization Framework: Bearer Token Usage" defines the Bearer Token.
Problem
- Token reuse: OAuth 2.0 or OpenID Connect use of bearer tokens raises the risk of token theft. For years architects have been waiting for Token Binding to get ratified so there would be a transparent mechanism to close this gap. If this feature gets dropped from Chrome, this enterprise use case doesn't go away and only Microsoft browsers support the feature.
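The gap described above can be seen in the resource server's verification logic. The following is an added illustration, not code from the wiki or from any Token Binding implementation: it models the binding id as an opaque value the TLS layer hands to the resource server, records its hash in a confirmation claim (`cnf.tbh`, a constructed claim name) at issuance, and shows that a plain bearer token replays from any channel while a bound token does not. The issuer key and channel ids are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed key shared by issuer and resource server for this example only.
ISSUER_KEY = b"example-issuer-key-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_token(subject: str, channel_binding_id, ttl: int = 300) -> str:
    """Issue an HMAC-signed token. When a channel binding id is supplied, its
    hash is recorded in a confirmation claim so the token is only valid when
    presented over that same channel (simplified model of Token Binding)."""
    claims = {"sub": subject, "exp": int(time.time()) + ttl}
    if channel_binding_id is not None:
        claims["cnf"] = {"tbh": b64url(hashlib.sha256(channel_binding_id).digest())}
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = b64url(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify(token: str, presented_channel_id) -> str:
    """Resource-server check. Returns 'ok' or the reason for rejection."""
    body, sig = token.split(".")
    expected = b64url(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < time.time():
        return "expired"
    cnf = claims.get("cnf")
    if cnf is None:
        return "ok"  # plain bearer token: whoever holds it is accepted
    if presented_channel_id is None:
        return "bound token presented without channel binding"
    presented = b64url(hashlib.sha256(presented_channel_id).digest())
    if not hmac.compare_digest(cnf["tbh"], presented):
        return "token bound to a different channel"
    return "ok"

def replay_scenario() -> dict:
    """Same stolen token, presented from the victim's and from another channel."""
    victim_channel = b"victim-tls-channel-id"      # constructed
    attacker_channel = b"attacker-tls-channel-id"  # constructed
    bearer = issue_token("alice", None)
    bound = issue_token("alice", victim_channel)
    return {
        "bearer_from_victim": verify(bearer, victim_channel),
        "bearer_replayed": verify(bearer, attacker_channel),
        "bound_from_victim": verify(bound, victim_channel),
        "bound_replayed": verify(bound, attacker_channel),
    }
```

Real Token Binding proves possession of a key pair over the TLS connection rather than trusting an opaque id; the check shape on the resource server side is the same.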
Solution
- Microsoft introduced EAP
- Protection from the secure channel endpoint to a front-end server