Difference between revisions of "Token Binding"
From MgmtWiki
(→Context) |
(→Problem) |
||
| Line 7: | Line 7: | ||
==Problem== | ==Problem== | ||
| − | + | *Attempts to make a trusted connection from a user to [[Web Site]] have included [[EV Certs]] and other attempt to over come the failings inherent in trusting any connection based on the [[URL]]. | |
*Token reuse: [[OAuth 2.0]] or [[OpenID Connect]] use of bearer tokens raises the risk of token theft. For years architects have been waiting for Token Binding to get ratified so there would be transparent mechanism to close this gap. The feature has been dropped by the Google Chrome browser as inadequate to solve the problem. So a different solution is required. | *Token reuse: [[OAuth 2.0]] or [[OpenID Connect]] use of bearer tokens raises the risk of token theft. For years architects have been waiting for Token Binding to get ratified so there would be transparent mechanism to close this gap. The feature has been dropped by the Google Chrome browser as inadequate to solve the problem. So a different solution is required. | ||
Revision as of 14:52, 13 November 2018
Full Title or Meme
The process of binding an OpenID Connect or OAuth 2.0 interchange to a HTTPS channel that has been established between a user agent and a Web Site.
Context
- Secure web connections based on HTTPS for security.
- See the page on Channel Binding about RFC 5056 for details on the context.
Problem
- Attempts to make a trusted connection from a user to Web Site have included EV Certs and other attempt to over come the failings inherent in trusting any connection based on the URL.
- Token reuse: OAuth 2.0 or OpenID Connect use of bearer tokens raises the risk of token theft. For years architects have been waiting for Token Binding to get ratified so there would be transparent mechanism to close this gap. The feature has been dropped by the Google Chrome browser as inadequate to solve the problem. So a different solution is required.
Solution
Look to other solutions like Bound Tokens.
