Token Binding

From MgmtWiki
Revision as of 14:47, 13 November 2018 by Tom (talk | contribs) (Created page with "==Full Title or Meme== The process of binding an OpenID Connect or OAuth 2.0 interchange to a HTTPS channel that has been established between a user agent and a Web...")


Full Title or Meme

The process of binding an OpenID Connect or OAuth 2.0 interchange to an HTTPS channel that has been established between a user agent and a Web Site.

Context

RFC 5056, "On the Use of Channel Bindings to Secure Channels" (Abstract)

Problem

  • Token reuse: OAuth 2.0 and OpenID Connect rely on bearer tokens, which raises the risk of token theft. For years architects have been waiting for Token Binding to be ratified so that there would be a transparent mechanism to close this gap. If the feature is dropped from Chrome, this enterprise use case does not go away, and only Microsoft browsers would still support it.
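An added illustration of what Token Binding changes (example code, not part of this wiki page): the token carries the hash of the client's per-origin key, and every request must prove possession of that key by signing the TLS channel's exported keying material. The keys and the EKM value are constructed in-process; no real TLS connection is opened.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Channel stands in for one TLS connection between a user agent and an origin.
type Channel struct {
	EKM []byte            // exported keying material (RFC 5705) that both ends derive
	Key *ecdsa.PrivateKey // the client's Token Binding key pair for this origin
}

func NewChannel() *Channel {
	ekm := make([]byte, 32)
	rand.Read(ekm) // constructed stand-in for the TLS EKM
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Channel{EKM: ekm, Key: key}
}

// Proof models the Sec-Token-Binding header: the public key and a signature over the EKM.
type Proof struct{ Pub *ecdsa.PublicKey; Sig []byte }
func (c *Channel) Prove() Proof {
	h := sha256.Sum256(c.EKM)
	sig, _ := ecdsa.SignASN1(rand.Reader, c.Key, h[:])
	return Proof{Pub: &c.Key.PublicKey, Sig: sig}
}

// TokenBindingID hashes the public key; the issuer records it in the token it mints.
func TokenBindingID(pub *ecdsa.PublicKey) [32]byte {
	return sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
}

// Token is the bearer token plus the Token Binding ID it was issued to.
type Token struct{ Value string; BoundTo [32]byte }

// Accept is the server-side check: signature over this channel's EKM, and the proven key is the one named in the token.
func Accept(serverEKM []byte, tok Token, p Proof) bool {
	h := sha256.Sum256(serverEKM)
	return ecdsa.VerifyASN1(p.Pub, h[:], p.Sig) && TokenBindingID(p.Pub) == tok.BoundTo
}

// Replay reports acceptance on the bound channel, on another channel using its own key, and on another channel replaying the captured header with the stolen token.
func Replay() (legit, ownKey, replayed bool) {
	victim, thief := NewChannel(), NewChannel()
	captured := victim.Prove()
	tok := Token{Value: "constructed-token", BoundTo: TokenBindingID(captured.Pub)}
	return Accept(victim.EKM, tok, victim.Prove()), Accept(thief.EKM, tok, thief.Prove()), Accept(thief.EKM, tok, captured)
}

func main() { fmt.Println(Replay()) } // prints true false false
```

A token copied off the wire is useless on any other channel: the thief can neither sign the new channel's EKM with the victim's key nor reuse the captured signature, which covers a different EKM.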

Solution

Look to other solutions like Bound Tokens.

Reference