Hi all,

The Client Token is a new mechanism in ACE-OAuth that aims to solve a
scenario where the Client does not have connectivity to the Authorization
Server to obtain an access token, while the Resource Server does.

The solution is therefore for the Client to use the Resource Server to relay 
messages to the Authorization Server.

While this sounds nice, it does not follow the OAuth model, and we at ARM have
not seen anyone requesting this feature. It is also not fully specified in the
spec: since I have been doing a formal analysis of this protocol variant for
the OAuth Security Workshop, I noticed that it is not secure. (I will post
the paper to the list ASAP.)

Note that I am not saying that we should never do this work, but I prefer that
someone who really cares about this use case describes it in an independent
document.

In summary, I am again requesting that the Client Token functionality be
removed from the ACE-OAuth draft.

Ciao
Hannes

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
