Typically when an access token is issued via the implicit grant directly from the authorization endpoint, it is for a client that is running as script in the user-agent. The AS binds the access token to the referred token binding, which would be the token binding between the user-agent (where the client is) and the protected resource.
It does mean that a hybrid style client couldn't pass the access token from its script front-end in the user-agent to its server backed (well, it could pass it but the server side couldn't use it because of the binding). On Mon, May 14, 2018 at 6:46 AM, <pedra...@gmx.de> wrote: > Dear all, > > We are currently modeling part 1 and part 2 of the OpenID Financial API in > the FKS Web Model and have a few questions regarding the OAuth 2.0 Token > Binding. > > In section 3.1. of draft-ietf-oauth-token-binding-06, it is not very > clear how an Access Token issued from the Authorization Endpoint is Token > Bound. Is this intended to be the same as an AC issued for a web server > client? It seems that the user-agent sends both the Provided and Referred > Token Bindings to the AS, which means that the AS can bind the Access Token > to the Referred Token Binding, which is the Token Binding between the > user-agent and the client. > However, the Access Token is not used by the user-agent, which means that > the client can only send the Token Binding ID used by the user-agent (which > essentially is the public key) to the Resource Server. > > Is this the intended flow of the Token Binding? Because the first > paragraph of 3.1 says that the "Token Binding ID of the client's TLS > channel to the protected resource is sent with the authorization request as > the Referred Token Binding ID", but we assume that the user-agent reveals > the TB-ID of its own channel to the client. > > Best regards, > Pedram Hosseyni > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
