On 4/14/20 10:23 AM, Denis wrote:
> Unfortunately, this is not possible since RFC 7519 (4.1.2) states:
> The subject value MUST either be scoped to be *locally unique
> in the context of the issuer or be globally unique*.
Regarding this phrase from RFC 7519, I don't agree that it prevents the
solution Vittorio suggested. While for any token issued the 'sub' claim
must be unique (local to the issuer or globally), that doesn't mean it
can't be different with every issued token. This would require the
client to request a new token before every API invocation, but it would
suffice to protect against the suggested privacy correlation issues.
Note that inter-API correlation prevention is VERY difficult and really
requires a unique token for every API call as the token itself can be a
correlation handle (e.g. hash the token and it becomes the correlation
identifier if the token is being reused for multiple API calls).
Thanks,
George
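The reuse-versus-fresh-token argument in the message above, as an added example in Python (not code from the thread or any of its participants): a hypothetical issuer mints a fresh, locally unique 'sub' per token while keeping the sub-to-user mapping so it can still resolve the subject, and two APIs try to correlate their calls either through 'sub' or through a hash of the token itself. The key, issuer URL and all names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key and issuer URL, not values from the thread.
SECRET = b"constructed-demo-hs256-key"
ISSUER = "https://issuer.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class Issuer:
    """Hypothetical issuer: fresh, locally unique 'sub' per token, with the
    sub -> user mapping kept so the issuer can still resolve the subject."""
    def __init__(self):
        self.sub_to_user = {}

    def mint(self, user: str, audience: str) -> str:
        sub = secrets.token_urlsafe(16)            # unique within this issuer
        self.sub_to_user[sub] = user
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": audience}).encode())
        sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"

def claims(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def correlation_handle(token: str) -> str:
    """What two APIs could compare: a hash of the bearer token each received."""
    return hashlib.sha256(token.encode()).hexdigest()

def apis_can_correlate(token_seen_by_a: str, token_seen_by_b: str) -> bool:
    """True if API A and API B can link their calls to one subject, either via
    an identical 'sub' claim or via the token itself acting as a handle."""
    same_sub = claims(token_seen_by_a)["sub"] == claims(token_seen_by_b)["sub"]
    same_token = correlation_handle(token_seen_by_a) == correlation_handle(token_seen_by_b)
    return same_sub or same_token

def reused_token_correlates() -> bool:
    token = Issuer().mint("alice", "api")          # one token used for two API calls
    return apis_can_correlate(token, token)        # True: the token hash matches

def fresh_token_per_call_does_not() -> bool:
    issuer = Issuer()
    t_a = issuer.mint("alice", "api-a")            # new token (and new sub) per call
    t_b = issuer.mint("alice", "api-b")
    return apis_can_correlate(t_a, t_b)            # False, yet both subs map to alice
```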
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth