Re: [OAUTH-WG] DPoP - Downgrades, Transitional Rollout & Mixed Token Type Deployments

Sun, 07 Jun 2020 05:27:12 -0700 

Answers inline: 

> On 7 Jun 2020, at 13:07, Nov Matake <mat...@gmail.com> wrote:
> 
> So, you mean…
> 
> If a frontend client want to use
> * sender-constrained code, bearer access token and sender-constrained refresh 
> token, use DynReg.

I’m not really sure what a sender-constrained code would be, but I suspect the 
right answer here is PKCE + DPoP. PKCE basically is PoP for auth codes. 

> * sender-constrained code, sender-constrained access token and 
> sender-constrained refresh token, use DynReg + DPoP.

PKCE + DPoP

> * bearer code, sender-constrained access token and sender-constrained refresh 
> token, use DPoP only.

Sure, but you should always use PKCE, so PKCE + DPoP. 

> * bearer code, bearer access token and bearer refresh token, use neither.
> 
> is my understanding correct??

Just use PKCE + DPoP. (Or a different PoP mechanism, eg mTLS cert-bound tokens, 
or etc). 

> 
>> 2020/06/07 20:49、Neil Madden <neil.mad...@forgerock.com>のメール:
>> 
>> There are multiple issues with using dynamic client registration for this.. 
>> If a user uninstalls and later reinstalls an app then they can end up with 
>> multiple registrations for the same client, which makes it harder for them 
>> to manage access. Additionally, client registrations typically don’t expire 
>> so the AS doesn’t know when it can remove unused clients.
>> 
>> Besides, this ship already sailed with mTLS cert-bound refresh tokens. 
>> 
>> Neil
>> 
>>>> On 7 Jun 2020, at 12:34, Nov Matake <mat...@gmail.com> wrote:
>>>> 
>>> Confidential clients can also use DPoP.
>>> 
>>>> 2020/06/07 20:25、Torsten Lodderstedt <tors...@lodderstedt.net>のメール:
>>>> 
>>>> If the client would register for every transaction.
>>>> 
>>>> And don’t forget, DPoP also supports sender constrained access to resource 
>>>> servers, which dyn registration does not.
>>>> 
>>>>>> Am 07.06.2020 um 13:04 schrieb Nov Matake <mat...@gmail.com>:
>>>>>> 
>>>>> Since each client instance has at least one key, those are same level of 
>>>>> state management.
>>>>> 
>>>>>> 2020/06/07 16:24、Torsten Lodderstedt <tors...@lodderstedt.net>のメール:
>>>>>> 
>>>>>> There are similarities in this particular use case but I would argue 
>>>>>> DPoP is more light weight than dynamic client registration, less state 
>>>>>> management in particular.
>>>>>> 
>>>>>>>> Am 07.06.2020 um 05:41 schrieb Nov Matake <mat...@gmail.com>:
>>>>>>>> 
>>>>>>> DPoP-bound refresh token seems feature duplication with dynamic client 
>>>>>>> registration.
>>>>>>> 
>>>>>>>> 2020/06/07 7:57、Francis Pouatcha <fpo=40adorsys...@dmarc.ietf.org>のメール:
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> > Am 05.06.2020 um 22:17 schrieb George Fletcher 
>>>>>>>>> > <gffletch=40aol.....@dmarc..ietf.org>:
>>>>>>>>> > 
>>>>>>>>> > Secondly, I do think we need a way to allow for the refresh_token 
>>>>>>>>> > to be bound while leaving the access_tokens as bearer tokens. This 
>>>>>>>>> > adds useful security without impacting existing RS deployments.
>>>>>>>>> 
>>>>>>>>> +1 that’s a very useful 
>>>>>>>>> feature_______________________________________________
>>>>>>>> AFAIK a refresh_token is always bound. What am I missing here?
>>>>>>>> -- 
>>>>>>>> Francis Pouatcha
>>>>>>>> Co-Founder and Technical Lead at adorys
>>>>>>>> https://adorsys-platform.de/solutions/
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> 
>>>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
> 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to