[OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-28.txt

2020-08-20 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Web Authorization Protocol WG of the IETF. Title : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR) Authors : Nat

Re: [OAUTH-WG] Client authentication on token revocation

2020-08-20 Thread Emond Papegaaij
Hi Torsten, Thanks for your insight. I agree, a sender-constrained token, such as when using certificate-bound tokens from RFC 8705, cannot be used by an attacker. It makes sense to only allow the owner to revoke them, probably using the same mechanism as by which they are bound to the client. For

[OAUTH-WG] WGLC review of PAR

2020-08-20 Thread Neil Madden
As promised in the last interim meeting, I’ve reviewed the current (03) draft-ietf-oauth-par document. Overall it looks close to ready to me, with mostly minor comments and one security-relevant comment on section 2.1 that should be discussed further, and one additional proposed security

Re: [OAUTH-WG] Client authentication on token revocation

2020-08-20 Thread Torsten Lodderstedt
Hi Emond, I tend to agree with your assessment. Revoking bearer tokens without client authentication seems to be better than leaving the attacker the option to use them to invoke resources. However, if the attacker cannot use the access tokens (e.g. because they are sender constrained), the

[OAUTH-WG] Client authentication on token revocation

2020-08-20 Thread Emond Papegaaij
Hi all, We are currently implementing the token revocation endpoint (RFC 7009) on our authorization server and do not understand why it requires client authentication. When a party (a valid client or not) gets hold of a valid access token in whatever way, the least damaging it could do with it,