Hi Adam,
when the HOTK draft was submitted as an individual contribution the group
started a debate about the requirements for an enhanced security solution. This
had led to a high level presentation at the last IETF meeting. Phil volunteered
to produce a document that captures the threats and
We already have the assertion profiles for SAML and JWT where you can use an
asymmetrically signed token to authenticate the client to the token endpoint
for code or refresh.
OpenID Connect supports that by allowing the client to register a public key as
part of getting the client ID.
In prin
Hi,
What are the plans for the OAuth HOTK draft with respect to refresh tokens?
Section 4.3 says that a new public key can be bound to a new access token using
a refresh token grant, but it would be nice if the refresh token could also use
the public key such that when using the refresh token