
There are benefits to this approach in enabling a number of use cases. Justin, for what it is worth, we designed and delivered systems to do access control that used signed tokens in the possession of clients that were able to access protected resources some years ago, and they map to most of the flows you show. We used PKI, but JWTs are providing pretty much the same crypto capabilities. The difference is that we allowed the signed key and the relationship they established between the protected resource and the authorization server to be long lived (e.g. not one time) and to cover more than a single resource (we actually established claims based on what you might consider a class or role; it does require the protected resource to have some understanding of this claim). By doing so we eliminated the need for the client authorization and introspection in times 2-(end of token life) in the cases where the protected resource was accessed on multiple occasions by a client.

Regards,
Sal

-----Original Message-----
From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Justin Richer
Sent: Monday, November 30, 2015 11:31 PM
To: Michael Schwartz
Cc: wg-uma@kantarainitiative.org UMA
Subject: Re: [WG-UMA] Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)

To be clear: That draft does not define proof of possession. That draft defines embedding a key inside of a JWT such that the protected resource can unpack the key at the far end. It's one of several options, as shown in the diagram. The rest of the PoP system is far from done and I would not tie any other recommendations to it. There is not a single implementation that I am aware of that goes end to end (yet).

— Justin
On Nov 30, 2015, at 11:11 PM, Mike Schwartz <mike@gluu.org> wrote:
UMA WG,
This draft for proof of possession is getting pretty far along: https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
Justin did this nice web sequence diagram: http://gluu.co/oauth-pop-websequence
My question is... do you think we should recommend proof of possession tokens for the RPT?
- Mike
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike@gluu.org

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
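As an added illustration of the mechanism Justin describes (embedding a key in the JWT so the protected resource can unpack it at the far end), and not code from the draft, the UMA WG, or anyone in this thread: the authorization server binds the client's public key into the RPT's `cnf` claim, and the resource server unpacks that key and requires a signature over its own nonce before honouring the token. The claim names `cnf` and `jwk` follow the proof-of-possession draft; the nonce challenge, the issuer `as.example`, the audience value and the function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var enc = base64.RawURLEncoding // JOSE base64url without padding
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func b32(n *big.Int) string     { return enc.EncodeToString(n.FillBytes(make([]byte, 32))) }
func es256(priv *ecdsa.PrivateKey, msg []byte) []byte { // JWS raw R||S ECDSA P-256 over SHA-256(msg)
	h := sha256.Sum256(msg)
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	return append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
}
func verifyES256(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return len(sig) == 64 && ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}
// IssueRPT (authorization server, assumed issuer "as.example"): embed the client's public key as cnf.jwk and sign with the AS key.
func IssueRPT(as *ecdsa.PrivateKey, clientPub *ecdsa.PublicKey, aud string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": b32(clientPub.X), "y": b32(clientPub.Y)}
	body, _ := json.Marshal(map[string]any{"iss": "as.example", "aud": aud, "cnf": map[string]any{"jwk": jwk}})
	in := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	return in + "." + enc.EncodeToString(es256(as, []byte(in)))
}
// VerifyRPT (resource server): verify the AS signature, unpack cnf.jwk, then require a signature over the server's own nonce under that key.
func VerifyRPT(asPub *ecdsa.PublicKey, token, aud, nonce string, proof []byte) error {
	p := strings.Split(token, ".")
	if len(p) != 3 { return errors.New("malformed JWT") }
	sig, err := enc.DecodeString(p[2])
	if err != nil || !verifyES256(asPub, []byte(p[0]+"."+p[1]), sig) { return errors.New("token not signed by the AS") }
	payload, _ := enc.DecodeString(p[1])
	var c struct { Aud string; Cnf struct{ Jwk map[string]string } } // encoding/json matches field names case-insensitively
	if json.Unmarshal(payload, &c) != nil || c.Aud != aud { return errors.New("bad or wrong-audience claims") }
	x, errX := enc.DecodeString(c.Cnf.Jwk["x"])
	y, errY := enc.DecodeString(c.Cnf.Jwk["y"])
	if c.Cnf.Jwk["kty"] != "EC" || c.Cnf.Jwk["crv"] != "P-256" || errX != nil || errY != nil { return errors.New("unsupported cnf key") }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !verifyES256(pub, []byte(nonce), proof) { return errors.New("client did not prove possession of the cnf key") }
	return nil
}
```

A token captured in transit is useless to anyone without the client's private key, which is the property that distinguishes this from a bearer RPT; the nonce should be fresh per request so a recorded proof cannot be replayed.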