
Eve, to somewhat fortify this use case, we did exactly the same thing with some of our IoT work (that I spoke about at CIS); however, in our case, we never verify the JWT containing grants other than the signature, to deal with the offline scenarios some IoT systems may face.

=peterd

Peter Davis: Neustar, Inc.
Distinguished Engineer, Director, Identity Architect
46000 Center Oak Plaza
Sterling, VA 20166
[T] +1 571 434 5516
[E] peter.davis@neustar.biz
[W] https://www.neustar.biz/
On Jun 23, 2016, at 5:50 PM, Eve Maler <eve@xmlgrrl.com> wrote:
It looks like this is a client-to-AS-first flow, where the client gets a sort of incomplete token (that is, not yet bound to a particular resource of Alice's), and it leverages this token subsequently at the RS rather than getting a ticket and doing a subsequent dance with the AS. Is that right?...
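As an added illustration of the trade-off Peter describes above (signature-only checking of a grant JWT for offline devices), here is example code written for this page, not Neustar's or the UMA group's code. It assumes an HS256 shared key (the constructed DEMO_KEY) and contrasts the signature-only check with one that also enforces exp and aud, which the offline check necessarily skips:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment provisions this per device.
DEMO_KEY = b"constructed-shared-secret-for-demo"

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Build a constructed HS256 JWT carrying grant claims (test data only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_signature_only(token: str, key: bytes):
    """Offline check as described in the thread: integrity only.
    Returns the claims if the HMAC matches, otherwise None. It does NOT
    look at exp, aud or anything else inside the payload."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))

def verify_with_claims(token: str, key: bytes, audience: str, now=None):
    """Same signature check, plus the checks the offline variant skips:
    expiry and intended audience. Needs a trustworthy clock on the device."""
    claims = verify_signature_only(token, key)
    if claims is None:
        return None
    now = time.time() if now is None else now
    if claims.get("aud") != audience or claims.get("exp", 0) <= now:
        return None
    return claims
```

A device that only runs verify_signature_only will accept an expired or wrong-audience grant as long as the HMAC holds, so the revocation story has to live elsewhere (short lifetimes, key rotation, or a later online check).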