
To be clear: That draft does not define proof of possession. That draft defines embedding a key inside of a JWT such that the protected resource can unpack the key at the far end. It’s one of several options, as shown in the diagram. The rest of the PoP system is far from done and I would not tie any other recommendations to it. There is not a single implementation that I am aware of that goes end to end (yet).
— Justin
On Nov 30, 2015, at 11:11 PM, Mike Schwartz <mike@gluu.org> wrote:
UMA WG,
This draft for proof of possession is getting pretty far along: https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
Justin did this nice web sequence diagram: http://gluu.co/oauth-pop-websequence
My question is... do you think we should recommend proof of possession tokens for the RPT?
- Mike
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike@gluu.org
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma