Affects Version/s: Not Applicable
Fix Version/s: None
Component/s: OAuth 2.0
Standard OAuth2 access tokens are bearer tokens: whoever presents one is granted access, so a token that leaks (from a compromised client, a log, or an intercepted request) can simply be replayed by an attacker. OAuth2 tokens shall therefore be protected from token hijacking using industry-standard proof-of-possession (PoP) approaches, which bind the token to a key that the client has to prove it holds each time the token is used.
The published standard for expressing proof-of-possession keys in JWTs is RFC 7800, Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs): https://tools.ietf.org/html/rfc7800. It defines the cnf (confirmation) claim that carries the key the presenter must prove possession of.
How this fits into OAuth2 is described by the IETF draft OAuth 2.0 Proof-of-Possession (PoP) Security Architecture, https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/ (still a draft at the time of writing).
See AME-11905 for the OpenAM side, issuing PoP-bound tokens. IG shall provide the resource server portion: validating the access token and the proof of possession presented with each request.
- OpenAM acts as the issuer of OAuth2 access tokens with PoP.
- PoP is optional: a token is bound to a key only when the client presents a public key while requesting the access token; otherwise an ordinary bearer token is issued.
- IG acts as the resource server, validating both the access token and the PoP material the client presents with the request.
- Both stateful and stateless OAuth2 tokens are supported.
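As an added example (not code from this ticket, OpenAM or IG), the following Go program walks through the two halves described above for the stateless (JWT) case: an issuer that binds the client's public key into the access token via the RFC 7800 cnf claim, but only when the client supplied a key, and a resource server that verifies the token, extracts the confirmation key and checks the client's proof before accepting the request, so that someone who has hijacked the token but not the private key is refused. The issuer and audience URLs, the claim values and the proof message format (a JWS over the request method and URI) are assumptions of the example; the PoP architecture draft does not fix a proof format, and checks of iss, aud and exp are left out to keep the focus on the PoP logic. For stateful (opaque) tokens the resource server would have to obtain the confirmation key from OpenAM rather than from the token itself, which this example does not cover.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64u = base64.RawURLEncoding                  // JWS and JWK use base64url without padding
const hdrES256 = `{"alg":"ES256","typ":"JWT"}` // the only JOSE header this example accepts

// signJWS builds a compact ES256 JWS: b64u(header).b64u(payload).b64u(r||s).
func signJWS(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	input := b64u.EncodeToString([]byte(hdrES256)) + "." + b64u.EncodeToString(payload)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64u.EncodeToString(sig), nil
}

// verifyJWS checks a compact JWS against pub and returns its payload. Pinning the header
// rejects "alg":"none" and algorithm-confusion tokens before any crypto runs.
func verifyJWS(pub *ecdsa.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	hdr, errH := b64u.DecodeString(parts[0])
	sig, errS := b64u.DecodeString(parts[2])
	if errH != nil || string(hdr) != hdrES256 || errS != nil || len(sig) != 64 {
		return nil, errors.New("unexpected header or malformed signature")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("bad signature")
	}
	return b64u.DecodeString(parts[1])
}

// issueAccessToken is the authorization-server side (OpenAM in the ticket). A client that
// presented a public key gets it bound into the token as an EC JWK under "cnf" (RFC 7800
// section 3.2); a client that did not gets an ordinary bearer token, so PoP stays optional.
func issueAccessToken(asKey *ecdsa.PrivateKey, clientPub *ecdsa.PublicKey) (string, error) {
	claims := map[string]interface{}{"iss": "https://as.example", "sub": "alice", "aud": "https://rs.example"}
	if clientPub != nil {
		x, y := clientPub.X.FillBytes(make([]byte, 32)), clientPub.Y.FillBytes(make([]byte, 32))
		claims["cnf"] = map[string]interface{}{"jwk": map[string]string{
			"kty": "EC", "crv": "P-256", "x": b64u.EncodeToString(x), "y": b64u.EncodeToString(y)}}
	}
	payload, _ := json.Marshal(claims)
	return signJWS(asKey, payload)
}

// verifyRequest is the resource-server side (the IG part of the ticket). proof is a JWS the
// client signed over this request's method and URI with the key bound in "cnf" (a format this
// example assumes; the draft leaves it open). It reports whether the token was key-bound.
func verifyRequest(asPub *ecdsa.PublicKey, accessToken, proof, method, uri string) (bool, error) {
	payload, err := verifyJWS(asPub, accessToken)
	if err != nil {
		return false, fmt.Errorf("access token: %w", err)
	}
	var at struct{ Cnf struct{ JWK *struct{ Kty, Crv, X, Y string } `json:"jwk"` } `json:"cnf"` }
	if err := json.Unmarshal(payload, &at); err != nil {
		return false, err
	}
	k := at.Cnf.JWK
	if k == nil {
		return false, nil // no confirmation key: this is a plain bearer token
	}
	x, errX := b64u.DecodeString(k.X)
	y, errY := b64u.DecodeString(k.Y)
	clientPub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if k.Kty != "EC" || k.Crv != "P-256" || errX != nil || errY != nil || !clientPub.Curve.IsOnCurve(clientPub.X, clientPub.Y) {
		return false, errors.New("cnf: unsupported key or invalid point")
	}
	pp, err := verifyJWS(clientPub, proof)
	if err != nil {
		return false, fmt.Errorf("proof: %w", err) // presenter does not hold the bound key
	}
	var p map[string]string
	if json.Unmarshal(pp, &p) != nil || p["htm"] != method || p["htu"] != uri {
		return false, errors.New("proof: does not cover this request")
	}
	return true, nil
}

func newKey() *ecdsa.PrivateKey { // fresh P-256 key pair for the AS, the client or an attacker
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func main() {
	as, client, thief := newKey(), newKey(), newKey()
	tok, _ := issueAccessToken(as, &client.PublicKey)
	good, _ := signJWS(client, []byte(`{"htm":"GET","htu":"https://rs.example/api"}`))
	stolen, _ := signJWS(thief, []byte(`{"htm":"GET","htu":"https://rs.example/api"}`)) // hijacked token, wrong key
	fmt.Println(verifyRequest(&as.PublicKey, tok, good, "GET", "https://rs.example/api"))   // true <nil>
	fmt.Println(verifyRequest(&as.PublicKey, tok, stolen, "GET", "https://rs.example/api")) // false proof: bad signature
}
```

Two design points worth noting. The resource server never trusts the alg field of a presented JWS; the header is pinned, so a token rewritten with alg none or a symmetric algorithm fails before any signature check. And bearer handling applies only to tokens that never carried a cnf claim: a token whose cnf key is present but unusable, or whose proof does not match the request actually being made, is rejected rather than downgraded to bearer.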