  1. Identity Gateway
  2. OPENIG-1350

Support JWK Confirmation Key Verifier

    Details

    • Type: Story
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: Not Applicable
    • Fix Version/s: None
    • Component/s: OAuth 2.0
    • Labels:
      None

      Description

      As standard OAuth2 tokens are bearer tokens and thus subject to misuse, OAuth2 tokens shall be protected from token hijacking using industry-standard approaches.

      A published standard for Proof of Possession for JWTs is https://tools.ietf.org/html/rfc7800
      The draft standard for solving this in the OAuth2 world is https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-architecture/ (at the time of writing).

      See AME-11905 for OpenAM as the issuer of tokens. IG shall provide the resource server portion.

      Business Value

      See AME-11905

      Acceptance Criteria

      • With OpenAM as issuer for OAuth2 tokens with PoP
      • PoP is optional depending on whether the client presents a public key or not when requesting an access token.
      • IG as resource server validating tokens and PoP material
      • Both Stateful and Stateless OAuth2 tokens are supported.

              People

              Assignee:
              Unassigned
              Reporter:
              joachim.andres Joachim Andres
              Votes:
              3
              Watchers:
              6