论文信息 - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer - 字舞流文

OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer

This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows to detect replay attacks with access and refresh tokens.

Michael Jones | Brian Campbell | Torsten Lodderstedt | Daniel Fett | John Bradley

[1] Brian Campbell,et al. OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens , 2020, RFC.

[2] Dick Hardt,et al. The OAuth 2.0 Authorization Framework , 2012, RFC.

[3] Michael B. Jones,et al. JSON Web Key (JWK) Thumbprint , 2015, RFC.

[4] Roy T. Fielding,et al. Uniform Resource Identifier (URI): Generic Syntax , 2005, RFC.

[5] William Denniss,et al. OAuth 2.0 Token Binding , 2018 .

[6] Phillip Rogaway,et al. The OCB Authenticated-Encryption Algorithm , 2014, RFC.

[7] Scott O. Bradner,et al. Key words for use in RFCs to Indicate Requirement Levels , 1997, RFC.

[8] Barry Leiba,et al. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words , 2017, RFC.

[9] John Bradley,et al. OAuth 2.0 Security Best Current Practice , 2000 .