OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution
draft-ietf-oauth-pop-key-distribution-02

The information below is for an old version of the document
Document Type: Expired Internet-Draft (oauth WG)
Last updated: 2016-04-21 (latest revision 2015-10-19)
Replaces: draft-bradley-oauth-pop-key-distribution
Stream: IETF
Intended RFC status: Proposed Standard
Stream WG state: WG Document
Document shepherd: Kepeng Li
IESG state: Expired
Consensus Boilerplate: Unknown
Telechat date:
Responsible AD: (None)
Send notices to: "Kepeng Li" <kepeng.lkp@alibaba-inc.com>

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at
https://www.ietf.org/archive/id/draft-ietf-oauth-pop-key-distribution-02.txt

Abstract

RFC 6750 specified the bearer token concept for securing access to protected resources. Bearer tokens need to be protected in transit as well as at rest. When a client requests access to a protected resource, it hands over the bearer token to the resource server. The OAuth 2.0 Proof-of-Possession security concept extends bearer token security and requires the client to demonstrate possession of a key when accessing a protected resource. This document describes how the client obtains this keying material from the authorization server.

Authors

John Bradley (ve7jtb@ve7jtb.com)
Phil Hunt (phil.hunt@yahoo.com)
Michael Jones (mbj@microsoft.com)
Hannes Tschofenig (Hannes.Tschofenig@gmx.net)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)