%% You should probably cite draft-tschofenig-oauth-hotk-03 instead of this revision. @techreport{tschofenig-oauth-hotk-01, number = {draft-tschofenig-oauth-hotk-01}, type = {Internet-Draft}, institution = {Internet Engineering Task Force}, publisher = {Internet Engineering Task Force}, note = {Work in Progress}, url = {https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk/01/}, author = {John Bradley and Phil Hunt and Anthony Nadalin and Hannes Tschofenig}, title = {{The OAuth 2.0 Authorization Framework: Holder-of-the-Key Token Usage}}, pagetotal = 22, year = 2012, month = jul, day = 16, abstract = {OAuth 2.0 deployments currently rely on bearer tokens for securing access to protected resources. Bearer tokens require Transport Layer Security to be used between an OAuth client and the resource server when presenting the access token. The security model is based on proof-of-possession: access token storage and transfer has to be done with care to prevent leakage. There are, however, use cases that require a more active involvement of the OAuth client for an increased level of security, particularly to secure against token leakage. This document specifies an OAuth security framework using the holder-of-the-key concept, which requires the OAuth client when presenting an OAuth access token to also demonstrate knowledge of keying material that is bound to the token.}, }