OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution
draft-ietf-oauth-pop-key-distribution-03

The information below is for an old version of the document.
Document Type: Expired & archived. This is an older version of an Internet-Draft whose latest revision state is "Expired".
Authors: John Bradley, Phil Hunt, Michael B. Jones, Hannes Tschofenig
Last updated: 2017-08-28 (Latest revision 2017-02-24)
Replaces: draft-bradley-oauth-pop-key-distribution
RFC stream: Internet Engineering Task Force (IETF)
WG state: WG Document
Document shepherd: Kepeng Li
IESG state: Expired
Consensus boilerplate: Unknown
Telechat date: (None)
Responsible AD: (None)
Send notices to: "Kepeng Li" <kepeng.lkp@alibaba-inc.com>

This Internet-Draft is no longer active.

Abstract

RFC 6750 specified the bearer token concept for securing access to protected resources. Bearer tokens need to be protected in transit as well as at rest. When a client requests access to a protected resource, it hands over the bearer token to the resource server. The OAuth 2.0 Proof-of-Possession security concept extends bearer token security and requires the client to demonstrate possession of a key when accessing a protected resource. This document describes how the client obtains this keying material from the authorization server.

Authors

John Bradley
Phil Hunt
Michael B. Jones
Hannes Tschofenig

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)