Martin's selection of few interesting IT Security, Privacy, and free tools from the Net: "Token Binding" - New upcoming RFC Standard - Token binding makes cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens unusable outside of the client-specific TLS context in which they were issued

Thursday, August 23, 2018

"Token Binding" - New upcoming RFC Standard - Token binding makes cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens unusable outside of the client-specific TLS context in which they were issued

It turns out that cookies and tokens can be used outside of the original TLS context in all sorts of malicious ways. It could be hijacked session cookies or leaked access tokens, or sophisticated MiTM. This is why the IETF OAuth 2 Security Best Current Practice draft recommends token binding,

Normally tokens are “bearer” tokens, meaning that whoever possesses the token can exchange the token for resources, but token binding improves on this pattern, by layering in a confirmation mechanism to test cryptographic material collected at time of token issuance against cryptographic material collected at the time of token use. Only the right client, using the right TLS channel, will pass the test. This process of forcing the entity presenting the token to prove itself, is called “proof of possession”.

https://cloudblogs.microsoft.com/enterprisemobility/2018/08/21/its-time-for-token-binding/

Martin's selection of few interesting IT Security, Privacy, and free tools from the Net

Thursday, August 23, 2018

"Token Binding" - New upcoming RFC Standard - Token binding makes cookies, OAuth access tokens and refresh tokens, and OpenID Connect ID Tokens unusable outside of the client-specific TLS context in which they were issued

No comments:

Post a Comment

Popular Posts

Categories

Blog Archive