Where are Sender Constrained Token used in RFC6749?

Hi, Nat Sakimura here.

In last week’s episode, I explained what sender constrained tokens are.
But you may wonder where they are going to be used.
In RFC 6749, which is the base spec for OAuth 2.0, they don’t seem to appear.

Well, really?

Let’s check it out!


2 minutes OAuth: Bearer and Sender Constrained Tokens

In episode #1, I explained that OAuth uses metro-ticket-like “tokens” to access a protected resource. These are called bearer tokens, as anybody who bears the token can use it. If you lose it and someone picks it up, she can use it.

There is another type of token in OAuth. It is called a “sender constrained token.” It is like an airline boarding pass: only the person who is entitled to use it can use it. In the case of the airline boarding pass, the name on the boarding pass and the name on your passport must match, and the picture on the passport and your face must match. So, the token is bound to you. In an online scenario such as OAuth, this is usually done through cryptographic key material. Unless you hold the key to prove that you are the entitled person, the token cannot be used. Because of this, such a token is often called a Holder-of-Key token.

In OAuth 2, you can use both types. In a simple, low-risk case a bearer token is usually used, while in a higher-risk scenario such as banking a sender constrained token is typically chosen.
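To make the metro-ticket versus boarding-pass distinction concrete, here is an added example (not code from the video or from any OAuth library) of how a resource server treats the two token types. It assumes a constructed token registry, a constructed client key, and a simplified holder-of-key proof: an HMAC over the request with a shared secret. Real deployments bind tokens to asymmetric keys via mTLS (RFC 8705) or DPoP (RFC 9449) and carry the binding in the JWT `cnf` claim (RFC 7800); the shape of the check is the same.

```python
import hashlib
import hmac
import secrets

# --- Constructed sample registries (stand-ins for authorization server state) ---
# A bearer token is an opaque string: whoever presents it is served.
BEARER_TOKENS = {
    "bearer-7f3a": {"scope": "profile:read"},
}

# A sender-constrained token names the key it is bound to (a confirmation
# claim in the spirit of RFC 7800). Here the binding is a key identifier.
SENDER_CONSTRAINED_TOKENS = {
    "sc-9c1d": {"scope": "payments:write", "cnf_kid": "client-key-1"},
}

# Key material registered by the legitimate client. A shared HMAC secret is a
# simplification (assumption); mTLS and DPoP use asymmetric keys in practice.
CLIENT_KEYS = {
    "client-key-1": b"constructed-client-secret-key-material",
}

# Nonces already accepted, so a captured proof cannot be replayed.
_SEEN_NONCES: set = set()


def make_proof(key: bytes, method: str, url: str, nonce: str) -> str:
    """Client side: prove possession of `key` for this specific request."""
    message = f"{method}\n{url}\n{nonce}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def authorize_bearer(token: str) -> bool:
    """Resource server check for a bearer token: being issued is enough."""
    return token in BEARER_TOKENS


def authorize_sender_constrained(token: str, method: str, url: str,
                                 nonce: str, proof: str) -> bool:
    """Resource server check for a sender-constrained token.

    The token alone is not sufficient: the request must carry a proof made
    with the key the token is bound to, over this request, with a fresh nonce.
    """
    entry = SENDER_CONSTRAINED_TOKENS.get(token)
    if entry is None:
        return False
    key = CLIENT_KEYS.get(entry["cnf_kid"])
    if key is None:
        return False
    if nonce in _SEEN_NONCES:
        return False  # replayed proof
    expected = make_proof(key, method, url, nonce)
    if not hmac.compare_digest(expected, proof):
        return False  # presenter does not hold the bound key
    _SEEN_NONCES.add(nonce)
    return True


def demo() -> dict:
    """Walk through the metro-ticket and boarding-pass scenarios from the episode."""
    url = "https://rs.example/payments"
    legit_key = CLIENT_KEYS["client-key-1"]
    stranger_key = b"some-other-key-the-finder-happens-to-have"  # constructed

    nonce1 = secrets.token_hex(8)
    good_proof = make_proof(legit_key, "POST", url, nonce1)
    nonce2 = secrets.token_hex(8)
    stranger_proof = make_proof(stranger_key, "POST", url, nonce2)

    return {
        # Anyone holding the bearer token is served, like a found metro ticket.
        "bearer_by_holder": authorize_bearer("bearer-7f3a"),
        # The legitimate client proves possession of the bound key.
        "sc_by_key_holder": authorize_sender_constrained("sc-9c1d", "POST", url, nonce1, good_proof),
        # Replaying the same captured proof is refused.
        "sc_replay": authorize_sender_constrained("sc-9c1d", "POST", url, nonce1, good_proof),
        # The token presented with a proof from a different key is refused.
        "sc_without_key": authorize_sender_constrained("sc-9c1d", "POST", url, nonce2, stranger_proof),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The point to notice is in `authorize_sender_constrained`: the registry lookup that suffices for a bearer token is only the first of four checks, and a token that leaks without its key fails the proof comparison, which is exactly the boarding-pass property described above.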

So, now you know what “bearer tokens” and “sender constrained tokens” are.

Before you go, don’t forget to hit the subscribe button if you have not already.

In the next episode, I am going to talk about different endpoints in OAuth.


See you next time!

[2 minutes OAuth] #1 Basic Concepts

I have started a new YouTube video series to explain the concepts of OAuth 2.0 to non-technical people. The series name is “2 minutes OAuth”. As the name suggests, each video is around two minutes long and explains one concept at a time.

Episode #1 explains how OAuth works by taking the metro as an example.

You might think

Wait a moment. Is the protected resource the train or the gate?

That is a very good question. In fact, it points at one of the shortcomings of OAuth: it does not distinguish between the Policy Enforcement Point and the resource. These are going to be explained later in the series.

For now, what I have in mind for the series is:

  1. Basic concepts
  2. Bearer and Sender constrained tokens
  3. Where are Sender constrained tokens used in RFC6749?
  4. Different Endpoints in OAuth
    1. Authorization Request and Response
    2. Token Request and Response
  5. Confidential and public clients
  6. Access tokens and Refresh tokens
  7. Proof Key for Code Exchange (PKCE)
  8. Implicit flow and code flow
  9. Integrity protected authorization response
  10. JWS Authorization Request (JAR)
  11. PAP, PDP, PEP
  12. (… continues)

I might combine some of them, or split one subject into multiple sub-subjects. That remains to be seen.

To get updates on my YouTube channel, you can subscribe to my channel from here.

I hope you will enjoy it.

What encoding should a URI in OpenID and OAuth discovery document use for an internationalized domain name (IDN)?

So, what encoding should a URI in an OpenID Connect and OAuth discovery document use for an internationalized domain name such as “müsik.example.com”? One option is to represent it in the encoding of the discovery document. As of January 2018, it MUST be UTF-8. Another option is to represent it in …

Blockchain Use cases and Identity

I just came across Don Tapscott’s TED Talk titled “How the blockchain is changing money and business”. In it, he talks about 5 potential use cases of blockchain technology that may result in transformations for a prosperous world. They are: Protecting rights through immutable records, e.g., land title. In many places …