![Secret of Authorization Code [OAuth 2 min]](https://i0.wp.com/nat.sakimura.org/wp-content/uploads/2018/08/05-Why-Authorization-Code.jpg?resize=430%2C350&ssl=1)
This week, I have explained often an untalked property of OAuth 2.0.
Where are Sender Constrained Token used in RFC6749?
Hi, Nat Sakimura here.
In the last week’s episode, I have explained what are sender constrained tokens
But you may wonder where these are going to be used.
In RFC 6749 which is the base spec for OAuth 2.0. It doesn’t seem to appear
Well, really?
Let’s check it out!
2 mintues OAuth: Bearer and Sender Constrained Tokens
In the episode #1, I have explained that OAuth uses metro ticket like “tokens” to access a protected resource. These are called bearer tokens as anybody who bears the token can use it. If you lose it, and someone picks it up, she can use it.
There is another type of token in OAuth. It is called “sender constrained token.” It is like an airline boarding pass. Only the person who is entitled to use it can use it. In the case of the airline boarding pass, the name on the boarding pass and the name on your passport must match, and the picture on the passport and your face must match. So, the token is bound to you. In an online scenario such as in the case of OAuth, this is usually done through a cryptographic key material. Unless you hold the key to prove that you are the entitled person, the token cannot be used. Because of this, such a token is often called Holder of Key Token.
In OAuth 2, you can use both types. In a simple low-risk case, a bearer token usually is used while in a higher risk scenario such as banking, a sender constrained token typically is chosen.
So, now you know what “bearer tokens” and “sender constrained” tokens are.
Before you go, don’t forget to hit the subscribe button if you have not already.
In the next episode, I am going to talk about different endpoints in OAuth.
See you next time!
![[2 minutes OAuth] #1 Basic Concepts](https://i2.wp.com/nat.sakimura.org/wp-content/uploads/2018/07/epi-01-thumbnail.png?resize=430%2C350&ssl=1)
[2 minutes OAuth] #1 Basic Concepts
I have started a new Youtube video series to explain the concepts of OAuth 2.0 to non-technical people. The series name is “2 minutes OAuth”. As the name suggests, each video will be around two minutes and explains one concept at a time.
The episode #1 explains how OAuth works by taking metro as an example.
You might think
Wait a moment. Is protected resource a train or the gate?
You asking that question is quite correct. In fact, it is one of the shortcomings of the OAuth. It does not distinguish between Policy Enforcement Point and the resource. These are going to be explained later in the series.
For now, what I have in mind for the series are:
- Basic concepts
- Bearer and Sender constrained tokens
- Where are Sender constrained tokens used in RFC6749?
- Different Endpoints in OAuth
- Authorization Request and Response
- Token Request and Response
- Confidential and public clients
- Access tokens and Refresh tokens
- Proof Key for Code Exchange (PKCE)
- Implicit flow and code flow
- Integrity protected authorization response
- JWS Authorization Request (JAR)
- PAP, PDP, PEP
- (… continues)
I might combine some of them, or split one subject to multiple sub-subjects. They are yet to be seen.
To get updates on my youtube channel, you can subscribe to my channel from here.
I hope you will enjoy it.