Where are Sender Constrained Token used in RFC6749?

Hi, Nat Sakimura here.

In last week’s episode, I explained what sender constrained tokens are.
But you may wonder where they are going to be used.
In RFC 6749, which is the base spec for OAuth 2.0, they don’t seem to appear.

Well, really?

Let’s check it out!


2 minutes OAuth: Bearer and Sender Constrained Tokens

In episode #1, I explained that OAuth uses metro-ticket-like “tokens” to access a protected resource. These are called bearer tokens, because anybody who bears the token can use it. If you lose it and someone picks it up, she can use it.

There is another type of token in OAuth. It is called a “sender constrained token.” It is like an airline boarding pass: only the person who is entitled to use it can use it. In the case of the airline boarding pass, the name on the boarding pass and the name on your passport must match, and the picture on the passport and your face must match. So, the token is bound to you. In an online scenario such as OAuth, this is usually done through cryptographic key material. Unless you hold the key to prove that you are the entitled person, the token cannot be used. Because of this, such a token is often called a Holder of Key token.

In OAuth 2, you can use both types. In a simple, low-risk case a bearer token is usually used, while in a higher-risk scenario such as banking a sender constrained token is typically chosen.
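As an added example (not code from the post or from any OAuth library) of the difference described above, here is a toy resource server in Python that accepts a bearer token from anyone who presents it, but accepts a sender constrained token only when the presenter also proves possession of the key named in the token’s `cnf` claim. It assumes the symmetric holder-of-key model of RFC 7800 section 3.3 (the resource server can look up the client’s key by `kid`), a DPoP-style proof over method, URL, token hash and timestamp, and an HMAC tag standing in for the authorization server’s JWT signature; the key material, URLs and claim values are constructed for the illustration.

```python
"""Bearer vs. sender-constrained (holder-of-key) tokens at a resource server.

Added illustration, not code from the post or from any OAuth library. Constructed
assumptions: the token is base64url JSON plus an HMAC tag from the authorization
server (a stand-in for a signed JWT); binding follows the symmetric holder-of-key
model of RFC 7800 section 3.3 (cnf.kid names a key the client holds and the
resource server can look up); the proof of possession is an HMAC over method,
URL, token hash and timestamp, loosely modelled on a DPoP proof.
"""
import base64, hashlib, hmac, json, time

AS_SIGNING_KEY = b"authorization-server-secret"          # AS/RS secret (constructed)
CLIENT_KEY = b"client-key-material-known-only-to-client"  # constructed
RESOURCE = "https://api.example/"                        # expected audience (constructed)
PROOF_MAX_AGE = 60                                       # seconds a proof stays fresh

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mac(key: bytes, msg: bytes) -> str:
    return b64u(hmac.new(key, msg, hashlib.sha256).digest())

def issue_token(sub: str, cnf_kid: str = None, ttl: int = 300) -> str:
    """Authorization server: mint a token; with cnf_kid it is bound to that key."""
    claims = {"sub": sub, "aud": RESOURCE, "exp": int(time.time()) + ttl}
    if cnf_kid:
        claims["cnf"] = {"kid": cnf_kid}          # RFC 7800 confirmation claim
    body = b64u(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{mac(AS_SIGNING_KEY, body.encode())}"

def parse_token(token: str) -> dict:
    """Resource server: check the AS tag, audience and expiry; return the claims."""
    body, tag = token.split(".")
    if not hmac.compare_digest(tag, mac(AS_SIGNING_KEY, body.encode())):
        raise ValueError("token tag does not verify")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("aud") != RESOURCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    return claims

def proof_message(method: str, url: str, token: str, ts: int) -> bytes:
    ath = b64u(hashlib.sha256(token.encode()).digest())   # ties proof to this token
    return f"{method}\n{url}\n{ath}\n{ts}".encode()

def make_proof(client_key: bytes, method: str, url: str, token: str) -> dict:
    """Client: prove possession of the key the token is bound to."""
    ts = int(time.time())
    return {"ts": ts, "mac": mac(client_key, proof_message(method, url, token, ts))}

def authorize(request: dict, key_store: dict, sender_constrained: bool):
    """Resource server decision. Returns (accepted, reason)."""
    try:
        claims = parse_token(request["token"])
    except ValueError as err:
        return False, str(err)
    if not sender_constrained:
        return True, "bearer: whoever presents the token is accepted"
    cnf = claims.get("cnf")
    if not cnf:
        return False, "token carries no cnf claim, so it cannot be treated as bound"
    key, proof = key_store.get(cnf.get("kid")), request.get("proof")
    if key is None or proof is None:
        return False, "no proof of possession for the bound key"
    if abs(time.time() - proof["ts"]) > PROOF_MAX_AGE:
        return False, "proof too old"
    msg = proof_message(request["method"], request["url"], request["token"], proof["ts"])
    if not hmac.compare_digest(proof["mac"], mac(key, msg)):
        return False, "proof does not verify: presenter does not hold the key"
    return True, "holder-of-key: token and key match"

def demo():
    """Four cases; returns (thief with bearer token, legitimate holder,
    thief with bound token, captured proof replayed on another request)."""
    key_store = {"client-key-1": CLIENT_KEY}        # RS's view of the client's key
    url = RESOURCE + "accounts"
    # 1. Bearer token captured in transit: the thief replays it and gets in.
    bearer = issue_token("alice")
    thief_bearer, _ = authorize({"method": "GET", "url": url, "token": bearer},
                                key_store, sender_constrained=False)
    # 2. Bound token: the legitimate client adds a proof and gets in.
    bound = issue_token("alice", cnf_kid="client-key-1")
    legit = {"method": "GET", "url": url, "token": bound,
             "proof": make_proof(CLIENT_KEY, "GET", url, bound)}
    legit_ok, _ = authorize(legit, key_store, sender_constrained=True)
    # 3. Same bound token captured without the key: nothing to prove with, rejected.
    thief_bound, _ = authorize({"method": "GET", "url": url, "token": bound},
                               key_store, sender_constrained=True)
    # 4. Captured proof replayed against a different request: MAC does not match.
    replay = dict(legit, method="POST", url=RESOURCE + "transfers")
    replay_ok, _ = authorize(replay, key_store, sender_constrained=True)
    return thief_bearer, legit_ok, thief_bound, replay_ok
```

Cases 1 and 3 are the metro ticket versus the boarding pass: the stolen bearer token is accepted, the stolen bound token is not. Case 4 shows why the proof covers the method and URL, so a proof captured on one request cannot be reused on another. In a real deployment the key would be asymmetric (an mTLS client certificate or a DPoP JWK), so the resource server never holds the client’s private key, and the proof would carry a nonce to stop replay inside the freshness window.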

So, now you know what “bearer tokens” and “sender constrained tokens” are.

Before you go, don’t forget to hit the subscribe button if you have not already.

In the next episode, I am going to talk about different endpoints in OAuth.


See you next time!

[2 minutes OAuth] #1 Basic Concepts

I have started a new YouTube video series to explain the concepts of OAuth 2.0 to non-technical people. The series name is “2 minutes OAuth”. As the name suggests, each video is around two minutes long and explains one concept at a time.

Episode #1 explains how OAuth works by taking the metro as an example.

You might think:

Wait a moment. Is the protected resource the train or the gate?

Asking that question is quite right. In fact, it is one of the shortcomings of OAuth: it does not distinguish between the Policy Enforcement Point and the resource. These are going to be explained later in the series.

For now, what I have in mind for the series are:

  1. Basic concepts
  2. Bearer and Sender constrained tokens
  3. Where are Sender constrained tokens used in RFC6749?
  4. Different Endpoints in OAuth
    1. Authorization Request and Response
    2. Token Request and Response
  5. Confidential and public clients
  6. Access tokens and Refresh tokens
  7. Proof Key for Code Exchange (PKCE)
  8. Implicit flow and code flow
  9. Integrity protected authorization response
  10. JWS Authorization Request (JAR)
  11. PAP, PDP, PEP
  12. (… continues)

I might combine some of them, or split one subject into multiple sub-subjects. That is yet to be seen.

To get updates on my youtube channel, you can subscribe to my channel from here.

I hope you will enjoy it.

What encoding should a URI in OpenID and OAuth discovery document use for an internationalized domain name (IDN)?

So, what encoding should a URI in an OpenID Connect or OAuth discovery document use for an internationalized domain name such as “müsik.example.com”? One option is to represent it in the encoding of the discovery document. As of January 2018, it MUST be UTF-8. Another option is to represent it in …

FAPI Presentation at Open Data in Finance Conference @ London

Here is the presentation file that I used for my 10-minute OpenID Foundation Financial API WG presentation at the Open Data in Finance Conference (June 15, 2016). To join the Working Group, please sign the IPR Contribution agreement online by clicking here, or download the PDF form, fill it in, scan …