Overview

OAuth 2.0 Proof-of-Possession (PoP) Security Architecture is defined in the Internet Draft draft-ietf-oauth-pop-architecture-07.txt.
The OAuth 2.0 protocol family (RFC 6749, RFC 6750, and RFC 6819) offers a single token type, known as the "bearer" token, for accessing protected resources. RFC 6750 specifies the bearer token mechanism and defines it as follows: "A security token with the property that any party in possession of the token (a "bearer") can use the token in any way that any other party in possession of it can. Using a bearer token does not require a bearer to prove possession of cryptographic key material."
The bearer token meets the security needs of a number of the use cases the OAuth 2.0 protocol was originally designed for. There are, however, other scenarios that require stronger security properties and call for active participation of the OAuth Client, in the form of cryptographic computations, when presenting an Access Token to a Resource Server.
OAuth 2.0 Proof-of-Possession (PoP) Security Architecture outlines:
- use cases requiring stronger security protection
- security and privacy threats
- different ways to mitigate those threats
- requirements of the architecture
- threat mitigation
- an architecture for a solution that builds on top of the existing OAuth 2.0 framework
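To make the bearer/PoP distinction above concrete, here is an added toy example (not code from the draft or from this page) in which the authorization server binds a symmetric key to the access token and the resource server requires each request to be signed with that key. The key store, token format, signed-message layout and 60-second skew window are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: a token bound to a symmetric "confirmation" key.
# Token and key values are generated here, not taken from any specification.

def issue_pop_token(key_store: dict) -> tuple[str, bytes]:
    """Authorization server side: mint an access token and bind a fresh key to it.
    The key_store stands in for whatever channel lets the RS learn the binding."""
    token = secrets.token_urlsafe(16)
    key = secrets.token_bytes(32)
    key_store[token] = key
    return token, key

def verify_bearer(key_store: dict, token: str) -> bool:
    """Bearer check (RFC 6750 style): possessing the token string is enough."""
    return token in key_store

def sign_request(token: str, key: bytes, method: str, path: str,
                 body: bytes, ts: int) -> str:
    """Client side: bind method, path, body digest and timestamp to the token
    with an HMAC over the confirmation key."""
    msg = "\n".join([token, method, path,
                     hashlib.sha256(body).hexdigest(), str(ts)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_request(key_store: dict, token: str, method: str, path: str,
                   body: bytes, ts: int, sig: str, now: int,
                   max_skew: int = 60) -> bool:
    """Resource server side: a presenter must prove possession of the key,
    and the signature must cover this exact request within the skew window."""
    key = key_store.get(token)
    if key is None:
        return False
    if abs(now - ts) > max_skew:          # stale or replayed signature
        return False
    expected = sign_request(token, key, method, path, body, ts)
    return hmac.compare_digest(expected, sig)

if __name__ == "__main__":
    store = {}
    tok, key = issue_pop_token(store)
    now = 1_700_000_000
    sig = sign_request(tok, key, "GET", "/resource", b"", now)
    print("bearer accepts token alone:", verify_bearer(store, tok))
    print("PoP accepts signed request:",
          verify_request(store, tok, "GET", "/resource", b"", now, sig, now))
    print("PoP rejects altered request:",
          verify_request(store, tok, "DELETE", "/resource", b"", now, sig, now))
```

Because the resource server recomputes the MAC over the request itself, a leaked token string (or a captured signed request reused for a different method, path, body or time) fails verification, which is exactly the property the bearer token lacks.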