13:40 - 14:40
Talk (60 min)
OAuth and Proof of Possession - The long way round
One of the most controversial decisions around OAuth 2.0 was the omission of a mechanism to cryptographically bind access tokens to their owners.
For the sake of simplicity, only the Bearer token type was specified, with the firm plan to add proof of possession at a later point. The problem turned out to be harder than expected, and for the better part of the following decade there was no solution. Today multiple industries and verticals require that extra security feature, and there are now two fundamental ways to achieve sender constraining. This talk looks at the history of proof of possession and the ways to implement it today.