11. Proof-of-Possession for JWTs
• Standard defined in RFC 7800.
• Adds a “cnf” (confirmation) claim to the token, which enables
the recipient to verify the caller.
12. PoP JWTs with “cnf” claim
Client
API
API
Gateway
Authorization
Server
public key
private key
+ proof of
{
“cnf”: {
“kid”: “1234”
}
}
+ proof of
15. HTTP 400
Standard OAuth Authorization Requests
GET /authorize?client_id=abc&scopes=read%20write
HTTP 302
Location: /cb?code=123
Is that a legitimate client?
Are the parameters OK?
Can these end up in the browser logs?
Client Authorization
Server
16. Pushed Authorization Requests
POST /authorize/par
Authorization: Basic 0JjQlNCYOtCd0JDQpdCj0Jkh
client_id=abc&scopes=read%20write
request_id: 1234
GET /authorize?request_id=1234
Client Authorization
Server
17. Pushed Authorization Requests
• The client is authenticated before the authorization request.
• Authorization request parameters can’t be tampered with.
• Request parameters do not traverse through unsecure transport.
• URL limitations are no longer a concern.
• Ability to ease on redirect URI restrictions.
23. JWT Secured Authorization Response Mode
•The code response is integrity-protected.
•Response parameters strongly coupled (mitigates replay attacks).
•Protection from mix-up attacks (ability to verify iss claim).
24. Key Takeways
• Struggle to use mTLS wherever that’s possible.
• Remember sender-constrained access tokens if stealing the token is what
troubles you.
• Give PAR and JARM a try if you’re concerned with some attack vectors against
authorization requests and responses.
• Don’t discard security solutions because you’re in a different business sector.