

Showing posts from 2019

OAuth2 With Contextual Binding

I've blogged a few times regarding the trend of implementing Zero Trust and CARTA (Continuous Adaptive Risk and Trust Assessment) style journeys during typical web single sign-on flows. I want to riff on that process a little, with an update on how to implement something similar for OAuth2/OIDC access tokens. Why is this important? Well, sometimes it is important to apply some context to a particular authorization flow. Not all access decisions are the same. Think of the following nuanced situations:

- Two users with the same set of scopes have different API consumption patterns
- A particular user has downloaded a malicious app which alters the botnet reputation of the request IP address
- A particular user has registered their work email address with a site that experienced a credentials breach
- A media site is behind a paywall and limits access to organisational IP ranges, but a user frequently works in the field

These sorts of flows are a little bit different to the st

Implementing JWT Profile for OAuth2 Access Tokens

There is a new IETF draft stream called JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens. This is a very early version (0) that looks to describe the format of OAuth2-issued access_tokens. Access tokens are typically bearer tokens, but the OAuth2 spec doesn't really describe what format they should be. They typically end up being one of two high-level types: stateless and stateful. Stateful just means "by reference", with a long opaque random string being issued to the requestor, which resource servers can then send back to the authorization service in order to introspect and validate it. On their own, stateful or reference tokens don't really provide the resource servers with any detail. The alternative is to use a stateless token, namely a JSON Web Token (JWT). This new spec aims to standardise what the content and format should be. From a ForgeRock AM perspective, this is good news. AM has delivered JWT-based tokens (web session, OIDC id_tokens