Showing posts from September, 2019

OAuth2 With Contextual Binding

I've blogged a few times regarding the trend of implementing Zero Trust and CARTA (Continuous Adaptive Risk and Trust Assessment) style journeys during typical web single sign-on flows. I want to riff on that process a little, with an update on how to implement something similar for OAuth2/OIDC access tokens.

Why is this important? Well, sometimes it is important to apply some context to a particular authorization flow. Not all access decisions are the same. Think of the following nuanced situations:

- Two users with the same set of scopes have different API consumption patterns
- A particular user has downloaded a malicious app which alters the botnet reputation of the request IP address
- A particular user has registered their work email address with a site that experienced a credentials breach
- A media site is behind a paywall and limits access to organisational IP ranges, but a user frequently works in the field

These sorts of flows are a little bit different to the st