Month: September 2016

The OAuth Token Binding specification has been revised to use the Referred Token Binding ID when performing token binding of access tokens. This was enabled by the Implementation Considerations in the Token Binding HTTPS specification being added to make it clear that Token Binding implementations will enable using the Referred Token Binding ID in this manner. Protected Resource Metadata was also defined.

Thanks to Brian Campbell for clarifications on the differences between token binding of access tokens issued from the authorization endpoint versus those issued from the token endpoint.

The specification is available at:

• http://tools.ietf.org/html/draft-ietf-oauth-token-binding-01

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-token-binding-01.html

The initial working group draft of the OAuth Token Binding specification has been published. It has the same content as draft-jones-oauth-token-binding-00, but with updated references. This specification defines how to perform token binding for OAuth access tokens and refresh tokens. Note that the access token mechanism is expected to change shortly to use the Referred Token Binding, per working group discussions at IETF 96 in Berlin.

The specification is available at:

• http://tools.ietf.org/html/draft-ietf-oauth-token-binding-00

An HTML-formatted version is also available at:

• https://self-issued.info/docs/draft-ietf-oauth-token-binding-00.html