Two new related specifications define syntax and semantics for applying Token Binding to OAuth Access Tokens and Refresh Tokens and to OpenID Connect ID Tokens. draft-jones-oauth-token-binding contains the OAuth portions. openid-connect-token-bound-authentication-1_0 contains the OpenID Connect portions.
These are being submitted now to hopefully enable end-to-end implementations and interop testing of Token Bound Access Tokens, Refresh Tokens, and ID Tokens across multiple platforms before the Token Binding specifications are finalized.
The OAuth specification is available at:
- https://tools.ietf.org/html/draft-jones-oauth-token-binding-00 (HTMLized text plus links to other formats)
- https://self-issued.info/docs/draft-jones-oauth-token-binding-00.html (HTML)
The OpenID Connect specification is available at:
- https://self-issued.info/docs/openid-connect-token-bound-authentication-1_0-00.html (HTML)
- https://self-issued.info/docs/openid-connect-token-bound-authentication-1_0-00.txt (Text)
- https://self-issued.info/docs/openid-connect-token-bound-authentication-1_0-00.xml (XML Source)
Thanks to Andrei Popov, Yordan Rouskov, John Bradley, and Brian Campbell for reviews of earlier versions of these specifications and to Dirk Balfanz and William Denniss for some earlier discussions providing input to these specifications.