
Ask HN: Are there any authorization systems that use PKI instead of tokens?
2 by anderspitman | 0 comments on Hacker News.
Much of the complexity of OAuth2 (3-legged flow, backchannels, PKCE, etc) stems from the security issues that arise from passing sensitive information around. I'm imagining a system where for each session the client generates a fresh key pair, then sends its public key along in the initial request to the authorization server. After login/if the request is approved, future requests are signed by the client. No token needs to be passed back. However, you would need something like a simple endpoint on the client server where the authorization server could verify that the request originated there. Seems like it would be pretty simple. What am I missing?
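The scheme the post sketches, as an added worked example that is not part of the original post: a client generates a fresh Ed25519 key pair per session, registers only the public key during the initial request, and signs every later request; the authorization server verifies each request against the registered key, so no bearer token is ever sent back. The canonical signed string (session id, method, path, body hash, timestamp, nonce), the replay window and the nonce cache are my own assumptions about what such a protocol needs, not anything the post specifies. It deliberately leaves out the "endpoint on the client server" step the post mentions; what it does show is the part that makes request signing safe in practice: a captured signature cannot be replayed, reused for a different request, or produced by a key that was never registered. Proof-of-possession designs of this shape do exist in standardized form (OAuth DPoP, mTLS-bound tokens, HTTP Message Signatures); the example is a self-contained toy, not an implementation of any of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// SignedRequest is what the client sends on every call after registration.
// (Assumed wire format; the post does not define one.)
type SignedRequest struct {
	SessionID string
	Method    string
	Path      string
	Body      []byte
	Timestamp int64  // unix seconds; bounds the replay window
	Nonce     string // single-use per session; defeats replay inside the window
	Signature []byte
}

// canonical builds the byte string that is signed. Binding method, path, body
// hash, time and nonce means a captured signature is useless for any other request.
func canonical(sessionID, method, path string, body []byte, ts int64, nonce string) []byte {
	bodyHash := sha256.Sum256(body)
	return []byte(strings.Join([]string{
		sessionID, method, path, hex.EncodeToString(bodyHash[:]),
		fmt.Sprintf("%d", ts), nonce,
	}, "\n"))
}

// Client holds the per-session private key, which never leaves the client.
type Client struct {
	sessionID string
	priv      ed25519.PrivateKey
	pub       ed25519.PublicKey
}

// NewClient generates the fresh key pair the post describes for each session.
func NewClient(sessionID string) (*Client, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{sessionID: sessionID, priv: priv, pub: pub}, nil
}

func (c *Client) PublicKey() ed25519.PublicKey { return c.pub }

// Sign produces a request with a random nonce and the caller's clock.
func (c *Client) Sign(method, path string, body []byte, now time.Time) (SignedRequest, error) {
	nb := make([]byte, 16)
	if _, err := rand.Read(nb); err != nil {
		return SignedRequest{}, err
	}
	nonce, ts := hex.EncodeToString(nb), now.Unix()
	sig := ed25519.Sign(c.priv, canonical(c.sessionID, method, path, body, ts, nonce))
	return SignedRequest{SessionID: c.sessionID, Method: method, Path: path, Body: body,
		Timestamp: ts, Nonce: nonce, Signature: sig}, nil
}

var (
	ErrUnknownSession = errors.New("unknown session")
	ErrStale          = errors.New("timestamp outside accepted window")
	ErrReplay         = errors.New("nonce already used")
	ErrBadSignature   = errors.New("signature invalid")
)

// AuthServer keeps registered public keys and the nonces already accepted.
type AuthServer struct {
	keys   map[string]ed25519.PublicKey
	nonces map[string]map[string]bool // sessionID -> nonce -> seen
	window time.Duration
}

func NewAuthServer(window time.Duration) *AuthServer {
	return &AuthServer{keys: map[string]ed25519.PublicKey{},
		nonces: map[string]map[string]bool{}, window: window}
}

// Register records the public key presented in the session's initial request.
// A real server would only do this after the login/approval step the post mentions.
func (s *AuthServer) Register(sessionID string, pub ed25519.PublicKey) error {
	if _, dup := s.keys[sessionID]; dup {
		return errors.New("session already registered")
	}
	s.keys[sessionID] = pub
	s.nonces[sessionID] = map[string]bool{}
	return nil
}

// Verify checks freshness, replay and signature. The nonce is recorded only
// after the signature verifies, so unauthenticated traffic cannot burn nonces.
func (s *AuthServer) Verify(r SignedRequest, now time.Time) error {
	pub, ok := s.keys[r.SessionID]
	if !ok {
		return ErrUnknownSession
	}
	if age := now.Sub(time.Unix(r.Timestamp, 0)); age < -s.window || age > s.window {
		return ErrStale
	}
	if s.nonces[r.SessionID][r.Nonce] {
		return ErrReplay
	}
	msg := canonical(r.SessionID, r.Method, r.Path, r.Body, r.Timestamp, r.Nonce)
	if !ed25519.Verify(pub, msg, r.Signature) {
		return ErrBadSignature
	}
	s.nonces[r.SessionID][r.Nonce] = true
	return nil
}

func main() {
	srv := NewAuthServer(5 * time.Minute)
	c, _ := NewClient("session-1") // constructed session id
	_ = srv.Register("session-1", c.PublicKey())
	req, _ := c.Sign("POST", "/api/transfer", []byte(`{"amount":10}`), time.Now())
	fmt.Println("first use:", srv.Verify(req, time.Now()))  // <nil>
	fmt.Println("replayed: ", srv.Verify(req, time.Now()))  // nonce already used
}
```

The server never needs to hold anything secret for the session, only the public key, which is the property the post is after. What it still needs is a clock tolerance and a nonce store per session (bounded by the window, so old nonces can be expired), and in a real deployment the registration step has to be tied to the user's login so that an attacker cannot simply register their own key.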