
OAuth 2.0 Proof of Possession


OAuth 2.0 simplified its problem space by making Proof of Possession tokens optional and adopting Bearer tokens as the standard choice: whoever holds the token can use it, and nothing ties the presenter to the party the token was issued to. This was controversial, and (partially) caused one of the authors to quit. The good news is that Proof of Possession tokens are back for OAuth 2.0, in the form of new drafts.

Now, back to the author who quit. He gave an entertaining talk on how bad OAuth 2.0 is. Yes, OAuth 2.0 was designed before modern web applications existed (it viewed the world through a PHP lens), but OpenID Connect was built on top of it and we have moved on.

OK, now that you have watched that and are somewhat concerned about your own use of OAuth 2.0, you are wondering whether you should switch from Bearer tokens to PoP tokens. There is also the in-progress draft for DPoP (Demonstration of Proof-of-Possession at the application layer), which confuses matters further.

Well, let's start with the basics: a Content Security Policy and defences against Cross-Site Scripting. Once those are in place, ask yourself how your Bearer (access) token could be stolen. Any script that runs in your page can read a token kept in localStorage or in a JavaScript variable, and a compromised proxy or a leaked log can capture one in transit; a stolen Bearer token is as good as the original, whereas a token bound to a key is useless without the private key. If you can come up with a reasonable theft path, fix it. While you are doing that, evaluate the two drafts on Proof of Possession. As they progress, if they become standards, adopt them.

Is Proof of Possession better? Yes. Is OAuth 2.0 better than a proprietary auth scheme written by an unknown vendor? Yes. So you are better off using a specification that is being openly improved than something hidden and unreviewed.