API Protection by ID Token?

  • A client that has no relationship with the resource server can access APIs of the resource server using an ID token that the client has legitimately obtained in an utterly irrelevant context.
  • The user has granted a permission for the client to get an ID token, but she didn’t imagine that the permission would enable the client to call APIs of the irrelevant resource server.
  • Because an ID token has no concept of scope and the aud claim holds the ID of the client (i.e., the aud claim cannot be used to restrict accessible resources as RFC 8707 proposes), possible options for API protection are just “all allowed” or “all denied”.

--

--

--

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Getting a Bearer Token in Postman / Newman Automatically for a Collection

AuroraFS

7 actionable Laravel course that helps your become to a developer at Weekends

How to Become a Better Software Developer

HackTheBox — Offshore (Review)

Coding Problems and Solutions-5

Schedule Google Cloud STS Transfer Job with Cloud Scheduler

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Takahiko Kawasaki

Takahiko Kawasaki

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/

More from Medium

What is Server-Sent Events (SSE) and how to implement it?

Using Bearer Token Authentication

How to unit test middleware in Nest?

NestJS + Auth0

NestJS and Auth0