5A/ Token Binding – Proof-of-Possession for cookies, ID Tokens, JWTs & OAuth Tokens

From IIW

Token Binding – Proof-of-Possession for cookies, ID Tokens, JWTs & OAuth Tokens

Tuesday 5A

Convener: Brian Campbell

Notes-taker(s): Brian Campbell

Tags for the session - technology discussed/ideas considered: Token Binding, TLS, Proof-of-Possession, HoK, OpenID Connect, OAuth, cookies, HTTPS, etc.

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The session was an introduction to Token Binding, a soon-to-be set of RFCs that enable long-lived bindings to client/browser-generated asymmetric keys that span multiple TLS connections. Cookies and other security tokens can be cryptographically bound to such a client key via the TLS layer, preventing token export and replay attacks.
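As an added illustration, not code from the session or from any Token Binding specification, the Go program below stands in for both sides of the binding described above: the client signs each TLS connection's exported keying material (EKM) with one long-lived key, the server records a hash of that key in the token it issues, and on presentation it rejects a token whose presenter cannot prove possession of the same key on the current connection. The Ed25519 key type, the sha256-of-public-key binding ID and the EKM byte strings are constructed assumptions; the real RFCs define their own message format and key parameters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Token is an issued cookie/JWT; BindingID = sha256(client Token Binding public key).
type Token struct {
	Subject   string
	BindingID [32]byte
}

// Client holds the long-lived Token Binding key; it outlives any single TLS connection.
type Client struct{ priv ed25519.PrivateKey }

func NewClient() Client {
	_, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return Client{priv: priv}
}

// Prove signs this connection's EKM, so the proof is worthless on any other connection.
func (c Client) Prove(ekm []byte) (pub ed25519.PublicKey, sig []byte) {
	pub = c.priv.Public().(ed25519.PublicKey)
	return pub, ed25519.Sign(c.priv, ekm)
}

// checkProof validates the proof of possession for this connection and derives the binding ID.
func checkProof(ekm []byte, pub ed25519.PublicKey, sig []byte) ([32]byte, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, ekm, sig) {
		return [32]byte{}, errors.New("token binding proof invalid for this connection")
	}
	return sha256.Sum256(pub), nil
}

// Issue binds a fresh token to the key the client just proved it holds.
func Issue(subject string, ekm []byte, pub ed25519.PublicKey, sig []byte) (Token, error) {
	id, err := checkProof(ekm, pub, sig)
	return Token{Subject: subject, BindingID: id}, err
}

// Verify accepts a presented token only when the presenter proves possession of the bound key.
func Verify(tok Token, ekm []byte, pub ed25519.PublicKey, sig []byte) error {
	id, err := checkProof(ekm, pub, sig)
	if err == nil && id != tok.BindingID {
		err = errors.New("token bound to a different key: rejected")
	}
	return err
}
```

An exported token fails because the thief's key hashes to a different binding ID, and a captured proof fails because it was signed over a different connection's EKM.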

Some additional resources (draft specs at this time):

Token Binding:

Token Binding Application in OpenID Connect:

Token Binding Application in OAuth: