Ask HN: Why does OAuth2 use tokens instead of key pairs?
A lot of OAuth2 attacks are related to leaking access or refresh tokens.
Especially with modern web crypto APIs, why not create a non-exportable key pair, include the public key with the authorization request, and activate it with the token request?
Authorized requests need to include some precautions against replay attacks and be signed by the private key.
I feel like I'm missing something obvious.
0 comments
[ 2.7 ms ] story [ 7.2 ms ] threadNo comments yet.