This use case will be made possible by 3rd party tokens.
Context
A service delivers a token to a principal, but this token is not usable as is; it requires an identity proof making sure that the holder is the intended one. This mitigates token theft, as the token requires an extra proof to be accepted. For instance, this proof could be provided by a hardware token or a smart card.
Example
The token is delivered to principal A. A can prove their identity through the keypair pkA/skA.
Token
```
right("resource"); // this token grants access to the resource `resource`
check if user("A") trusting {pkA};
```
As it is, this token cannot be used, as the check cannot be fulfilled.
The only possible way to make this token valid is to append a third party block, signed by skA, containing the fact user("A").
The intended flow is that A adds it right before sending the query, with a very short TTL (a couple seconds), or with checks that tie the 3rd party block to the request that's being sent.
```
user("A");
check if time($time), $time < {now + 30 seconds};
check if /* conditions tying the block to the request */
```
```mermaid
sequenceDiagram
    Token Emitter->>A: Token with identity check
    A-->>A: Appends Third-Party Block
    A->>Service: Presents Token with identity proof appended
```
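The flow above as a simplified, runnable model. This is an added example, not code from the issue or from any Biscuit library: it shows the service accepting the token only when a block signed by `skA` supplies `user("A")`, has not expired, and matches the request. Assumptions: every function name and the token layout are hypothetical, Lamport one-time signatures stand in for Ed25519 so the block needs only the standard library, and the proof is bound to the token by signing over the token's signature.

```python
import hashlib, json, secrets

def H(b): return hashlib.sha256(b).digest()
def enc(obj): return json.dumps(obj, sort_keys=True).encode()

# Lamport one-time signatures: a stdlib-only stand-in (assumption) for the
# Ed25519 keys Biscuit uses. Each Lamport key must sign one message only.
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(256)] for _ in (0, 1)]
    return sk, [[H(x).hex() for x in row] for row in sk]

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[b][i] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s).hex() == pk[b][i] for i, (s, b) in enumerate(zip(sig, bits(msg))))

def issue_token(emitter_sk, pk_a):
    """Emitter: grants the right, gated on user("A") from a block signed for pk_a."""
    block = {"right": "resource", "check_user": "A", "trusting": pk_a}
    return {"block": block, "sig": sign(emitter_sk, enc(block))}

def make_proof(sk_a, token, request, now, ttl=30):
    """Holder: third-party block with user("A"), an expiry and the target request."""
    block = {"user": "A", "expires": now + ttl, "request": request}
    # Signing over the token signature ties this block to this one token.
    return {"block": block, "sig": sign(sk_a, enc(block) + b"".join(token["sig"]))}

def authorize(token, proof, emitter_pk, request, now):
    """Service: returns "ok" or the reason the token is rejected."""
    tb = token["block"]
    if not verify(emitter_pk, enc(tb), token["sig"]):
        return "bad token signature"
    if proof is None:
        return "no user fact from trusted key"
    pb = proof["block"]
    if not verify(tb["trusting"], enc(pb) + b"".join(token["sig"]), proof["sig"]):
        return "block not signed by trusted key for this token"
    if pb["user"] != tb["check_user"]:
        return "wrong user"
    if now >= pb["expires"]:
        return "proof expired"
    if pb["request"] != request:
        return "proof bound to another request"
    return "ok"
```

A token presented without the appended block, with a block signed by any other key, after the TTL, or for a different request is rejected with the corresponding reason string.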