Justin Richer edited this page Aug 4, 2020 · 1 revision

A single-page app (SPA) is spun up on demand by a user to do some processing of data stored on a protected API. The SPA generates its own keypair, which exists only while the SPA is active and is destroyed afterwards. Trust in the client rests entirely on the identity and attestation of the user -- if the user approves the current software, that is all the AS needs to know. Since the client disappears when processing is finished, requiring registration makes no sense: any registered credentials would never be used again. Any tokens issued should be bound to the app's keypair, so that the token becomes unusable when the keypair is destroyed.