
I get the basic OAuth and PKI flow and the different actors involved but I'm still unsure how public/private keys play a role.

When a client identifies itself upon registration with a certified public key, is that key then bound to the access token?

Piper
MizziPizzi

1 Answer

Prereqs:

See this question for a rough overview of how OAuth works.

See this question for a rough overview of how public key SSL/TLS works.

See this question for a rough overview of how SSL certificates relate to identity.

The meat of the matter:

Public/Private key systems can be used to provide three kinds of services:

  1. symmetric session encryption
  2. asymmetric session encryption
  3. identity verification (often coupled with authentication)

Technically, none of the above three services is required for an OAuth system to work properly - it's very possible to build an OAuth system which doesn't use public/private keys for anything at all.

That said, OAuth systems will often rely on property 1 of public/private key systems to ensure that OAuth-related communication is encrypted, usually by building communication protocols on top of existing TLS/SSL-based systems. They will also often rely on property 3 to provide one-sided identity verification, usually by relying on external, built-in browser components, which implicitly perform that function.
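To make the three services in the answer concrete, here is an added example (not part of the answer, and not code from any OAuth library) that walks through each one with textbook constructions: a Diffie-Hellman agreement that turns asymmetric key material into a shared symmetric session key (service 1), RSA encryption under a recipient's public key (service 2), and an RSA signature verified against the signer's public key (service 3). All parameters are constructed: the 61/53 RSA primes, the p=23 Diffie-Hellman group, and the sample token and client strings are tiny illustration values that stand in for the 2048-bit keys, padding schemes and certificates real TLS uses.

```python
import hashlib
import hmac
import secrets

# Constructed textbook RSA key pair (tiny primes chosen only for illustration;
# real keys are 2048+ bits and use padding such as OAEP/PSS).
P, Q = 61, 53
N = P * Q                  # modulus, 3233
PHI = (P - 1) * (Q - 1)    # 3120
E = 17                     # public exponent
D = pow(E, -1, PHI)        # private exponent, 2753
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)

# Constructed Diffie-Hellman group (tiny prime for illustration only).
DH_P = 23
DH_G = 5


# ---- Service 1: symmetric session encryption via an asymmetric key agreement ----
def dh_keypair(rng=secrets.randbelow):
    """Each side picks a private exponent x in [1, p-2] and publishes g^x mod p."""
    private = 1 + rng(DH_P - 2)
    public = pow(DH_G, private, DH_P)
    return private, public


def dh_session_key(my_private, peer_public):
    """Both sides compute the same shared secret and hash it into a session key."""
    shared = pow(peer_public, my_private, DH_P)
    return hashlib.sha256(f"toy-dh:{shared}".encode()).digest()


def keystream_xor(key, data):
    """HMAC-SHA256 in counter mode as a keystream; XOR is its own inverse,
    so the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# ---- Service 2: asymmetric encryption under the recipient's public key ----
def rsa_encrypt(message, public_key):
    """Textbook RSA, byte by byte, because every byte value is below the tiny modulus."""
    n, e = public_key
    return [pow(b, e, n) for b in message]


def rsa_decrypt(ciphertext, private_key):
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


# ---- Service 3: identity verification by signing with the private key ----
def _digest_mod_n(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def rsa_sign(message, private_key):
    n, d = private_key
    return pow(_digest_mod_n(message, n), d, n)


def rsa_verify(message, signature, public_key):
    """Anyone holding the public key can check the signature; only the
    private-key holder could have produced it."""
    n, e = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


def demo():
    """Run all three services on constructed sample data and report the outcomes."""
    # Service 1: two parties agree on a session key and protect a token in transit.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = dh_session_key(a_priv, b_pub)
    key_b = dh_session_key(b_priv, a_pub)
    token = b"access_token=constructed-sample-token"
    ciphertext = keystream_xor(key_a, token)
    # Service 2: encrypt a secret so only the private-key holder can read it.
    secret = b"client_secret=constructed"
    rsa_ct = rsa_encrypt(secret, PUBLIC_KEY)
    # Service 3: sign a statement of identity and verify it with the public key.
    statement = b"client_id=constructed-demo-client"
    sig = rsa_sign(statement, PRIVATE_KEY)
    return {
        "session_keys_match": key_a == key_b,
        "session_roundtrip": keystream_xor(key_b, ciphertext) == token,
        "asymmetric_roundtrip": rsa_decrypt(rsa_ct, PRIVATE_KEY) == secret,
        "signature_valid": rsa_verify(statement, sig, PUBLIC_KEY),
        "forged_signature_rejected": not rsa_verify(statement, (sig + 1) % N, PUBLIC_KEY),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The split mirrors the answer's point: the session key in service 1 is what actually protects the OAuth traffic on the wire, the signature in service 3 is what lets a browser or client decide whose key it is talking to, and neither step requires the access token itself to be bound to any key.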