Episode 081: 01-23-2025 OAuth Status List and Attestation-Based Client Authentication - GluuFederation/identerati-office-hours GitHub Wiki

Title: OAuth Status List and Attestation-Based Client Authentication

LinkedIn Event

Description

In SAML, the entityID identifier is used for both IDPs and RPs. But in OpenID Connect, there is no stable identifier for the RP. This has become problematic for verifiable credential presentation. One solution is to enable the client to assert its identity via an attestation. Oversight? Feature? Either way, it's going to be really helpful! We're going to save a few minutes at the end to talk about a new draft OAuth standard for Status Lists, which is like a more efficient "certificate revocation list" design for revoking JWTs. Clients should verify not only the signature but also the status of the token, just as we check for revocation of X.509 certificates.

Homework

Takeaways

TBD

Livestream Audio Archive

Will be Here