Slide 22
@leastprivilege
Bearer Tokens
• No binding to client
– attacker could use leaked token to call APIs
– invoice.api can call customer.api (or vice versa)
JWT
Header:
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "1"
}
Payload:
{
  "iss": "https://my_issuer",
  "exp": 1340819380,
  "aud": [ "invoice.api", "customer.api" ],
  "client_id": "client1"
}
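Added example (not from the slide deck): the claim checks a resource server would run on the slide's payload, showing that with the multi-valued aud both invoice.api and customer.api accept the same bearer token, and a stricter single-audience policy that refuses it. Issuer, audiences and exp are the slide's values; the function names and the assumption that the signature was already verified are mine.

```python
import json
import time

# Constructed copy of the slide's payload (exp kept as the slide's value, a 2012 timestamp)
SLIDE_PAYLOAD = json.loads("""
{
  "iss": "https://my_issuer",
  "exp": 1340819380,
  "aud": ["invoice.api", "customer.api"],
  "client_id": "client1"
}
""")

TRUSTED_ISSUER = "https://my_issuer"


def validate_bearer(claims, my_audience, now=None, strict_single_audience=False):
    """Resource-server claim checks on an already signature-verified JWT.

    Returns (accepted, reason). Signature/kid handling is assumed to have
    happened before this call (hypothetical; only claims are checked here).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != TRUSTED_ISSUER:
        return False, "unknown issuer"
    if now >= claims.get("exp", 0):
        return False, "expired"
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # RFC 7519 allows aud as a single string
        aud = [aud]
    if my_audience not in aud:
        return False, "audience mismatch"
    # A token minted for several APIs is a bearer credential for all of them, so
    # any one API can replay it against the others. The strict policy only
    # accepts tokens whose audience is exactly this API.
    others = [a for a in aud if a != my_audience]
    if strict_single_audience and others:
        return False, "token also valid for: " + ", ".join(others)
    return True, "ok"


def demo(now=1340819000):
    """Evaluate the slide's token at both APIs under the loose and strict policies."""
    apis = ("invoice.api", "customer.api")
    loose = {api: validate_bearer(SLIDE_PAYLOAD, api, now)[0] for api in apis}
    strict = {api: validate_bearer(SLIDE_PAYLOAD, api, now, True)[0] for api in apis}
    return loose, strict


if __name__ == "__main__":
    print(demo())
```

With `now` fixed just before the slide's exp, the loose policy accepts the token at both APIs (the replay the slide warns about) while the strict policy rejects it at both.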