Security Consideration: Mutual Authentication of the TraT Request
Closed this issue · 3 comments
The requirement that clients must be pre-registered feels like it perpetuates the problem we see with workload identities, where the client identity may not be known ahead of time. This is not unlike the problems we see with wallets and the need for some way to let clients authenticate without being pre-registered.
I wonder if we can remove this requirement and instead rely on some form of authentication where the trust is in the credential issuer. For example, with SPIFFE, there is an authority that issues the credential to the workload, so as long as the client presents a credential issued by the authority, it could be trusted (provided the authority is trusted).
I'm thinking we should just rely on SPIFFE / SPIRE to solve this issue and not have to address it in the transaction tokens draft.
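The trust model sketched in the comment above, as an added example that is not part of the issue thread, the transaction tokens draft, or any SPIRE code: the transaction token service keeps no client registry at all, only a trust bundle of authority certificates, and authenticates a caller by checking that its X.509-SVID chains to that bundle and carries exactly one SPIFFE ID in the expected trust domain. The trust domain `example.org`, the SPIFFE path, and the `NewAuthority`/`IssueSVID` helpers (which stand in for a SPIRE server issuing short-lived SVIDs) are assumptions for the example; the verification logic uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// TrustDomain is the SPIFFE trust domain this service accepts (assumed value for the example).
const TrustDomain = "example.org"

// NewAuthority creates a self-signed CA standing in for the SPIRE server's signing key.
func NewAuthority(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueSVID issues an X.509-SVID: a short-lived leaf certificate whose identity is
// carried solely in the URI SAN spiffe://<trust-domain>/<path>. No registry is consulted.
func IssueSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string) (*x509.Certificate, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: "workload"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Bundle builds the trust bundle: the only state the verifier holds about clients.
func Bundle(authorities ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range authorities {
		pool.AddCert(c)
	}
	return pool
}

// AuthenticateClient authenticates a requesting workload with no pre-registration:
// the SVID must chain to the trust bundle and carry exactly one SPIFFE ID in the
// configured trust domain. The returned SPIFFE ID is the authenticated client identity.
func AuthenticateClient(bundle *x509.CertPool, svid *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := svid.Verify(opts); err != nil {
		return "", fmt.Errorf("SVID not issued by a trusted authority: %w", err)
	}
	if len(svid.URIs) != 1 {
		return "", fmt.Errorf("X.509-SVID must carry exactly one URI SAN, got %d", len(svid.URIs))
	}
	id := svid.URIs[0]
	if id.Scheme != "spiffe" || id.User != nil || id.Port() != "" {
		return "", fmt.Errorf("not a SPIFFE ID: %s", id)
	}
	if id.Host != TrustDomain {
		return "", fmt.Errorf("trust domain %q is not %q", id.Host, TrustDomain)
	}
	if id.Path == "" || id.Path == "/" {
		return "", fmt.Errorf("SPIFFE ID %s names a trust domain, not a workload", id)
	}
	return id.String(), nil
}

func main() {
	ca, caKey, _ := NewAuthority("spire-server")
	svid, _ := IssueSVID(ca, caKey, "spiffe://"+TrustDomain+"/ns/default/sa/client")
	fmt.Println(AuthenticateClient(Bundle(ca), svid))
}
```

The point of the example is what is absent: `AuthenticateClient` never looks up a client ID, so a workload that did not exist when the service was deployed is accepted as long as its SVID was issued by an authority in the bundle. The flip side is that the bundle is now the whole trust decision, so an SVID minted by any authority outside it is rejected even if it names the same SPIFFE ID.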
There is other work in the pipeline to remove the need for client registration. Perhaps we should reference it here?
1. https://vcstuff.github.io/draft-looker-oauth-attestation-based-client-authentication/draft-looker-oauth-attestation-based-client-authentication.html
2. https://mattrglobal.github.io/draft-looker-oauth-client-id-scheme/draft-looker-oauth-client-id-scheme.html
Current spec removes client pre-registration and references SPIFFE - closing issue.