Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
Token Binding/Proof of Possession
Date: 2022-04-05 06:30 pm (UTC)

A couple of things that can start to help with this situation:

Token Binding + client TLS certs
You store the private keys for the client TLS cert in your TPM, then you can indicate the TLS cert fingerprint in the JWT. The server validating the JWT ensures that the fingerprint in the token matches the TLS remote side certificate fingerprint. This gets part of what you are asking about.

OAuth Proof of Possession
Similar concept, as part of the JWT validation, you can require that the sender prove they have possession of a specific private key.
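The validation step described in the comment above, as an added example that is neither the commenter's nor mjg59's code: the issuer places the client certificate's SHA-256 thumbprint in the token's "cnf" claim under "x5t#S256" (the layout RFC 8705 uses for certificate-bound access tokens), and the resource server refuses the token unless that thumbprint matches the certificate actually presented on the TLS connection. To stay self-contained it signs with an HS256 shared secret instead of an asymmetric issuer key, and the "certificates" are constructed placeholder byte strings rather than real DER; everything else (the thumbprint form, the signature, expiry and binding checks) is the real logic.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by issuer and resource server (HS256 keeps the
# example dependency-free; a real issuer would sign with an asymmetric key).
ISSUER_KEY = b"constructed-demo-hmac-key-not-for-production"

# Constructed placeholder "DER" bytes standing in for two client certificates.
LEGIT_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert-A"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-client-cert-B"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def cert_thumbprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, base64url without padding (the x5t#S256 form)."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_bound_token(claims: dict, cert_der: bytes, ttl: int = 300, now=None) -> str:
    """Issuer side: mint a JWT whose cnf claim pins the client certificate thumbprint."""
    now = int(time.time()) if now is None else now
    payload = dict(claims)
    payload["iat"] = now
    payload["exp"] = now + ttl
    payload["cnf"] = {"x5t#S256": cert_thumbprint(cert_der)}
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_bound_token(token: str, peer_cert_der, now=None):
    """Resource-server side. Returns (ok, reason, payload).

    peer_cert_der is the DER of the certificate the TLS layer authenticated on
    this connection, or None if the client presented no certificate.
    """
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        sig = b64url_decode(s)
    except (ValueError, json.JSONDecodeError):
        return False, "malformed", None
    # Pin the algorithm before touching the signature to rule out alg confusion.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected = hmac.new(ISSUER_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature", None
    payload = json.loads(b64url_decode(p))
    if payload.get("exp", 0) <= now:
        return False, "expired", None
    bound = payload.get("cnf", {}).get("x5t#S256")
    if bound is None:
        return False, "token not certificate-bound", None
    if peer_cert_der is None:
        return False, "no client certificate on the TLS connection", None
    # The binding check: a token presented over a connection authenticated with
    # a different certificate is rejected even though its signature is valid.
    if not hmac.compare_digest(bound, cert_thumbprint(peer_cert_der)):
        return False, "certificate thumbprint mismatch", None
    return True, "ok", payload


if __name__ == "__main__":
    tok = issue_bound_token({"sub": "svc-build-agent"}, LEGIT_CERT_DER, now=1_000_000)
    print(validate_bound_token(tok, LEGIT_CERT_DER, now=1_000_100)[:2])
    print(validate_bound_token(tok, OTHER_CERT_DER, now=1_000_100)[:2])
    print(validate_bound_token(tok, None, now=1_000_100)[:2])
```

Because the signature covers the cnf claim, the binding cannot be edited out of a captured token, and because the thumbprint is compared against the certificate the TLS stack authenticated (whose private key lives in the TPM), replaying the token from another host fails at the last check. The OAuth proof-of-possession variant mentioned in the comment replaces the TLS thumbprint with a key the client proves it holds by signing part of the request, but the resource server's shape is the same: verify the token, then verify that the presenter controls the key the token is bound to.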