Outway should request the access-token
The standard does not specify which component should request the access-token; this is left as an implementation detail. This decision conflicts with certificate-bound access-tokens (RFC 8705): the certificate to which the access-token must be bound must also be the certificate that requests the access-token.
- Write ADR
- Update the standard
- Update the reference implementation
Possible solution for the reference implementation:
- remove internal getToken call from manager
- change external getToken call to get cert thumbprint from connection instead of request body
- add internal getTokenInfo call to manager. This should return the grant info and peer address where the outway can get the token from. The grant info should contain all info needed for the external getToken call. The manager should also check if the contract is valid.
- outway calls external getToken on peer manager address
- outway checks the token it receives against the info in the grant that it got from its internal manager
Edited by Henk van Maanen
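
The certificate binding described above, as an added Go example that is not part of the original issue or the reference implementation: the manager side derives the RFC 8705 `x5t#S256` thumbprint from the mTLS connection instead of the request body, and the outway side checks that the token it received is bound to its own certificate. The function names are hypothetical, the sample certificates are constructed byte strings, and the grant comparison is left out to keep the focus on the binding.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
)

// thumbprintS256 is the RFC 8705 "x5t#S256" value: base64url (no padding)
// of the SHA-256 digest of the certificate's DER encoding.
func thumbprintS256(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// thumbprintFromConn (hypothetical name) takes the thumbprint from the mTLS
// peer certificate. Nothing is read from the request body, so a caller cannot
// ask for a token bound to a certificate it did not present.
func thumbprintFromConn(r *http.Request) (string, error) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		return "", errors.New("no client certificate on connection")
	}
	return thumbprintS256(r.TLS.PeerCertificates[0]), nil
}

// checkBinding (hypothetical name) is the outway-side check: the cnf
// thumbprint in the received token must match the outway's own certificate.
func checkBinding(tokenX5tS256 string, own *x509.Certificate) error {
	want := thumbprintS256(own)
	if subtle.ConstantTimeCompare([]byte(tokenX5tS256), []byte(want)) != 1 {
		return errors.New("token is bound to a different certificate")
	}
	return nil
}

func main() {
	// Constructed sample: Raw stands in for real DER bytes.
	cert := &x509.Certificate{Raw: []byte("constructed-outway-cert-der")}
	req := &http.Request{TLS: &tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}}}
	tp, err := thumbprintFromConn(req)
	fmt.Println(tp, err, checkBinding(tp, cert))
}
```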