Session discussing customer issues around securing an API:
Customers: Met Police, University of Exeter, Lloyds, Kainos, IDNucleus
One customer had no security on their REST APIs
OAuth, token types (SAML)
Question: Security end-to-end:
How to obtain proof-of-possession (of token)
Question: Upgrading a token with OAuth?
A user accesses the web application (and authenticates). This web application calls different web services to deliver the service, passing on access tokens. However, at some point an access token might not have the right scope/claim. Looking for a way to challenge the user sitting in front of his web browser for a session upgrade and subsequently obtain access tokens with appropriate scopes.
Joachim: I think this is a valid use case, but I don't know if there is a flow to combine
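As an added illustration of the "token upgrade" question above (this is example code written for these notes, not something shown in the session or taken from any of the customers named): a downstream resource server that finds the presented token lacks a scope can answer with the `WWW-Authenticate: Bearer ... error="insufficient_scope"` challenge defined in RFC 6750, naming the scope it needs. The web application parses that challenge, works out which scopes the user's current session is missing, and sends the browser back to the authorization server with an OAuth 2.0 authorization code request (RFC 6749) for the union of the already-granted and the newly required scopes. The authorization endpoint, client id, redirect URI and scope names are constructed placeholders; the optional `acr_values` parameter is the OpenID Connect Core parameter used when the upgrade is about authentication strength rather than scope.

```python
import re
import secrets
from urllib.parse import urlencode

# Constructed sample challenge, in the RFC 6750 section 3.1 format a resource
# server returns when the bearer token does not carry the scope it requires.
SAMPLE_CHALLENGE = (
    'Bearer realm="orders", error="insufficient_scope", '
    'scope="orders:write", error_description="Token lacks orders:write"'
)

_AUTH_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def authorize_request(token_scopes, required_scope, realm="orders"):
    """Resource-server side: return (http_status, www_authenticate_header).

    A token that carries required_scope gets 200 and no challenge; otherwise
    the service answers 401 with an insufficient_scope challenge that names
    the missing scope so the caller knows what to ask for.
    """
    if required_scope in set(token_scopes):
        return 200, None
    challenge = f'Bearer realm="{realm}", error="insufficient_scope", scope="{required_scope}"'
    return 401, challenge


def parse_bearer_challenge(header):
    """Parse a WWW-Authenticate Bearer challenge into its auth-params."""
    if not header or not header.lower().startswith("bearer"):
        return {}
    return dict(_AUTH_PARAM_RE.findall(header))


def missing_scopes(challenge_header, granted_scopes):
    """Return scopes the challenge demands that the session does not yet hold.

    An empty list means the 401 was not a scope problem (e.g. invalid_token),
    which should be handled by re-authenticating, not by a scope upgrade.
    """
    params = parse_bearer_challenge(challenge_header)
    if params.get("error") != "insufficient_scope":
        return []
    granted = set(granted_scopes)
    return [s for s in params.get("scope", "").split() if s not in granted]


def build_step_up_authorization_url(authorize_endpoint, client_id, redirect_uri,
                                    granted_scopes, extra_scopes, state,
                                    acr_values=None):
    """Build the authorization request that upgrades the user's session.

    The scope parameter is the ordered union of what the session already has
    and what the downstream service asked for, so the new token replaces the
    old one rather than splitting the session across two tokens.
    """
    scope = " ".join(dict.fromkeys(list(granted_scopes) + list(extra_scopes)))
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # bind the redirect back to this browser session (CSRF protection)
    }
    if acr_values:
        query["acr_values"] = acr_values  # OIDC: request a stronger authentication level
    return f"{authorize_endpoint}?{urlencode(query)}"


def step_up_if_needed(session_scopes, required_scope, state=None):
    """Web-application side: call the service; on insufficient_scope, return
    the URL to redirect the browser to, or None when no upgrade is needed."""
    status, challenge = authorize_request(session_scopes, required_scope)
    if status != 401:
        return None
    extra = missing_scopes(challenge, session_scopes)
    if not extra:
        return None
    return build_step_up_authorization_url(
        "https://as.example/authorize",       # placeholder authorization endpoint
        "web-app-client-id",                  # placeholder client id
        "https://app.example/oauth/callback", # placeholder redirect URI
        session_scopes, extra,
        state or secrets.token_urlsafe(16),
    )


if __name__ == "__main__":
    print(step_up_if_needed(["openid", "orders:read"], "orders:write", state="demo"))
```

The web application stores the `state` value in the user's session before redirecting and checks it on the callback, then exchanges the returned code for the new, wider-scoped access token and retries the downstream call. Keeping the upgrade decision on the `error` value rather than on the bare 401 matters: an `invalid_token` challenge signals an expired or tampered token and must not be turned into a scope request.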