Session discussing customer issues around securing an API:

  1. Focus:

    1. Protect APIs

      1. No security on REST APIs

    2. Evolution

      1. OAuth, token types (SAML)

  2. Questions:

    1. Question: Security end-to-end:

      1. How to obtain proof-of-possession (of token)

    2. Question: Upgrading a token with OAuth?

      1. A user accesses the web application (and authenticates). This web application calls different web services to deliver the service, passing on access tokens. However, at some point an access token might not have the right scope/claim. Looking for a way to challenge the user sitting in front of his web browser for a session upgrade and subsequently obtain access tokens with appropriate scopes.

      2. Joachim: I think this is a valid use case, but I don't know if there is a flow to combine
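Worked sketch of the "token upgrade" question (item 2.2), added here as an illustration; it is not code from the session or from any product discussed. It assumes the RFC 6750 bearer-token error responses (`insufficient_scope` with a `scope` attribute) and a plain OAuth 2.0 authorization-code request; the endpoint URLs, client id, scope names and tokens are constructed sample values. The resource server answers a call whose token lacks a scope with a 403 and a challenge naming the scopes it needs; the web application parses that challenge and builds the authorization request that sends the user's browser back to the authorization server for the missing scopes (incremental consent), binding the round trip with `state` so the original request can be resumed once the new token arrives.

```python
# Added example, not from the session notes: scope enforcement on a resource
# server plus the client-side step-up that re-requests the missing scopes.
# Assumes RFC 6750 error responses and OAuth 2.0 authorization-code parameters;
# all tokens, scopes and URLs below are constructed sample values.
from __future__ import annotations
import re
from urllib.parse import urlencode

# Constructed sample: scopes granted to each bearer token. In practice this
# comes from token introspection or from the claims of a validated JWT.
TOKEN_SCOPES = {
    "tok-read-only": {"orders:read"},
    "tok-full": {"orders:read", "orders:write"},
}


def check_scope(token: str, required: set[str]) -> tuple[int, dict]:
    """Resource-server side. Returns (HTTP status, headers) per RFC 6750 s3.1:
    401 invalid_token for an unknown token, 403 insufficient_scope when the
    token is valid but lacks a required scope, 200 otherwise."""
    granted = TOKEN_SCOPES.get(token)
    if granted is None:
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}
    missing = required - granted
    if missing:
        # Advertise only what is missing so the client can ask for exactly that.
        challenge = 'Bearer error="insufficient_scope", scope="%s"' % " ".join(sorted(missing))
        return 403, {"WWW-Authenticate": challenge}
    return 200, {}


def parse_challenge(header: str) -> dict:
    """Client side: pull the auth-param pairs out of a Bearer challenge."""
    if not header.startswith("Bearer"):
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def step_up_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                current_scopes: set[str], challenge_scopes: list[str],
                state: str) -> str:
    """Build the authorization request that upgrades the user's grant.
    The new request asks for the union of what the app already holds and what
    the resource server demanded; 'state' ties the redirect back to the pending
    request so the app can retry it with the upgraded token."""
    wanted = set(current_scopes) | set(challenge_scopes)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(wanted)),
        "state": state,
    }
    return authz_endpoint + "?" + urlencode(params)


def handle_backend_call(token: str, required: set[str], current_scopes: set[str]) -> str | None:
    """Web-app side: call the backend; if it answers insufficient_scope, return
    the URL the browser must be sent to, else None (call succeeded or failed
    for a reason step-up cannot fix)."""
    status, headers = check_scope(token, required)
    if status != 403:
        return None
    challenge = parse_challenge(headers["WWW-Authenticate"])
    if challenge.get("error") != "insufficient_scope":
        return None
    # Constructed sample endpoint, client id, redirect URI and state value.
    return step_up_url("https://as.example/authorize", "web-app",
                       "https://app.example/cb", current_scopes,
                       challenge["scope"].split(), state="req-42")


if __name__ == "__main__":
    print(handle_backend_call("tok-read-only", {"orders:write"}, {"orders:read"}))
```

The same exchange also carries the other half of the question: if the authorization server requires a stronger authentication for the extra scope, it can re-authenticate the user during that redirect, which is the "session upgrade" the web application cannot perform on its own.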