Tags: web-services, rest, spring-security, jwt, access-token

What is the best way to prevent token Sharing?


I'm looking for ideas to prevent customers from sharing OAuth tokens, i.e. the customer that created the token should be the only one using it. What can one do on the server side to prevent this customer from sharing the token with someone else?


Solution

  • There are several IETF RFCs/drafts that try to provide a way to verify that the client is the "owner" of the token. These specifications relate to the OAuth2 framework; however, they can be implemented in any other token exchange context.

    They are namely:

    Another interesting protocol is Hawk tokens: see https://github.com/hueniverse/hawk (Eran Hammer was an OAuth2 contributor).

    As you will see, all these specifications rely on a request signed by the client. This seems to be the best way to verify that the client is allowed to use the token. Any other verification such as IP address, User Agent, Device ID... is not reliable, as they can be spoofed.
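What "a request signed by the client" buys you in practice, as an added example that is not part of the original answer and not Hawk's own code: a Hawk-style proof-of-possession scheme in which the server issues a token id together with a per-token secret key, and every request carries an HMAC over the method, host, path, timestamp, nonce and body hash. The key never travels on the wire after issuance, so someone who copies a bearer header (or the token id alone) cannot mint a valid signature; a captured header is only good for that exact request, within the clock-skew window, and only once. The `PoP` header name, the in-memory token store and the sample requests are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time


def issue_token(store, subject):
    """Server side: mint a token id plus a per-token secret key.

    The key is handed to the client once (over TLS) and kept by the server;
    it is never sent again in later requests.  `store` is a constructed
    in-memory dict standing in for a real token database.
    """
    token_id = secrets.token_urlsafe(16)
    key = secrets.token_bytes(32)
    store[token_id] = {"subject": subject, "key": key}
    return token_id, key


def body_sha256(body):
    return hashlib.sha256(body).hexdigest()


def canonical_string(method, host, path, ts, nonce, body_hash):
    # Everything the server must be able to trust is covered by the MAC.
    return "\n".join([method.upper(), host.lower(), path, str(ts), nonce, body_hash]) + "\n"


def sign_request(token_id, key, method, host, path, body=b"", ts=None, nonce=None):
    """Client side: build the Authorization header for one request."""
    ts = int(time.time()) if ts is None else int(ts)
    nonce = secrets.token_hex(8) if nonce is None else nonce
    body_hash = body_sha256(body)
    msg = canonical_string(method, host, path, ts, nonce, body_hash).encode()
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return (f'PoP id="{token_id}", ts="{ts}", nonce="{nonce}", '
            f'hash="{body_hash}", mac="{mac}"')


def parse_header(value):
    """Parse 'k="v", k2="v2"' into a dict (hypothetical header grammar)."""
    params = {}
    for part in value.split(","):
        name, sep, val = part.strip().partition("=")
        if sep:
            params[name.strip()] = val.strip().strip('"')
    return params


class Server:
    REQUIRED = ("id", "ts", "nonce", "hash", "mac")

    def __init__(self, store, max_skew=60):
        self.store = store
        self.max_skew = max_skew
        # (token_id, nonce) pairs already accepted; in production, expire
        # entries once they are older than max_skew so the set stays bounded.
        self.seen = set()

    def verify(self, auth_header, method, host, path, body=b"", now=None):
        """Return the token's subject if the request is genuinely signed, else None."""
        now = int(time.time()) if now is None else int(now)
        if not auth_header.startswith("PoP "):
            return None
        p = parse_header(auth_header[4:])
        if any(k not in p for k in self.REQUIRED):
            return None
        rec = self.store.get(p["id"])
        if rec is None:
            return None  # unknown or revoked token id
        try:
            ts = int(p["ts"])
        except ValueError:
            return None
        if abs(now - ts) > self.max_skew:
            return None  # outside the window: bounds how long a captured header lives
        if not hmac.compare_digest(body_sha256(body).encode(), p["hash"].encode()):
            return None  # body differs from what the signer committed to
        msg = canonical_string(method, host, path, ts, p["nonce"], p["hash"]).encode()
        expected = hmac.new(rec["key"], msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), p["mac"].encode()):
            return None  # presenter does not hold the key bound to this token
        if (p["id"], p["nonce"]) in self.seen:
            return None  # exact replay of an already-accepted request
        self.seen.add((p["id"], p["nonce"]))
        return rec["subject"]


if __name__ == "__main__":
    store = {}
    tid, key = issue_token(store, "alice")
    srv = Server(store)
    hdr = sign_request(tid, key, "GET", "api.example.com", "/v1/account")
    print("legit:", srv.verify(hdr, "GET", "api.example.com", "/v1/account"))
    print("replay:", srv.verify(hdr, "GET", "api.example.com", "/v1/account"))
    stolen = sign_request(tid, b"guess", "GET", "api.example.com", "/v1/account")
    print("token id without key:", srv.verify(stolen, "GET", "api.example.com", "/v1/account"))
```

The caveat a practitioner should keep in mind: this stops a token that leaks from being usable on its own, and it stops a captured request from being replayed, but it cannot stop a customer who deliberately hands both the token id and the secret key to someone else. Server-side signing only ever proves possession of the key; deterring deliberate sharing is a matter of per-token rate limits, usage anomaly detection and terms of service, not cryptography. The current IETF standards for the same idea in OAuth2 are certificate-bound tokens (RFC 8705) and DPoP (RFC 9449).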