In a previous blog post, we discussed the prevalence of bearer tokens (or access tokens) for restricting access to protected resources, the challenges that the very nature of bearer tokens presents, and the available mitigations. To recap, presenting a bearer token is proof enough of an authorization grant to consume the service and access the resources protected by the token. This poses many security risks, such as using stolen or leaked tokens to gain unauthorized access. The solution to this weakness is to use proof-of-possession (PoP) tokens, also called sender-constrained tokens. These are still access tokens, but they can only be used by the client/entity that originally obtained them. This works in two parts:
Bearer tokens can be constrained in such a way that only the client/entity that received them can actually use them. When such a token is presented as an authorization grant, the receiving service/API evaluates the legitimacy of the token by asking for proof of possession. Access is granted only if the presenter of the token also produces that proof. Since only the client/entity to whom the token was originally issued can present the proof, requests carrying stolen or leaked tokens are rejected. This approach renders stolen tokens unusable.
Asymmetric cryptography and JWT-based proof of possession: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer