5.1 Security Considerations for Implementers
Security considerations mentioned in the following specifications ought to be considered when implementing this profile:
Section 10 in The OAuth 2.0 Authorization Protocol [IETFDRAFT-OAuth2.0].
Section 10 in JSON Web Token (JWT) Specification Draft [IETFDRAFT-JWT-LATEST].
Security considerations section in OAuth 2.0 Authentication Protocol Extensions [MS-OAUTH2EX].
In addition, the following security aspects ought to be considered:
Access tokens issued by the Security Token Service are bearer tokens and need to be kept confidential in transit and in storage. It is recommended to transmit access tokens only over a TLS (SSL) secured channel.
Because the augmented user identity information in the outer token is not signed by the application, the receiver of the server-to-server token ought to validate that the value of the trustedfordelegation claim is set to true.
The receiver of the server-to-server token ought to validate that the aud (audience) claims in the inner and outer tokens match. It also ought to ensure that the token is intended for itself by verifying that the aud claim contains its own hostname.
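The three receiver-side checks above (trustedfordelegation is true, inner and outer aud match, aud names this host) are shown below in one validation routine. This is an added example, not code from the specification or from any Microsoft implementation. It assumes several things the text does not state: that the inner token is carried in an outer-token claim named actortoken, that aud has the form "<app id>/<hostname>@<realm>", that trustedfordelegation sits in the STS-signed inner token, and that the STS signs with HS256 and the receiver holds the key (a real STS would use an asymmetric signature and published keys). The key, claim values and tokens are constructed for the demo.

```python
"""Receiver-side validation of a server-to-server token: an unsigned outer token
carrying an STS-signed inner token. Added example; claim names other than
aud/trustedfordelegation, the aud format and the HS256 key are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

STS_KEY = b"constructed-demo-sts-key"  # constructed; stands in for the STS signing key


class TokenError(Exception):
    """Raised when a token fails one of the receiver-side checks."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: Optional[bytes] = None) -> str:
    """Compact JWT: HS256 when a key is given, otherwise alg "none" (unsigned outer token)."""
    header = {"alg": "HS256" if key else "none", "typ": "JWT"}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if key else b""
    return signing_input + "." + _b64url_encode(sig)


def parse_jwt(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed compact JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims, parts[0] + "." + parts[1], _b64url_decode(parts[2])


def verify_hs256(token: str, key: bytes) -> dict:
    """Return claims only if the signature verifies; the alg is pinned, never taken from the token."""
    header, claims, signing_input, sig = parse_jwt(token)
    if header.get("alg") != "HS256":
        raise TokenError("inner token must carry the expected STS signature algorithm")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("inner token signature invalid")
    return claims


def hostname_of(aud: str) -> str:
    """Hostname segment of an aud in the assumed form "<app id>/<hostname>@<realm>"."""
    try:
        return aud.split("/", 1)[1].rsplit("@", 1)[0].lower()
    except IndexError:
        raise TokenError("aud claim not in the expected form") from None


def validate_s2s_token(outer_token: str, my_hostname: str, sts_key: bytes = STS_KEY,
                       now: Optional[float] = None) -> dict:
    """Apply the receiver-side checks; the outer token is treated as unsigned throughout."""
    _, outer_claims, _, _ = parse_jwt(outer_token)
    inner_token = outer_claims.get("actortoken")  # assumed name of the claim holding the inner token
    if not isinstance(inner_token, str):
        raise TokenError("outer token carries no inner token")
    inner_claims = verify_hs256(inner_token, sts_key)  # only the STS signature is trusted
    now = time.time() if now is None else now
    if not isinstance(inner_claims.get("exp"), (int, float)) or inner_claims["exp"] <= now:
        raise TokenError("inner token expired or has no exp")
    # Check 1: the STS must assert the caller is trusted for delegation, otherwise the
    # unsigned user identity in the outer token must not be honoured.
    if str(inner_claims.get("trustedfordelegation", "")).lower() != "true":
        raise TokenError("application not trusted for delegation")
    # Check 2: inner and outer aud must match, so the outer token cannot be re-targeted.
    outer_aud, inner_aud = outer_claims.get("aud"), inner_claims.get("aud")
    if not outer_aud or outer_aud != inner_aud:
        raise TokenError("aud mismatch between inner and outer token")
    # Check 3: the token must be addressed to this receiver's hostname.
    if hostname_of(inner_aud) != my_hostname.lower():
        raise TokenError("token not addressed to this host")
    return {"outer": outer_claims, "inner": inner_claims}


def rejects(outer_token: str, my_hostname: str) -> bool:
    """True if validation raises TokenError (used by the checks below)."""
    try:
        validate_s2s_token(outer_token, my_hostname)
        return False
    except TokenError:
        return True


def build_sample(trusted: str = "true", outer_aud: Optional[str] = None, tamper: bool = False) -> str:
    """Constructed sample: STS-signed inner token wrapped in an unsigned outer token."""
    inner_aud = "11111111-2222-3333-4444-555555555555/sp.contoso.example@realm-placeholder"
    inner = make_jwt({"aud": inner_aud, "iss": "sts-placeholder", "exp": int(time.time()) + 600,
                      "trustedfordelegation": trusted}, STS_KEY)
    if tamper:  # flip the claim after signing; the stale signature must then fail
        head, body, sig = inner.split(".")
        claims = json.loads(_b64url_decode(body))
        claims["trustedfordelegation"] = "true"
        inner = head + "." + _b64url_encode(json.dumps(claims).encode()) + "." + sig
    return make_jwt({"aud": outer_aud or inner_aud, "actortoken": inner, "nameid": "user@contoso.example"})


if __name__ == "__main__":
    print(validate_s2s_token(build_sample(), "sp.contoso.example")["inner"]["trustedfordelegation"])
```

The order matters: the inner token's signature is verified before any claim is read, the algorithm is pinned rather than taken from the token header, and nothing in the outer token is trusted except as a value to compare against the STS-signed inner token.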