Abstract: Techniques for server control of client authorization proof of possession are described herein. In various embodiments, a first server provisions client authorization proof of possession for a client device a real-world time, a client public key, and a client private key. The first server generates provisioning response message(s) including the client public key, the client private key, the real-world time, and/or an assertion object, and sends the message(s) to the client device. In various embodiments, a client device obtains an authorization proof token generated based on a client public key, a client private key, and a real-world time provisioned by a first server. The client device generates a request and sends the request to a second server, the request includes the authorization proof token and an assertion object from the first server signed by a server private key and an expiration time and a reference to the client public key.
CLAIMS
1. A method comprising:
at a first server including one or more processors and a non-transitory memory:
provisioning for a client device a real-world time, a client public key, and a client
private key;
generating one or more provisioning response messages that include one or more of the
client public key, the client private key, the real-world time, and an assertion object, wherein
the assertion object includes a reference to the client public key; and
sending the one or more provisioning response messages to the client device.
2. The method of claim 1, wherein the provisioning request includes an initial
provisioning token for the client device, and the method further includes:
receiving, via a second server, a request for the initial provisioning token from the client
device, wherein the request includes a unique identifier associated with the client device;
generating the initial provisioning token in response to receiving the request, including
binding data to be included in the assertion object to the unique identifier; and
sending, via the second server, the initial provisioning token to the client device.
3. The method of claim 2, wherein:
a code is generated by the second server, bounded to the unique identifier, and provided
to the client device by the second server upon successful authentication of the client device by
the second server; and
the request for the initial provisioning token is forwarded by the second server upon a
successful validation of a code from the client device.
4. The method of claim 2, wherein the assertion object is signed with a key, and the
method further includes:
sharing the key with the second server to validate the assertion object.
5. The method of claim 2, further comprising:
receiving a validation request from the second server, wherein the validation request
includes the assertion object; and
sending to the second server a validation indicator upon validating the assertion object.
6. The method of claim 2, wherein:
the first server and the second server are distinct from a third server for providing
resources to the client device; and
the second server receives an authorization request for access to the third server
including an application access token and parameters associated with the third server, validates
the authorization request, and upon validating the authorization request, generates a resource
server access token for access to the third server based on the parameters and sends the resource
server access token to the device.
7. The method of claim 1, further comprising:
provisioning a symmetric signing key unique for the client device, wherein the client
device uses the symmetric signing key to sign an authorization proof token, and the signed
authorization proof token is verifiable by a third server.
8. The method of claim 7, further comprising:
synchronizing a secret between the first server and a second server, wherein the second
server shares the secret with the third server,
wherein provisioning the symmetric signing key unique for the client device includes:
generating a wrap for the symmetric signing key by encrypting the symmetric
signing key with the secret, and
sending the symmetric signing key, the wrap, and a key identifier associated
with the secret to the client device.
9. The method of claim 7, further comprising:
synchronizing a seed between the first server and a second server, wherein the second
server shares the seed with the third server,
wherein provisioning the symmetric signing key unique for the client device includes:
deriving the symmetric signing key from the seed, and
sending the symmetric signing key and a key identifier associated with the seed
to the client device.
10. The method of claim 7, wherein provisioning the symmetric signing key unique for the
client device includes causing the third server to store the symmetric signing key and a client
identifier associated with the symmetric signing key in a data store.
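The seed-based variant in claims 7 and 9, sketched as an added example that is not taken from the application: the first server derives a per-client symmetric signing key from a synchronized seed, the client signs an authorization proof token over the real-world time, and the third server re-derives the key from the key identifier to verify it. HMAC-SHA256 for both derivation and signing, the token layout, the 60-second freshness window, and all function and field names are assumptions.

```python
import base64, hashlib, hmac, json

# Constructed sample seed, synchronized between the servers (not a real secret).
SEEDS = {"seed-2024-06": b"constructed-demo-seed"}  # key identifier -> seed
MAX_SKEW = 60  # assumed freshness window in seconds

def derive_client_key(seed: bytes, client_id: str) -> bytes:
    """Derive the per-client symmetric signing key from the seed (assumed KDF)."""
    return hmac.new(seed, b"pop-signing-key|" + client_id.encode(), hashlib.sha256).digest()

def provision(client_id: str, kid: str) -> dict:
    """First server: the signing key and key identifier sent to the client."""
    return {"key": derive_client_key(SEEDS[kid], client_id), "kid": kid}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def make_proof_token(client_id: str, prov: dict, now: int, path: str) -> str:
    """Client: sign its identifier, the key identifier, the time and the request path."""
    body = json.dumps({"cid": client_id, "kid": prov["kid"], "iat": now, "path": path},
                      sort_keys=True).encode()
    tag = hmac.new(prov["key"], body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)

def verify_proof_token(token: str, now: int, path: str) -> bool:
    """Third server: holds only seeds, re-derives the client key, then checks the token."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        claims = json.loads(body)
        key = derive_client_key(SEEDS[claims["kid"]], claims["cid"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed token or unknown key identifier
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # signed with a key that does not belong to this client
    if claims.get("path") != path:
        return False  # proof was issued for a different request
    iat = claims.get("iat")
    return isinstance(iat, (int, float)) and abs(now - iat) <= MAX_SKEW
```

Because the key is a function of the seed and the client identifier, the verifier needs no per-client key store, in contrast to the data-store variant of claim 10.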
| # | Name | Date |
|---|---|---|
| 1 | 202447045057-STATEMENT OF UNDERTAKING (FORM 3) [11-06-2024(online)].pdf | 2024-06-11 |
| 2 | 202447045057-REQUEST FOR EXAMINATION (FORM-18) [11-06-2024(online)].pdf | 2024-06-11 |
| 3 | 202447045057-PROOF OF RIGHT [11-06-2024(online)].pdf | 2024-06-11 |
| 4 | 202447045057-PRIORITY DOCUMENTS [11-06-2024(online)].pdf | 2024-06-11 |
| 5 | 202447045057-POWER OF AUTHORITY [11-06-2024(online)].pdf | 2024-06-11 |
| 6 | 202447045057-NOTIFICATION OF INT. APPLN. NO. & FILING DATE (PCT-RO-105-PCT Pamphlet) [11-06-2024(online)].pdf | 2024-06-11 |
| 7 | 202447045057-FORM 18 [11-06-2024(online)].pdf | 2024-06-11 |
| 8 | 202447045057-FORM 1 [11-06-2024(online)].pdf | 2024-06-11 |
| 9 | 202447045057-DRAWINGS [11-06-2024(online)].pdf | 2024-06-11 |
| 10 | 202447045057-DECLARATION OF INVENTORSHIP (FORM 5) [11-06-2024(online)].pdf | 2024-06-11 |
| 11 | 202447045057-COMPLETE SPECIFICATION [11-06-2024(online)].pdf | 2024-06-11 |
| 12 | 202447045057-CLAIMS UNDER RULE 1 (PROVISIO) OF RULE 20 [11-06-2024(online)].pdf | 2024-06-11 |
| 13 | 202447045057-FORM 3 [10-09-2024(online)].pdf | 2024-09-10 |