Ephemeral tokens are a valid approach and some systems use exactly that.
The difference with Shamir is what happens if the proxy itself is
compromised. With token exchange the proxy holds or can reconstruct
the real key server side. A compromised proxy is game over for the
credential.
alt Hacker News
Ephemeral tokens are a valid approach and some systems use exactly that.
The difference with Shamir is what happens if the proxy itself is compromised. With token exchange the proxy holds or can reconstruct the real key server side. A compromised proxy is game over for the credential.