Abstract: Techniques for server control of client authorization proof of possession are described herein. In various embodiments, a first server provisions client authorization proof of possession for a client device a real-world time, a client public key, and a client private key. The first server generates provisioning response message(s) including the client public key, the client private key, the real-world time, and/or an assertion object, and sends the message(s) to the client device. In various embodiments, a client device obtains an authorization proof token generated based on a client public key, a client private key, and a real-world time provisioned by a first server. The client device generates a request and sends the request to a second server, the request includes the authorization proof token and an assertion object from the first server signed by a server private key and an expiration time and a reference to the client public key.

Abstract: Techniques for server control of client authorization proof of possession are described herein. In various embodiments, a first server provisions client authorization proof of possession for a client device a real-world time, a client public key, and a client private key. The first server generates provisioning response message(s) including the client public key, the client private key, the real-world time, and/or an assertion object, and sends the message(s) to the client device. In various embodiments, a client device obtains an authorization proof token generated based on a client public key, a client private key, and a real-world time provisioned by a first server. The client device generates a request and sends the request to a second server, the request includes the authorization proof token and an assertion object from the first server signed by a server private key and an expiration time and a reference to the client public key.