GNAP: Grant Negotiation and Authorization Protocol Explained | Identity Expert

This video describes security mechanisms as defined in published standards. It is not a substitute for a professional security review of your own implementation.

OAuth 2.0 is thirteen years old. What started as a single specification has grown into a protocol family spanning more than twenty RFCs — PKCE, PAR, RAR, DPoP, JAR, CIBA — each one patching a gap the original design never anticipated. GNAP — the Grant Negotiation and Authorization Protocol, standardized in RFC 9635 (October 2024) — is the IETF TXAUTH working group's answer to that accumulated complexity.

In this video you'll learn exactly what GNAP changes and why it matters:
• The four OAuth 2.0 limitations GNAP was designed to fix: no native rich access descriptions, no clean public-client flow after the implicit flow was deprecated, no key rotation without re-authorization, and rigid static client registration
• How the GNAP transaction model works end-to-end: POST /tx, AS-driven interaction selection, the continuation endpoint, and key-bound token issuance
• What GNAP payloads actually look like on the wire — structured access arrays, inline JWK key proofs, httpsig signatures, and the interact finish hash
• The threat model: interaction reference substitution (GNAP's most critical risk), continuation token theft, client impersonation, and AS metadata spoofing
• Where GNAP is heading: RFC 9767 for RS connections, GNAP Multi-Owner Resources for healthcare and finance, composition with RAR (RFC 9396), and current adoption status in Open Payments

This is an advanced episode. You should be comfortable with OAuth 2.0 authorization code flow and basic JWT/JWK concepts before watching.

⏱ Chapters are in the description below.
📚 Sources: RFC 9635, RFC 9767, RFC 9421, RFC 9396, GNAP WG charter — links below.
🔔 Subscribe for weekly deep-dives into identity, authorization, and security protocols.
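The interact finish hash listed above is what lets a client detect the interaction reference substitution risk from the threat model: before it sends an interact_ref to the continuation endpoint, the client recomputes the hash from its own stored nonce, the nonce the AS returned in the grant response, the reference it just received, and the grant endpoint URI, in that order, joined by single newlines and base64url-encoded without padding, as RFC 9635 §4.2.3 specifies. The following is an added example written for this page, not code from the video or from any GNAP implementation; the nonce and reference values are constructed and the grant endpoint URL is a placeholder.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not taken from the video or from the RFC examples.
CLIENT_NONCE = "c1n0nce-7f3a9c2e"                # interact.finish.nonce sent by the client
AS_NONCE = "asn0nce-41d8b0e6"                    # finish nonce returned by the AS
INTERACT_REF = "iref-9b2c1d4e"                   # interact_ref delivered on the callback
GRANT_ENDPOINT = "https://as.example.invalid/tx" # placeholder grant endpoint URI

# hash_method values named in RFC 9635; sha-256 is the default when none is given.
HASH_ALGS = {"sha-256": hashlib.sha256, "sha3-512": hashlib.sha3_512}


def interaction_hash_preimage(client_nonce, as_nonce, interact_ref, grant_endpoint):
    """RFC 9635 s4.2.3 preimage: the four values in this order, joined by a
    single newline, with no trailing newline."""
    return "\n".join((client_nonce, as_nonce, interact_ref, grant_endpoint))


def compute_interaction_hash(client_nonce, as_nonce, interact_ref,
                             grant_endpoint, hash_method="sha-256"):
    """Hash the preimage and base64url-encode the digest without padding."""
    preimage = interaction_hash_preimage(client_nonce, as_nonce,
                                         interact_ref, grant_endpoint)
    digest = HASH_ALGS[hash_method](preimage.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_finish_callback(client_nonce, as_nonce, grant_endpoint,
                           callback_params, hash_method="sha-256"):
    """Client-side check on the finish callback (redirect query or push body)
    before the interact_ref is forwarded to the continuation endpoint.
    Returns the interact_ref on success and None on any mismatch, so a
    substituted reference is never used."""
    interact_ref = callback_params.get("interact_ref")
    presented = callback_params.get("hash")
    if not interact_ref or not presented:
        return None
    expected = compute_interaction_hash(client_nonce, as_nonce, interact_ref,
                                        grant_endpoint, hash_method)
    # Constant-time comparison of the two base64url strings.
    if not hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii")):
        return None
    return interact_ref


def demo():
    """A legitimate callback is accepted; one carrying a swapped interact_ref
    with the original hash is rejected."""
    good_hash = compute_interaction_hash(CLIENT_NONCE, AS_NONCE,
                                         INTERACT_REF, GRANT_ENDPOINT)
    legit = {"interact_ref": INTERACT_REF, "hash": good_hash}
    swapped = {"interact_ref": "iref-substituted-0000", "hash": good_hash}
    return {
        "legit_accepted": verify_finish_callback(CLIENT_NONCE, AS_NONCE,
                                                 GRANT_ENDPOINT, legit),
        "swapped_rejected": verify_finish_callback(CLIENT_NONCE, AS_NONCE,
                                                   GRANT_ENDPOINT, swapped),
    }


if __name__ == "__main__":
    print(demo())
```

The check only helps if the client keeps its own nonce and the AS nonce server-side, keyed to the pending grant, and never trusts values echoed back in the callback; the AS, for its part, binds the continuation request to the client's key proof, so a stolen or swapped reference is not enough on its own.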
---
📖 Sources
• RFC 9635 — GNAP Core: https://datatracker.ietf.org/doc/html/rfc9635
• RFC 9767 — GNAP Resource Server Connections: https://datatracker.ietf.org/doc/html/rfc9767
• IETF TXAUTH Working Group Charter: https://datatracker.ietf.org/wg/txauth/about/
• RFC 9396 — Rich Authorization Requests: https://datatracker.ietf.org/doc/html/rfc9396
• OAuth Security BCP (draft-ietf-oauth-security-topics): https://datatracker.ietf.org/doc/html/draf...
---
#gnap #oauth #rfc9635 #authorization #identityexpert
---
Sources cited above are IETF RFCs, OIDF specifications, or W3C/OASIS standards — all freely reproducible for educational use. For educational purposes only. Specs evolve — always check the latest version of the standard.
---
0:00 GNAP — Why OAuth needed a redesign
1:30 Channel intro
2:47 The analogy: valet key vs smart contract
4:12 The technical picture — four OAuth limitations
5:40 How GNAP works — the transaction model
7:05 On the wire — real GNAP payloads
8:42 Threat model
10:24 Future outlook — RFC 9635 and beyond
10:28 Sources
#oauth2 #appsecurity