Access token theft threat countermeasure
I have been looking at the threat model put forth in this document:
http://tools.ietf.org/html/draft-iet...threatmodel-02
One identified threat is the theft of an access token from a client (the transport layer has not been compromised), and one associated countermeasure is having the resource servers add an extra check validating that the caller owns the token.
One way to accomplish that would be to pass the client-id/client-secret along with each request.
Does anyone know if there are any existing hooks to help accomplish this countermeasure at the s2-oauth client and/or provider?
Thanks,
Tony.
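The resource-server check the question describes, written out as an added illustration (this is not s2-oauth code and names no Spring hook; the client registry, token store and request shape are all constructed here): the caller presents its client credentials alongside the bearer token, and the resource server rejects the token unless the presenting client authenticates and is the client the token was issued to. A stolen token is therefore useless without the issuing client's secret, and a token swapped between two legitimate clients is rejected as well.

```python
"""Resource-server ownership check binding a bearer token to its issuing client.

Added example, not code from the forum post or from spring-security-oauth.
Everything below (clients, secrets, tokens) is constructed sample data.
"""
import hashlib
import hmac
import time

# Constructed salt and iteration count; in a real deployment each secret gets
# its own salt and the count is tuned to the hardware.
SALT = b"constructed-static-salt"
ITERATIONS = 20_000


def _hash_secret(secret: str) -> bytes:
    """Store client secrets hashed so a leaked registry does not leak secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, ITERATIONS)


# Constructed client registry: client_id -> hashed client secret.
CLIENTS = {
    "mobile-app": _hash_secret("s3cr3t-mobile"),
    "web-portal": _hash_secret("s3cr3t-web"),
}

# Constructed token store: what the authorization server recorded at issue
# time. The client_id binding is what the ownership check relies on.
TOKENS = {
    "tok-abc123": {"client_id": "mobile-app", "scope": {"read"},
                   "expires_at": time.time() + 3600},
    "tok-old456": {"client_id": "mobile-app", "scope": {"read"},
                   "expires_at": time.time() - 1},
}


def check_request(token, client_id, client_secret, required_scope, now=None):
    """Validate one resource request.

    Returns (ok, reason). ok is True only if the token exists, is unexpired,
    carries the required scope, and is presented by the client it was bound
    to, which must itself authenticate with its secret.
    """
    now = time.time() if now is None else now
    record = TOKENS.get(token)
    if record is None:
        return False, "unknown_token"
    if record["expires_at"] <= now:
        return False, "token_expired"

    # Ownership check part 1: the presenting client must authenticate.
    stored_hash = CLIENTS.get(client_id)
    if stored_hash is None:
        return False, "unknown_client"
    if not hmac.compare_digest(stored_hash, _hash_secret(client_secret)):
        return False, "bad_client_credentials"

    # Ownership check part 2: it must be the client the token was issued to.
    # compare_digest keeps the comparison constant-time for equal lengths.
    if not hmac.compare_digest(record["client_id"].encode(), client_id.encode()):
        return False, "token_not_owned_by_client"

    if required_scope not in record["scope"]:
        return False, "insufficient_scope"
    return True, "ok"


if __name__ == "__main__":
    # Legitimate caller, then a thief holding only the token, then another
    # registered client replaying a token that was not issued to it.
    print(check_request("tok-abc123", "mobile-app", "s3cr3t-mobile", "read"))
    print(check_request("tok-abc123", "mobile-app", "guessed", "read"))
    print(check_request("tok-abc123", "web-portal", "s3cr3t-web", "read"))
```

Because the secret travels with every request, this only holds up under the question's own assumption that the transport layer is intact; the resource server also has to treat the received secret like any other credential (no logging, constant-time comparison, hashed at rest).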