I am using Thinktecture Identity Server v3 as the identity provider. It issues me access tokens. I am using these access tokens for web API communication. It works perfectly.
My question is: if anyone gets hold of this issued token and tries to access the web API with it, he/she gets access. I verified it; I got access. How can we restrict the access token so that it can be used only by the machine it was issued to?
You are right - there is currently only a standard for so-called bearer tokens. Whoever has the token can use it. That's why it is paramount to use transport protection for all network communication.
There are upcoming specs for proof of possession semantics and request signatures.
https://tools.ietf.org/wg/oauth/
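
A simplified sketch of the difference between a bearer check and a proof-of-possession check with request signatures, added here as an example; it is not code from IdentityServer and does not follow the wire format of any OAuth draft. The function names, the HMAC-derived per-token key, the signed-string layout and the 300-second window are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os

ISSUER_API_SECRET = os.urandom(32)  # constructed: known to token issuer and API only
MAX_SKEW = 300                      # assumed: seconds a signed request stays valid

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def issue_token(subject):
    """Issuer side: return (token, pop_key). Only the token travels with requests."""
    body = base64.urlsafe_b64encode(
        json.dumps({"sub": subject, "jti": os.urandom(8).hex()}).encode())
    tag = base64.urlsafe_b64encode(_mac(ISSUER_API_SECRET, b"tok" + body))
    # The per-token key is derived from the secret, so it is never inside the token.
    return body + b"." + tag, _mac(ISSUER_API_SECRET, b"pop" + body)

def _claims(token):
    """API side: return the claims of an authentic token, else None."""
    body, _, tag = token.partition(b".")
    expected = base64.urlsafe_b64encode(_mac(ISSUER_API_SECRET, b"tok" + body))
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def sign_request(pop_key, method, path, ts):
    """Client side: sign method, path and timestamp with the key kept on the client."""
    return _mac(pop_key, f"{method}\n{path}\n{ts}".encode()).hex()

def accept_bearer(token):
    """Bearer check: holding an authentic token is the only requirement."""
    return _claims(token) is not None

def accept_pop(token, method, path, ts, sig, now):
    """PoP check: authentic token AND a fresh request signed with that token's key."""
    if _claims(token) is None or abs(now - ts) > MAX_SKEW:
        return False
    pop_key = _mac(ISSUER_API_SECRET, b"pop" + token.partition(b".")[0])
    return hmac.compare_digest(sig, sign_request(pop_key, method, path, ts))
```

The per-token key still has to reach the client over a protected channel, and a signature captured and replayed inside the freshness window is accepted for the same method and path, so transport protection remains necessary.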