Hi Mike,

Thank you for the implicit DPoP draft; quick questions:

- What htu and htm should be used when used with PAR?
- Is it fair to say that authorization request provided DPoP parameters only 
apply to authorization endpoint issued access tokens, and in the case of the 
hybrid flow the client sends a new proof with the access token request to the 
token endpoint?

Best,
Filip

Sent from my iPhone

> On 10 Mar 2020, at 1:12, Mike Jones 
> <[email protected]> wrote:
> 
> 
> As I previously described, members of the OAuth working group have developed 
> a simplified approach to providing application-level proof-of-possession 
> protections for OAuth 2.0 access tokens and refresh tokens.  This approach is 
> called OAuth 2.0 Demonstration of Proof-of-Possession at the Application 
> Layer (DPoP).  Among other benefits, it does not require a complicated and 
> error-prone procedure for signing HTTP requests, as some past approaches have.
>  
> However, the DPoP specification to date has assumed that the client is using 
> the OAuth authorization code flow.  As promised at the last IETF meeting, 
> we’ve now published a simple companion specification that describes how DPoP 
> can be used with the OAuth implicit flow – in which access tokens are 
> returned directly from the authorization endpoint.  The specification is 
> mercifully brief because very little had to be added to supplement the 
> existing DPoP spec to enable use of DPoP with the implicit flow.  Thanks to 
> Brian Campbell and John Bradley for whiteboarding this solution with me.
>  
> Finally, in a related development, it was decided during the OAuth virtual 
> interim meeting today to call for working group adoption of the core DPoP 
> draft.  That’s an important step on the journey towards making it a standard.
>  
> The specification is available at:
> https://tools.ietf.org/html/draft-jones-oauth-dpop-implicit-00
>  
> An HTML-formatted version is also available at:
> https://self-issued.info/docs/draft-jones-oauth-dpop-implicit-00.html
>  
>                                                        -- Mike
>  
> P.S.  This notice was also posted at https://self-issued.info/?p=2063 and as 
> @selfissued.
>  
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
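The htu/htm question above is about how a DPoP proof is bound to the exact request it is presented on. The following Go program is an added example for this thread, not code from the DPoP draft or from either author, and it does not settle which values the PAR case should carry. It mints an ES256 proof JWT with the header and claims the DPoP drafts define (typ "dpop+jwt", the public key in the "jwk" header, jti/htm/htu/iat claims) for a POST to a hypothetical endpoint https://as.example/par, then runs a server-side verifier over several requests: the same endpoint with a query string (accepted, since htu carries no query or fragment), the same proof again (rejected as a jti replay), a GET to a hypothetical /authorize (htm mismatch) and a POST to a hypothetical /token (htu mismatch). The endpoint URLs, the 60-second iat window and the in-memory jti cache are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// JOSE header and claim set of a DPoP proof JWT as defined in the DPoP drafts.
type jwk struct {
	Kty, Crv, X, Y string
}
type dpopHeader struct {
	Typ string `json:"typ"`
	Alg string `json:"alg"`
	Jwk jwk    `json:"jwk"`
}
type dpopClaims struct {
	Jti string `json:"jti"`
	Htm string `json:"htm"`
	Htu string `json:"htu"`
	Iat int64  `json:"iat"`
}

func b64(b []byte) string    { return base64.RawURLEncoding.EncodeToString(b) }
func pad32(n *big.Int) []byte { out := make([]byte, 32); n.FillBytes(out); return out }

// htuOf reduces a request URL to the value compared against htu: the target
// URI without its query and fragment parts.
func htuOf(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	u.RawQuery, u.Fragment, u.RawFragment = "", "", ""
	return u.String(), nil
}

// newProof mints an ES256 DPoP proof bound to one HTTP method and target URI.
func newProof(key *ecdsa.PrivateKey, method, htu, jti string, iat time.Time) (string, error) {
	hb, _ := json.Marshal(dpopHeader{Typ: "dpop+jwt", Alg: "ES256",
		Jwk: jwk{Kty: "EC", Crv: "P-256", X: b64(pad32(key.X)), Y: b64(pad32(key.Y))}})
	cb, _ := json.Marshal(dpopClaims{Jti: jti, Htm: method, Htu: htu, Iat: iat.Unix()})
	input := b64(hb) + "." + b64(cb)
	d := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, d[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(append(pad32(r), pad32(s)...)), nil // JWS ES256 signature is R||S
}

// verifier is the server side: it checks a proof against the request it arrived
// on and remembers jti values so the same proof cannot be presented twice.
type verifier struct {
	seen map[string]bool
	now  func() time.Time
}

func (v *verifier) verify(proof, method, requestURL string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	hb, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	cb, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 {
		return errors.New("bad encoding")
	}
	var hdr dpopHeader
	var c dpopClaims
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &c) != nil {
		return errors.New("bad JSON")
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return errors.New("unexpected header")
	}
	xb, ex := base64.RawURLEncoding.DecodeString(hdr.Jwk.X)
	yb, ey := base64.RawURLEncoding.DecodeString(hdr.Jwk.Y)
	if ex != nil || ey != nil {
		return errors.New("bad jwk")
	}
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return errors.New("jwk not on curve")
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(&pub, d[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("bad signature")
	}
	// Binding to the request: method and normalized target URI must match exactly.
	if c.Htm != method {
		return fmt.Errorf("htm %q does not match request method %s", c.Htm, method)
	}
	if want, err := htuOf(requestURL); err != nil || c.Htu != want {
		return fmt.Errorf("htu %q does not match request target %s", c.Htu, want)
	}
	if skew := v.now().Unix() - c.Iat; skew < -60 || skew > 60 { // window is an assumption
		return errors.New("iat outside acceptance window")
	}
	if v.seen[c.Jti] {
		return errors.New("replayed jti")
	}
	v.seen[c.Jti] = true
	return nil
}

// scenarios mints one proof for POST https://as.example/par (hypothetical) and
// presents it on several requests; each entry is "ok" or the rejection reason.
func scenarios() map[string]string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	at := time.Unix(1700000000, 0) // fixed clock so the run is deterministic
	v := &verifier{seen: map[string]bool{}, now: func() time.Time { return at }}
	proof, err := newProof(key, "POST", "https://as.example/par", "jti-1", at)
	if err != nil {
		panic(err)
	}
	out := map[string]string{}
	check := func(name, method, target string) {
		out[name] = "ok"
		if err := v.verify(proof, method, target); err != nil {
			out[name] = err.Error()
		}
	}
	check("par-post-with-query", "POST", "https://as.example/par?client_id=c1")
	check("par-post-replay", "POST", "https://as.example/par")
	check("authorize-get", "GET", "https://as.example/authorize")
	check("token-post", "POST", "https://as.example/token")
	return out
}

func main() {
	for name, result := range scenarios() {
		fmt.Printf("%-22s %s\n", name, result)
	}
}
```

The point the scenarios make is that a proof is usable only for the one method and target URI it names, which is why a client that talks to a PAR endpoint, then an authorization endpoint, then a token endpoint has to decide which htu/htm each proof carries, and why the verifier must both strip the query string before comparing and keep a jti cache.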