Mike,

What was the reason for creating a separate draft for this? Why cannot this be folded into the existing DPoP draft?

Regards,
Rifaat

On Mon, Mar 9, 2020 at 8:12 PM Mike Jones <Michael.Jones= [email protected]> wrote:

> As I previously described <https://self-issued.info/?p=1967>, members of
> the OAuth working group have developed a simplified approach to providing
> application-level proof-of-possession protections for OAuth 2.0 access
> tokens and refresh tokens. This approach is called OAuth 2.0 Demonstration
> of Proof-of-Possession at the Application Layer (DPoP). Among other
> benefits, it does not require a complicated and error-prone procedure for
> signing HTTP requests, as some past approaches have.
>
> However, the DPoP specification to date has assumed that the client is
> using the OAuth authorization code flow. As promised at the last IETF
> meeting, we’ve now published a simple companion specification that
> describes how DPoP can be used with the OAuth implicit flow – in which
> access tokens are returned directly from the authorization endpoint. The
> specification is mercifully brief because very little had to be added to
> supplement the existing DPoP spec to enable use of DPoP with the implicit
> flow. Thanks to Brian Campbell and John Bradley for whiteboarding this
> solution with me.
>
> Finally, in a related development, it was decided during the OAuth virtual
> interim meeting today to call for working group adoption of the core DPoP
> draft. That’s an important step on the journey towards making it a
> standard.
>
> The specification is available at:
>
> - https://tools.ietf.org/html/draft-jones-oauth-dpop-implicit-00
>
> An HTML-formatted version is also available at:
>
> - https://self-issued.info/docs/draft-jones-oauth-dpop-implicit-00.html
>
> -- Mike
>
> P.S. This notice was also posted at https://self-issued.info/?p=2063 and
> as @selfissued <https://twitter.com/selfissued>.
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
