Public clients can create their own ephemeral key (say, non-exportable keys made with WebCrypto) to have bound to the access and refresh tokens at issuance time. DPoP is independent of the client authentication to the AS.
-DW

> On Oct 11, 2021, at 11:40 AM, Nikos Fotiou <[email protected]> wrote:
>
> Hi,
> How do you believe DPoP will be implemented in a browser? In particular, how
> the browser will retrieve client's private key and generate the appropriate
> signature? Do you imagine interoperability with a specification such as
> WebAuthn? Something else (e.g., DPoP-enabled "wallets")?
>
> Best,
> Nikos
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
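
The approach described in the reply above (an ephemeral, non-exportable WebCrypto key used for DPoP) can be sketched as follows; this is an added example, not code from the thread or from any OAuth project. The header and claim names (`typ: dpop+jwt`, `jwk`, `jti`, `htm`, `htu`, `iat`) come from the DPoP specification rather than from the email, the function names are hypothetical, and `verifyDpopProof` only checks the signature, not the other validation a server performs.

```javascript
// WebCrypto handle: global in browsers and recent Node; require() fallback for older Node.
const wc = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);

const b64url = (bytes) =>
  btoa(String.fromCharCode(...new Uint8Array(bytes)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const b64urlJson = (obj) => b64url(new TextEncoder().encode(JSON.stringify(obj)));

// Ephemeral P-256 key pair. extractable=false means script can sign with the
// private key but cannot export it; the public key stays exportable.
async function createDpopKey() {
  return wc.subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-256" }, false, ["sign", "verify"]);
}

// Build one DPoP proof JWT bound to a single HTTP method and URL.
async function createDpopProof(keyPair, htm, htu) {
  const { kty, crv, x, y } = await wc.subtle.exportKey("jwk", keyPair.publicKey);
  const header = { typ: "dpop+jwt", alg: "ES256", jwk: { kty, crv, x, y } };
  const payload = { jti: wc.randomUUID(), htm, htu, iat: Math.floor(Date.now() / 1000) };
  const signingInput = `${b64urlJson(header)}.${b64urlJson(payload)}`;
  // WebCrypto ECDSA returns raw r||s, the signature format JWS ES256 uses.
  const sig = await wc.subtle.sign(
    { name: "ECDSA", hash: "SHA-256" }, keyPair.privateKey,
    new TextEncoder().encode(signingInput));
  return `${signingInput}.${b64url(sig)}`;
}

// Receiver's view (signature check only): verify against the embedded public JWK.
async function verifyDpopProof(proof) {
  const [h, p, s] = proof.split(".");
  const decode = (part) => Uint8Array.from(
    atob(part.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
  const parse = (part) => JSON.parse(new TextDecoder().decode(decode(part)));
  const header = parse(h);
  const key = await wc.subtle.importKey(
    "jwk", header.jwk, { name: "ECDSA", namedCurve: "P-256" }, false, ["verify"]);
  const ok = await wc.subtle.verify(
    { name: "ECDSA", hash: "SHA-256" }, key, decode(s),
    new TextEncoder().encode(`${h}.${p}`));
  return { ok, header, payload: parse(p) };
}
```

The proof is sent in the `DPoP` request header alongside the token request or resource request; no client secret or client authentication is involved in producing it.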
