There are no plans to introduce client registration metadata for DPoP - the
requirement to use DPoP is more of a property of a resource so I don't
think registration metadata for a client fits very well.


On Tue, Oct 26, 2021 at 8:53 AM Dmitry Telegin <dmitryt=[email protected]> wrote:

> For dynamically registered clients, there is currently no way to indicate
> the intention to use DPoP. Hence, it's completely up to the AS whether to
> enforce DPoP or not on such clients (for example, using client registration
> policies).
>
> Seems like there is no common approach here; for example, RFC 8705 (OAuth
> 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens)
> does define client registration metadata (see section 9.5), whilst RFC 7636
> (PKCE) does not. I guess this is due to PKCE being initially conceived as a
> feature that would become mandatory in OAuth 2.1.
>
> Are there any plans to introduce client registration metadata for DPoP?
>
> Regards,
> Dmitry
> Backbase
>
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth
>
