Could we somehow clarify the relationship between DPoP and OIDC? (sorry if this is the wrong ML)
For example, it's relatively obvious that the OIDC UserInfo should support DPoP, as it is an OAuth 2.0 protected resource. What's not obvious is that the WWW-Authenticate challenge (in case of 401) will most likely contain multiple challenges (Bearer and DPoP), and it could be a bit tricky from the browser compatibility PoV.

Another non-obvious thing is that ID tokens could be DPoP-bound as well. Some technologies even rely on it, Solid-OIDC being a notable example: https://solid.github.io/solid-oidc/#tokens-id

Dmitry
Backbase / Keycloak
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
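The two points raised in the post (a UserInfo endpoint that must answer a 401 with both a Bearer and a DPoP challenge, and a DPoP-bound token, access token or ID token alike, whose `cnf.jkt` must match the key in the DPoP proof) are worked through below as an added example. This is not code from the post, from Keycloak or from Solid-OIDC. It assumes the token has already been signature-verified and decoded into a claims dict, and that the DPoP proof JWT has been parsed into its header dict; verifying the proof's own signature, `htm`/`htu`/`iat`/`jti`, needs a JOSE library and is left out. The key coordinates, claim values and header names used as sample input are constructed for the example. Only the standard library is used.

```python
"""DPoP-bound token check at an OAuth 2.0 protected resource (e.g. OIDC UserInfo).

Added example for the mailing-list discussion above; not Keycloak or Solid-OIDC code.
Assumptions (see lead-in): token claims and DPoP proof header arrive already parsed
and the token signature already verified; proof signature checking is out of scope.
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, names sorted, no whitespace, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def token_bound_to_proof(token_claims: dict, proof_header: dict) -> bool:
    """True iff the token's cnf.jkt is the thumbprint of the proof's public key (RFC 9449 s.6).

    Works the same for an access token and for a DPoP-bound ID token: both carry cnf.jkt.
    """
    jkt = token_claims.get("cnf", {}).get("jkt")
    jwk = proof_header.get("jwk")
    if not jkt or not isinstance(jwk, dict) or proof_header.get("typ") != "dpop+jwt":
        return False
    if "d" in jwk:  # a private key leaked into the proof header: treat as a broken client
        return False
    return hmac.compare_digest(jkt, jwk_thumbprint(jwk))


def _quote(value: str) -> str:
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def unauthorized_challenge(error: Optional[str] = None, error_description: Optional[str] = None,
                           realm: str = "userinfo", algs: Tuple[str, ...] = ("ES256", "PS256")) -> str:
    """WWW-Authenticate value for a 401 carrying both a Bearer (RFC 6750) and a DPoP (RFC 9449) challenge."""
    extra = [f"error={_quote(error)}"] if error else []
    if error_description:
        extra.append(f"error_description={_quote(error_description)}")
    bearer = ", ".join([f"realm={_quote(realm)}"] + extra)
    dpop = ", ".join([f"algs={_quote(' '.join(algs))}"] + extra)
    return f"Bearer {bearer}, DPoP {dpop}"


# One token per iteration: either name=value (quoted or unquoted) or a bare scheme name.
_CHALLENGE_TOKEN = re.compile(
    r'(?P<name>[A-Za-z0-9_-]+)\s*=\s*(?P<value>"(?:[^"\\]|\\.)*"|[^,\s]*)'
    r'|(?P<scheme>[A-Za-z0-9_-]+)'
)


def parse_www_authenticate(header: str) -> Dict[str, Dict[str, str]]:
    """Split a multi-challenge WWW-Authenticate header into {scheme: {param: value}}.

    This is the part a browser/JS client has to get right: a comma separates both
    challenges and parameters, so a scheme is recognised as a bare token without '='.
    """
    challenges: Dict[str, Dict[str, str]] = {}
    current = None
    for m in _CHALLENGE_TOKEN.finditer(header):
        if m.group("scheme"):
            current = challenges.setdefault(m.group("scheme"), {})
        elif current is not None:
            value = m.group("value")
            if value.startswith('"'):
                value = re.sub(r"\\(.)", r"\1", value[1:-1])
            current[m.group("name").lower()] = value
    return challenges


def authorize(auth_scheme: str, token_claims: dict, proof_header: Optional[dict]) -> Tuple[int, Optional[str]]:
    """Resource-server decision: (HTTP status, WWW-Authenticate value or None)."""
    bound = "jkt" in token_claims.get("cnf", {})
    if auth_scheme == "Bearer":
        # A DPoP-bound token presented as a bearer token must not be accepted (RFC 9449 s.7.1).
        return (401, unauthorized_challenge("invalid_token")) if bound else (200, None)
    if auth_scheme == "DPoP":
        if proof_header is None:
            return 401, unauthorized_challenge("invalid_dpop_proof", "DPoP header missing")
        if bound and token_bound_to_proof(token_claims, proof_header):
            return 200, None
        return 401, unauthorized_challenge("invalid_token", "token not bound to presented DPoP key")
    return 401, unauthorized_challenge()


# Constructed sample input (not a real key pair; coordinates are opaque strings here).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
              "y": "9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA"}
SAMPLE_PROOF_HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
SAMPLE_ACCESS_CLAIMS = {"sub": "user1", "scope": "openid", "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}
SAMPLE_ID_CLAIMS = {"iss": "https://op.example", "sub": "user1", "aud": "client1",
                    "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}

if __name__ == "__main__":
    print(authorize("DPoP", SAMPLE_ACCESS_CLAIMS, SAMPLE_PROOF_HEADER))
    print(authorize("Bearer", SAMPLE_ACCESS_CLAIMS, None))
    print(parse_www_authenticate(unauthorized_challenge("invalid_token")))
```

The `authorize` function shows the caveat that goes with the multiple-challenge behaviour: a client that falls back to `Authorization: Bearer` with a DPoP-bound token gets the same 401 as one with no token, so the client must pick the `DPoP` challenge when it holds the key, which is exactly where the parser above matters.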
