It's probably better to post this question in the OIDC working group
email list or file an issue with OpenID Connect. I think it is an
interesting and relevant question.
OpenID Connect does define the 'private_secret_jwt' mechanism which can
be used for client authentication and could be bound with the access or
refresh token.
Thanks,
George
On 2/16/22 6:03 PM, Dmitry Telegin wrote:
Could we somehow clarify the relationship between DPoP and OIDC?
(sorry if this is the wrong ML)
For example, it's relatively obvious that the OIDC UserInfo should
support DPoP, as it is an OAuth 2.0 protected resource. What's not
obvious is that the WWW-Authenticate challenge (in case of 401) will
most likely contain multiple challenges (Bearer and DPoP), and it
could be a bit tricky from the browser compatibility PoV.
Another non-obvious thing is that ID tokens could be DPoP-bound as
well. Some technologies even rely on it, Solid-OIDC being a notable
example: https://solid.github.io/solid-oidc/#tokens-id
Dmitry
Backbase / Keycloak
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
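The two points Dmitry raises (a UserInfo 401 carrying both a Bearer and a DPoP challenge, and ID tokens that are DPoP-bound via a cnf.jkt claim) are illustrated by the added example below. This is editor-written example code, not code from the thread, from Keycloak, from Solid-OIDC or from any IETF document. The sample header follows the multi-challenge shape RFC 9449 section 7.1 shows for a resource server; the exact header text, the EC JWK coordinates and the ID-token claims are constructed for the example, and treating a missing algs parameter as "unconstrained" is an assumption made here rather than something the thread states.

```python
"""
Added example (not from the mailing-list thread): parse a UserInfo 401
WWW-Authenticate header that carries several challenges (Bearer and DPoP),
decide which scheme to retry with, and check that an ID token is bound to
the client's DPoP key through cnf.jkt (RFC 7638 JWK thumbprint).
All sample inputs below are constructed for this example.
"""
import base64
import hashlib
import json
import re

# Constructed sample: a UserInfo 401 advertising both schemes, in the shape
# RFC 9449 section 7.1 uses. Note that auth-params and challenges are both
# comma-separated, which is what makes multi-challenge headers tricky.
SAMPLE_401_HEADER = (
    'Bearer realm="userinfo", error="invalid_token", '
    'error_description="Invalid bearer token", '
    'DPoP algs="ES256 PS256", error="invalid_token", '
    'error_description="Invalid DPoP key binding"'
)

# Constructed sample DPoP public key (P-256 shape; the coordinates are made up
# and do not describe a real curve point; the thumbprint does not check that).
SAMPLE_DPOP_JWK = {"kty": "EC", "crv": "P-256", "x": "ZXhhbXBsZS14", "y": "ZXhhbXBsZS15"}

# Tokenizer for the challenge grammar of RFC 9110 section 11.6.1: tokens,
# quoted-strings, '=' and ','. token68 data (e.g. base64 with '=' padding)
# is not handled here because the header being parsed does not use it.
_TOKEN_RE = re.compile(
    r'\s*(?:(?P<qs>"(?:[^"\\]|\\.)*")|(?P<sep>[=,])|(?P<tok>[^\s"=,]+))'
)


def _tokenize(header):
    header = header.strip()
    pos = 0
    while pos < len(header):
        m = _TOKEN_RE.match(header, pos)
        if not m:
            raise ValueError("bad WWW-Authenticate syntax at offset %d" % pos)
        pos = m.end()
        if m.group("qs"):
            # Drop the surrounding quotes and undo quoted-pair escapes.
            yield ("value", re.sub(r"\\(.)", r"\1", m.group("qs")[1:-1]))
        elif m.group("sep"):
            yield ("sep", m.group("sep"))
        else:
            yield ("tok", m.group("tok"))


def parse_challenges(header):
    """Return [(scheme, params), ...] in header order. Scheme and param names
    are lower-cased. A token followed by '=' is an auth-param of the current
    challenge; any other bare token starts a new challenge."""
    toks = list(_tokenize(header))
    challenges = []
    i = 0
    while i < len(toks):
        kind, text = toks[i]
        if kind == "sep" and text == ",":
            i += 1
            continue
        if kind != "tok":
            raise ValueError("expected auth-scheme or auth-param, got %r" % (text,))
        if i + 1 < len(toks) and toks[i + 1] == ("sep", "="):
            if not challenges:
                raise ValueError("auth-param before any auth-scheme")
            if i + 2 >= len(toks) or toks[i + 2][0] == "sep":
                raise ValueError("auth-param %s has no value" % text)
            challenges[-1][1][text.lower()] = toks[i + 2][1]
            i += 3
        else:
            challenges.append((text.lower(), {}))
            i += 1
    return challenges


def choose_scheme(header, client_has_dpop_key, client_algs=("ES256",)):
    """Pick how to retry a UserInfo request after a 401: DPoP when offered and
    the client can sign a proof with an advertised alg, else Bearer, else None.
    Assumption made here: a DPoP challenge without algs leaves the alg open."""
    offered = dict(parse_challenges(header))
    dpop = offered.get("dpop")
    if dpop is not None and client_has_dpop_key:
        algs = dpop.get("algs", "").split()
        if not algs or set(algs) & set(client_algs):
            return "DPoP"
    return "Bearer" if "bearer" in offered else None


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required public members serialised as JSON
    with keys in lexicographic order and no whitespace, base64url unpadded."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=").decode("ascii")


def id_token_is_bound_to(claims, jwk):
    """True when the ID token's cnf.jkt equals the thumbprint of the DPoP key,
    i.e. the token is DPoP-bound in the way Solid-OIDC requires."""
    cnf = claims.get("cnf") or {}
    return cnf.get("jkt") == jwk_thumbprint(jwk)


if __name__ == "__main__":
    for scheme, params in parse_challenges(SAMPLE_401_HEADER):
        print(scheme, params)
    print("retry with:", choose_scheme(SAMPLE_401_HEADER, client_has_dpop_key=True))
    bound_claims = {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(SAMPLE_DPOP_JWK)}}
    print("ID token DPoP-bound:", id_token_is_bound_to(bound_claims, SAMPLE_DPOP_JWK))
```

The parser is the part worth keeping: most HTTP client libraries expose WWW-Authenticate as one opaque string, and a client that only looks for the first scheme will never notice the DPoP challenge that follows the Bearer one. The cnf.jkt check is the resource-side counterpart for an ID token used as a credential; it only proves the key is named in the token, so a verifier still has to validate the accompanying DPoP proof signature, htm/htu and freshness as usual.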