Hi George,
the main reason for this is to facilitate a client implementation that
always sends the same kind of proof. For the client, there's no need to
distinguish between token request, resource request, or even PAR
request. Even though the key would only be needed once, of course.
-Daniel
On 17.02.22 at 14:57, George Fletcher wrote:
Hi,
I'm going to expose my ignorance here... but what is the rationale for
requiring the public key in every DPoP proof? Is there a security
reason? Or is it for ease of development? If large RSA keys are being
used, that public key is rather large for sending with every request
when even a fingerprint of the key would suffice to identify it.
From my reading of the spec, there isn't a way for a server that wants
to remember the public key in backend session state to optimize the proof.
Thanks,
George
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
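As an added illustration (my own code, not from either message nor from any DPoP implementation) of the two points above: the client keeps sending the full `jwk` in every proof, as Daniel describes, while a server that has already seen the key only needs to remember its RFC 7638 SHA-256 thumbprint, the fingerprint George asks about, which is also the `jkt` value DPoP binds access tokens to. The sample key, `jti` and `iat` values are constructed, and signature verification of the proof is assumed to be done separately by a JWS library.

```python
import base64
import hashlib
import json

# RFC 7638: only these required members, sorted and minified, are hashed.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint, base64url encoded: the 'jkt' DPoP uses."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())

def build_proof_prefix(jwk: dict, htm: str, htu: str) -> str:
    """Header and payload of a DPoP proof JWT as the client sends it; the
    signature is a placeholder because signing is outside this example."""
    header = {"typ": "dpop+jwt", "alg": jwk.get("alg", "RS256"), "jwk": jwk}
    payload = {"jti": "constructed-jti", "htm": htm, "htu": htu,
               "iat": 1645106220}  # constructed timestamp
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "SIGNATURE-PLACEHOLDER",
    ])

def proof_key_matches(proof: str, expected_jkt: str) -> bool:
    """Server side: accept the proof only if the jwk it carries is the key
    already bound to this session, compared by thumbprint so that only
    the jkt has to be stored rather than the whole public key."""
    header = json.loads(b64url_decode(proof.split(".")[0]))
    jwk = header.get("jwk")
    if header.get("typ") != "dpop+jwt" or not isinstance(jwk, dict):
        return False
    if "d" in jwk:  # a proof must never carry private key material
        return False
    return jwk_thumbprint(jwk) == expected_jkt

# Constructed sample key: not a real RSA modulus, just enough to run the check.
SAMPLE_JWK = {"kty": "RSA", "alg": "RS256", "kid": "constructed-key",
              "n": b64url_encode(b"\x01" * 32), "e": "AQAB"}
```

Because `alg` and `kid` are not thumbprint members, the stored `jkt` stays the same whichever of those optional fields the client includes in later proofs.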