We have an open issue <https://github.com/oauth-wg/oauth-identity-assertion-authz-grant/issues/28> in token exchange with ID Assertion Authorization Grant <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-assertion-authz-grant> that was recently adopted to add support for DPoP, so this is timely. We wanted to flow the key binding from the client's access token to the issued ID-JAG. OpenID Connect Key Binding <https://dickhardt.github.io/openid-key-binding/main.html> was also recently adopted in the OIDF ab-connect WG, which would allow for DPoP with an ID Token as the subject token, so we would need another param to support this use case. Your proposal of a new param makes sense and would be great to standardize so we don't define a different mechanism in ID-JAG.
-Karl

On Mon, Oct 13, 2025 at 12:40 AM Vladimir Dzhuvinov | Connect2id <[email protected]> wrote:
> The new document clarifying the use of DPoP with device grants is giving
> me hope that we'll agree on a similar DPoP spec for the token exchange.
> Have there been thoughts on this in the WG?
>
> The token exchange specs a *subject_token* and an optional *actor_token*.
> If any of these are DPoP bound, say the *subject_token* is a DPoP access
> token, the client has to include the DPoP + ath proof in the request. The
> DPoP header in token requests (according to RFC 9449) is reserved to enable
> a DPoP binding for the issued token. This means a DPoP header will not work
> for the *subject* / *actor_token*. My preference has been to use a
> dedicated form parameter - *subject_token_dpop* and *actor_token_dpop* for
> this purpose.
>
> Thoughts / comments on this?
>
> https://datatracker.ietf.org/doc/html/draft-parecki-oauth-dpop-device-flow
>
> --
> Vladimir Dzhuvinov
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
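The exchange Vladimir describes in the quoted message, a DPoP-bound subject_token presented to the token endpoint together with its own DPoP + ath proof while the DPoP header stays reserved for binding the token to be issued, as an added worked example in Go. It is not code from the thread, from RFC 9449 or from either draft. It builds and checks real ES256 DPoP proofs with only the Go standard library, and shows both sides: the client assembling the token-exchange form and the AS checking the subject proof. Assumptions: the form parameter name subject_token_dpop is the one proposed in the thread and is not a registered parameter; the token endpoint URL and the opaque subject token are constructed sample values; the AS side's bound map stands in for token introspection or the AS's own token store; actor_token would be handled the same way with a second parameter and is not shown, nor is the ID Token subject case Karl raises.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JOSE base64url without padding
// AccessTokenHash is the DPoP ath claim, base64url(SHA-256(token)); Thumbprint reuses the same hash.
func AccessTokenHash(token string) string { h := sha256.Sum256([]byte(token)); return enc.EncodeToString(h[:]) }
// NewKey generates the client's DPoP key pair (ES256 / P-256).
func NewKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// jwkOf returns the public JWK; json.Marshal sorts map keys, which is exactly the RFC 7638 thumbprint input.
func jwkOf(pub *ecdsa.PublicKey) map[string]string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]string{"crv": "P-256", "kty": "EC", "x": enc.EncodeToString(x), "y": enc.EncodeToString(y)}
}
// Thumbprint is the RFC 7638 JWK thumbprint, the value the AS records as a bound token's cnf.jkt.
func Thumbprint(pub *ecdsa.PublicKey) string { j, _ := json.Marshal(jwkOf(pub)); return AccessTokenHash(string(j)) }

// NewProof builds an ES256 DPoP proof JWT (RFC 9449); ath is set only when the proof accompanies an existing token.
func NewProof(priv *ecdsa.PrivateKey, htm, htu, ath string) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti)
	claims := map[string]any{"jti": enc.EncodeToString(jti), "htm": htm, "htu": htu, "iat": time.Now().Unix()}
	if ath != "" { claims["ath"] = ath } // a header proof that binds a newly issued token carries no ath
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwkOf(&priv.PublicKey)})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS raw r||s encoding
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyProof checks typ/alg, key thumbprint == wantJkt, htm/htu/ath and the signature; iat freshness and jti replay are the caller's job.
func VerifyProof(proof, htm, htu, wantAth, wantJkt string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 { return errors.New("malformed proof") }
	var hdr struct{ Typ, Alg string; Jwk map[string]string }
	var claims struct{ Htm, Htu, Ath string; Iat int64 }
	for i, v := range []any{&hdr, &claims} {
		if b, err := enc.DecodeString(parts[i]); err != nil || json.Unmarshal(b, v) != nil { return errors.New("undecodable proof") }
	}
	x, errX := enc.DecodeString(hdr.Jwk["x"])
	y, errY := enc.DecodeString(hdr.Jwk["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	sig, errS := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch {
	case hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk["kty"] != "EC" || hdr.Jwk["crv"] != "P-256" || errX != nil || errY != nil:
		return errors.New("unexpected typ, alg or jwk")
	case Thumbprint(pub) != wantJkt:
		return errors.New("proof key does not match the token's cnf.jkt")
	case claims.Htm != htm || claims.Htu != htu || claims.Ath != wantAth:
		return errors.New("htm, htu or ath mismatch")
	case errS != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return errors.New("invalid signature")
	}
	return nil
}

// TokenExchangeRequest is the client side: the ath-less DPoP header proof binds the token to be issued (RFC 9449); the proposed subject_token_dpop parameter carries the ath proof for subject_token.
func TokenExchangeRequest(priv *ecdsa.PrivateKey, endpoint, subjectToken string) (string, url.Values, error) {
	headerProof, err := NewProof(priv, "POST", endpoint, "")
	subjectProof, err2 := NewProof(priv, "POST", endpoint, AccessTokenHash(subjectToken))
	if err != nil || err2 != nil { return "", nil, errors.New("could not sign DPoP proofs") }
	form := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:token-exchange"}, "subject_token": {subjectToken},
		"subject_token_type": {"urn:ietf:params:oauth:token-type:access_token"}, "subject_token_dpop": {subjectProof}}
	return headerProof, form, nil
}

// ASVerify is the AS side; bound maps each DPoP-bound subject token to its cnf.jkt and stands in for introspection.
func ASVerify(bound map[string]string, endpoint string, form url.Values) error {
	tok, proof := form.Get("subject_token"), form.Get("subject_token_dpop")
	jkt, ok := bound[tok]
	if !ok || proof == "" { return errors.New("unknown subject_token or missing subject_token_dpop") }
	return VerifyProof(proof, "POST", endpoint, AccessTokenHash(tok), jkt)
}

func main() {
	priv, ep, subj := NewKey(), "https://as.example/token", "constructed-opaque-subject-token"
	headerProof, form, _ := TokenExchangeRequest(priv, ep, subj)
	bound := map[string]string{subj: Thumbprint(&priv.PublicKey)} // the AS knows the subject token's cnf.jkt
	fmt.Println("subject_token_dpop:", ASVerify(bound, ep, form))
	form.Set("subject_token_dpop", headerProof) // the ath-less header proof must not pass as the subject proof
	fmt.Println("header proof reused:", ASVerify(bound, ep, form))
}
```

Running it shows the subject_token_dpop proof verifying and the header proof being rejected with an ath mismatch when it is resubmitted in the form parameter: that is the reason the DPoP header cannot do double duty, since the AS needs a proof whose ath commits to the subject token and whose key thumbprint equals that token's cnf.jkt, and the header proof by design has no ath. The AS must also refuse a DPoP-bound subject_token that arrives without subject_token_dpop at all; otherwise a stolen bound token is usable at the token endpoint exactly as a bearer token would be. jti replay tracking and an iat window belong in a real AS and are left out here.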
