Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP

2020-12-01 Thread Brian Campbell
Thanks Dick. On Tue, Dec 1, 2020 at 1:43 PM Dick Hardt wrote: > I have 2 suggestions for the draft that I believe address the issues Denis > is bringing up: > > 1) call out that a DPoP proof can only be used once, and a new DPoP proof > is needed for every API call. Apologies if that is in the

Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP

2020-12-01 Thread Dick Hardt
I have 2 suggestions for the draft that I believe address the issues Denis is bringing up: 1) call out that a DPoP proof can only be used once, and a new DPoP proof is needed for every API call. Apologies if that is in the text -- but I could not find it doing a skim over the document. 2)

Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP

2020-12-01 Thread Daniel Fett
So what you are proposing is that the time window in which an RS accepts the DPoP proof is defined by the expiration time of the access token? DPoP proofs are intended to generally be short-lived and fresh for each request in order to provide some level of replay protection. There is no point

Re: [OAUTH-WG] Reminder - Interim Meeting to discuss DPoP

2020-12-01 Thread Denis
Hi Brian, Hi Denis, The choice to use "iat" vs. "exp" was made in the summer of last year. You can see some of the discussion from then in https://github.com/danielfett/draft-dpop/issues/38 . I believe it pretty well has consensus at this