Musings on Digital Identity

Month: February 2022

Four Months of Refinements to OAuth DPoP

A new draft of the OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) specification has been published that addresses four months’ worth of great review comments from the working group. Refinements made were:

  • Added Authorization Code binding via the dpop_jkt parameter.
  • Described the authorization code reuse attack and how dpop_jkt mitigates it.
  • Enhanced description of DPoP proof expiration checking.
  • Described nonce storage requirements and how nonce mismatches and missing nonces are self-correcting.
  • Specified the use of the use_dpop_nonce error for missing and mismatched nonce values.
  • Specified that authorization servers use 400 (Bad Request) errors to supply nonces and resource servers use 401 (Unauthorized) errors to do so.
  • Added a bit more about ath and pre-generated proofs to the security considerations.
  • Mentioned confirming the DPoP binding of the access token in the list of checks in the draft’s checking section (#checking).
  • Added the always_uses_dpop client registration metadata parameter.
  • Described the relationship between DPoP and Pushed Authorization Requests (PAR).
  • Updated references for drafts that are now RFCs.

I believe this brings us much closer to a final version.

The specification is available at:

JWK Thumbprint URI Draft Addressing Working Group Last Call Comments

Kristina Yasuda and I have published an updated JWK Thumbprint URI draft that addresses the OAuth Working Group Last Call (WGLC) comments received. Changes made were:

  • Added security considerations about multiple public keys corresponding to the same private key.
  • Added hash algorithm identifier after the JWK thumbprint URI prefix to make it explicit in a URI which hash algorithm is used.
  • Added reference to a registry for hash algorithm identifiers.
  • Added SHA-256 as a mandatory-to-implement hash algorithm to promote interoperability.
  • Acknowledged WGLC reviewers.
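Both the dpop_jkt authorization code binding in the DPoP draft above and the hash-algorithm-qualified thumbprint URI in this draft are built on the RFC 7638 JWK thumbprint. The Python below is an added example, not code from either draft: it computes the thumbprint, derives a dpop_jkt value and a thumbprint URI from it, and shows the token-endpoint comparison an authorization server makes. Assumptions: the URI prefix is the one in the published RFC 9278, hash algorithm names follow the IANA Named Information registry (sha-256), and the sample key is constructed.

```python
import base64
import hashlib
import hmac
import json

# JWK members RFC 7638 hashes per key type; everything else (kid, use,
# alg, x5c, ...) is excluded from the thumbprint input.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
    "oct": ("k", "kty"),
}
# Prefix as published in RFC 9278 (assumed to match the draft discussed here).
THUMBPRINT_URI_PREFIX = "urn:ietf:params:oauth:jwk-thumbprint"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict, hash_alg: str = "sha-256") -> bytes:
    """RFC 7638: hash the compact JSON of only the required members,
    with member names in lexicographic order."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required members {missing}")
    canonical = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}
    data = json.dumps(canonical, separators=(",", ":"), sort_keys=True)
    # "sha-256" is the IANA registry name; hashlib spells it "sha256".
    return hashlib.new(hash_alg.replace("-", ""), data.encode()).digest()

def dpop_jkt(jwk: dict) -> str:
    """dpop_jkt / cnf.jkt value: base64url SHA-256 thumbprint of the DPoP key."""
    return b64url(jwk_thumbprint(jwk, "sha-256"))

def jwk_thumbprint_uri(jwk: dict, hash_alg: str = "sha-256") -> str:
    """Thumbprint URI that names the hash algorithm explicitly in the URI."""
    return f"{THUMBPRINT_URI_PREFIX}:{hash_alg}:{b64url(jwk_thumbprint(jwk, hash_alg))}"

def code_binding_ok(stored_dpop_jkt: str, proof_public_jwk: dict) -> bool:
    """Token-endpoint check: the DPoP proof's key must be the one the
    authorization request bound the code to via dpop_jkt."""
    return hmac.compare_digest(stored_dpop_jkt, dpop_jkt(proof_public_jwk))

# Constructed sample key: coordinates are placeholders, not a real P-256 point.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "kid": "client-1", "use": "sig",
              "x": "A" * 43, "y": "B" * 43}
```

An authorization server stores dpop_jkt alongside the issued code and calls code_binding_ok with the public key from the DPoP proof on the token request; a mismatch rejects the code even if it was stolen in transit.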

The specification is available at:
