A new draft of the OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) specification has been published that addresses four months’ worth of great review comments from the working group. Refinements made were:
- Added Authorization Code binding via the
- Described the authorization code reuse attack and how
- Enhanced description of DPoP proof expiration checking.
- Described nonce storage requirements and how nonce mismatches and missing nonces are self-correcting.
- Specified the use of the use_dpop_nonce error for missing and mismatched nonce values.
- Specified that authorization servers use 400 (Bad Request) errors to supply nonces and resource servers use 401 (Unauthorized) errors to do so.
- Added a bit more about ath and pre-generated proofs to the security considerations.
- Mentioned confirming the DPoP binding of the access token in the list in (#checking).
- Added the always_uses_dpop client registration metadata parameter.
- Described the relationship between DPoP and Pushed Authorization Requests (PAR).
- Updated references for drafts that are now RFCs.
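Several of the items above describe server-side checks on a DPoP proof: the iat expiration window, the self-correcting nonce handshake with the use_dpop_nonce error (400 from an authorization server, 401 from a resource server), the ath binding to the access token, and confirming the token's DPoP binding. The following is an added example, written for this post and not code from the draft or its authors, that puts those claim-level checks together. It assumes the proof JWT's signature has already been verified by a JOSE library against the public key in the proof's jwk header; all key coordinates, tokens, URIs and nonces in it are constructed sample values, and the cnf.jkt comparison uses an RFC 7638 thumbprint.

```python
"""Claim-level checks a server applies to a DPoP proof (draft-ietf-oauth-dpop).
Added example, not code from the draft or its authors. Assumes the proof's
signature was already verified against the public key in its "jwk" header."""
import base64
import hashlib
import json
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members,
    lexicographically ordered, serialised without whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def access_token_hash(access_token: str) -> str:
    """The 'ath' claim value: base64url(SHA-256(ASCII(access_token)))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def nonce_challenge(nonce_store: set, is_authorization_server: bool) -> dict:
    """Missing or mismatched nonce is self-correcting: mint a fresh nonce,
    remember it, and hand it to the client (AS: 400, RS: 401)."""
    fresh = b64url(secrets.token_bytes(16))
    nonce_store.add(fresh)
    if is_authorization_server:
        return {"status": 400, "headers": {"DPoP-Nonce": fresh},
                "body": {"error": "use_dpop_nonce"}}
    return {"status": 401,
            "headers": {"WWW-Authenticate": 'DPoP error="use_dpop_nonce"',
                        "DPoP-Nonce": fresh}}


def invalid_proof(is_authorization_server: bool) -> dict:
    if is_authorization_server:
        return {"status": 400, "headers": {}, "body": {"error": "invalid_dpop_proof"}}
    return {"status": 401,
            "headers": {"WWW-Authenticate": 'DPoP error="invalid_dpop_proof"'}}


def check_dpop_proof(header: dict, claims: dict, *, method: str, uri: str, now: int,
                     nonce_store: Optional[set], access_token: Optional[str] = None,
                     token_jkt: Optional[str] = None, max_age: int = 60,
                     clock_skew: int = 5, is_authorization_server: bool = False) -> dict:
    """Return {"ok": True} or the error response the server should send.
    nonce_store=None means this server does not use DPoP nonces."""
    reject = invalid_proof(is_authorization_server)
    jwk = header.get("jwk")
    if header.get("typ") != "dpop+jwt" or not isinstance(jwk, dict) or "d" in jwk:
        return reject  # wrong type, no key, or a private key in the header
    if claims.get("htm") != method or claims.get("htu") != uri or "jti" not in claims:
        return reject  # proof is not bound to this request
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat < now - max_age or iat > now + clock_skew:
        return reject  # too old (e.g. pre-generated) or from the future
    if nonce_store is not None and claims.get("nonce") not in nonce_store:
        return nonce_challenge(nonce_store, is_authorization_server)
    if access_token is not None:  # resource-server-only checks
        if claims.get("ath") != access_token_hash(access_token):
            return reject  # proof was made for a different access token
        if jwk_thumbprint(jwk) != token_jkt:
            return reject  # token's cnf.jkt does not match the proof key
    return {"ok": True}


# Constructed sample data (not from the draft): made-up EC coordinates,
# a fictitious access token and resource URI, and a fixed clock.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
SAMPLE_TOKEN = "constructed.access.token"
SAMPLE_URI = "https://resource.example.org/protectedresource"
NOW = 1_700_000_000


def sample_claims(now: int = NOW, nonce: Optional[str] = None) -> dict:
    claims = {"jti": "constructed-jti-1", "htm": "GET", "htu": SAMPLE_URI,
              "iat": now - 10, "ath": access_token_hash(SAMPLE_TOKEN)}
    if nonce is not None:
        claims["nonce"] = nonce
    return claims


def demo() -> list:
    """Resource-server nonce flow: challenge, successful retry, stale proof."""
    store = set()  # nonces are required, none issued yet
    kwargs = dict(method="GET", uri=SAMPLE_URI, now=NOW, nonce_store=store,
                  access_token=SAMPLE_TOKEN, token_jkt=jwk_thumbprint(SAMPLE_JWK))
    first = check_dpop_proof(SAMPLE_HEADER, sample_claims(), **kwargs)
    nonce = first["headers"]["DPoP-Nonce"]
    second = check_dpop_proof(SAMPLE_HEADER, sample_claims(nonce=nonce), **kwargs)
    stale = check_dpop_proof(SAMPLE_HEADER, sample_claims(now=NOW - 3600, nonce=nonce), **kwargs)
    return [first, second, stale]
```

The nonce branch is what makes a missing or mismatched nonce self-correcting: the server stores the nonce it issues and the client simply retries with it, so no round trip is wasted on a hard failure. The iat window is what limits the value of a pre-generated proof, and the ath and jkt checks are the two halves of confirming that the presented access token is the one this key was bound to.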
I believe this brings us much closer to a final version.
The specification is available at: