This week Brian Campbell published an updated OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) draft addressing the Area Director review comments received. Thanks to Roman Danyliw for his useful review!
As Brian wrote, updates in this version of the specifiation were:
- Updates from Roman Danyliw’s AD review
- DPoP-Nonce now included in HTTP header field registration request
- Fixed section reference to URI Scheme-Based Normalization
- Attempt to better describe the rationale for SHA-256 only and expectations for how hash algorithm agility would be achieved if needed in the future
- Elaborate on the use of multiple WWW-Authenticate challenges by protected resources
- Fix access token request examples that were missing a client_id
The specification is available at: