As I previously described, members of the OAuth working group have developed a simplified approach to providing application-level proof-of-possession protections for OAuth 2.0 access tokens and refresh tokens. This approach is called OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP). Among other benefits, this approach does not require a complicated and error-prone procedure for signing HTTP requests, as some past approaches have.
However, the DPoP specification to date has assumed that the client is using the OAuth authorization code flow. As promised at the last IETF meeting, we’ve now published a simple companion specification that describes how DPoP can be used with the OAuth implicit flow — in which access tokens are returned directly from the authorization endpoint. The specification is mercifully brief because very little had to be added to supplement the existing DPoP spec to enable use of DPoP with the implicit flow. Thanks to Brian Campbell and John Bradley for whiteboarding this solution with me.
Finally, in a related development, it was decided during the OAuth virtual interim meeting today to call for working group adoption of the core DPoP draft. That’s an important step on the journey towards making it a standard.
The specification is available at:
An HTML-formatted version is also available at: