{"id":2254,"date":"2022-02-20T22:34:32","date_gmt":"2022-02-21T06:34:32","guid":{"rendered":"https:\/\/self-issued.info\/?p=2254"},"modified":"2022-03-03T10:32:23","modified_gmt":"2022-03-03T18:32:23","slug":"four-months-of-refinements-to-oauth-dpop","status":"publish","type":"post","link":"https:\/\/self-issued.info\/?p=2254","title":{"rendered":"Four Months of Refinements to OAuth DPoP"},"content":{"rendered":"<p><span class=\"plain\"><img decoding=\"async\" align=\"right\" alt=\"OAuth logo\" src=\"https:\/\/self-issued.info\/images\/oauth_logo_120x120.png\"><\/span>A new draft of the OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) specification has been published that addresses four months&#8217; worth of great review comments from the working group.  Refinements made were:<\/p>\n<ul>\n<li>Added Authorization Code binding via the <code>dpop_jkt<\/code> parameter.<\/li>\n<li>Described the authorization code reuse attack and how <code>dpop_jkt<\/code> mitigates it.<\/li>\n<li>Enhanced description of DPoP proof expiration checking.<\/li>\n<li>Described nonce storage requirements and how nonce mismatches and missing nonces are self-correcting.<\/li>\n<li>Specified the use of the <code>use_dpop_nonce<\/code> error for missing and mismatched nonce values.<\/li>\n<li>Specified that authorization servers use <code>400<\/code> (Bad Request) errors to supply nonces and resource servers use <code>401<\/code> (Unauthorized) errors to do so.<\/li>\n<li>Added a bit more about <code>ath<\/code> and pre-generated proofs to the security considerations.<\/li>\n<li>Mentioned confirming the DPoP binding of the access token in the list in (#checking).<\/li>\n<li>Added the <code>always_uses_dpop<\/code> client registration metadata parameter.<\/li>\n<li>Described the relationship between DPoP and Pushed Authorization Requests (PAR).<\/li>\n<li>Updated references for drafts that are now RFCs.<\/li>\n<\/ul>\n<p>I believe this brings us much closer to a final version.<\/p>\n<p>The specification is available at:<\/p>\n<ul>\n<li><a href=\"https:\/\/tools.ietf.org\/id\/draft-ietf-oauth-dpop-05.html\">https:\/\/tools.ietf.org\/id\/draft-ietf-oauth-dpop-05.html<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A new draft of the OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) specification has been published that addresses four months&#8217; worth of great review comments from the working group. Refinements made were: Added Authorization Code binding via the dpop_jkt parameter. Described the authorization code reuse attack and how dpop_jkt mitigates it. Enhanced [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32,26,25],"tags":[],"class_list":["post-2254","post","type-post","status-publish","format-standard","hentry","category-ietf","category-oauth","category-specifications"],"_links":{"self":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2254"}],"version-history":[{"count":2,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2254\/revisions"}],"predecessor-version":[{"id":2257,"href":"https:\/\/self-issued.info\/index.php?rest_route=\/wp\/v2\/posts\/2254\/revisions\/2257"}],"wp:attachment":[{"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/self-issued.info\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}