{"id":2417,"date":"2023-09-07T17:16:47","date_gmt":"2023-09-08T00:16:47","guid":{"rendered":"https:\/\/self-issued.info\/?p=2417"},"modified":"2025-05-20T09:35:22","modified_gmt":"2025-05-20T16:35:22","slug":"oauth-2-0-demonstrating-proof-of-possession-dpop-is-now-rfc-9449","status":"publish","type":"post","link":"https:\/\/self-issued.info\/?p=2417","title":{"rendered":"OAuth 2.0 Demonstrating Proof of Possession (DPoP) is now RFC 9449"},"content":{"rendered":"

\"OAuth<\/span>The OAuth 2.0 Demonstrating Proof of Possession (DPoP) specification has been published as RFC 9449<\/a>! As Vittorio Bertocci wrote<\/a>, “One of the specs with the highest potential for (positive) impact in recent years.” I couldn’t agree more!<\/p>\n

The concise abstract says it all:<\/p>\n

\nThis document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.<\/p><\/blockquote>\n

As I described in my 2022 Identiverse presentation on DPoP<\/a> it’s been a Long and Winding Road to get here. Efforts at providing practical proof of possession protection for tokens have included:<\/p>\n