OAuth 2.0 Demonstrating Proof of Possession (DPoP)
RFC 9449
- Category: Standards Track
- ISSN: 2070-1721
- Authors: D. Fett (Authlete), B. Campbell (Ping Identity), J. Bradley (Yubico), T. Lodderstedt (Tuconic), M. Jones (Self-Issued Consulting), D. Waite (Ping Identity)
- Date: September 2023
Abstract
This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.
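The sender-constraining mechanism the abstract summarises, as an added example that is not part of RFC 9449 and not code from its authors. It follows the DPoP proof layout that Sections 4.2 and 4.3 of the RFC specify (a JWS of type dpop+jwt whose header carries the client's public key and whose claims bind the proof to one HTTP method and URI through htm and htu, with a unique jti and an iat timestamp), and the JWK thumbprint of RFC 7638 as the value the access token is bound to. Everything else is this example's own: the names MakeProof, Verifier, Check and Demo, the 300-second iat tolerance, the P-256-only JWK handling, and the sample request URI, which is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url
// jwk is the public key carried in the proof's "jwk" header; string members only (enough for P-256).
type jwk = map[string]string

func pubToJWK(pub *ecdsa.PublicKey) jwk {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return jwk{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 of the required members, lexicographic order, no whitespace.
func Thumbprint(k jwk) string {
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k["crv"], k["kty"], k["x"], k["y"])))
	return b64.EncodeToString(h[:])
}

// MakeProof signs a DPoP proof JWT for one request: fresh jti, method (htm), URI (htu), issue time (iat).
func MakeProof(priv *ecdsa.PrivateKey, method, uri, jti string, iat int64) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": pubToJWK(&priv.PublicKey)})
	body, _ := json.Marshal(map[string]any{"jti": jti, "htm": method, "htu": uri, "iat": iat})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS ES256: raw R||S
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier is the resource-server side: the thumbprint the access token is bound to (cnf.jkt) and the jti values already accepted.
type Verifier struct {
	BoundJKT string
	seen     map[string]bool
}

func (v *Verifier) Check(proof, method, uri string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("proof is not a compact JWS")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	bodyJSON, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Typ, Alg string; Jwk jwk }
	var body struct{ Jti, Htm, Htu string; Iat int64 }
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(hdrJSON, &hdr) != nil || json.Unmarshal(bodyJSON, &body) != nil {
		return errors.New("malformed proof")
	}
	xb, ex := b64.DecodeString(hdr.Jwk["x"])
	yb, ey := b64.DecodeString(hdr.Jwk["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	skew := time.Now().Unix() - body.Iat
	switch {
	case hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk["kty"] != "EC" || hdr.Jwk["crv"] != "P-256":
		return errors.New("unexpected typ, alg or key type") // allow-list: never "none" or an HMAC alg
	case ex != nil || ey != nil || !pub.IsOnCurve(pub.X, pub.Y):
		return errors.New("invalid public key")
	case !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return errors.New("signature does not verify")
	case body.Htm != method || body.Htu != uri:
		return errors.New("htm/htu do not match this request") // a proof is spendable only on the request it names
	case skew > 300 || skew < -300: // clock-drift tolerance in seconds, a local choice
		return errors.New("iat outside the acceptable window")
	case Thumbprint(hdr.Jwk) != v.BoundJKT:
		return errors.New("proof key is not the key the token is bound to")
	case v.seen[body.Jti]:
		return errors.New("replayed jti")
	}
	v.seen[body.Jti] = true
	return nil
}

// Demo runs one exchange: a fresh proof is accepted, its replay is rejected, and a second proof presented on a different method is rejected.
func Demo() (fresh, replay, wrongMethod error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	v := &Verifier{BoundJKT: Thumbprint(pubToJWK(&priv.PublicKey)), seen: map[string]bool{}}
	uri := "https://rs.example/resource" // constructed sample request
	p1, _ := MakeProof(priv, "GET", uri, "jti-1", time.Now().Unix())
	p2, _ := MakeProof(priv, "GET", uri, "jti-2", time.Now().Unix())
	return v.Check(p1, "GET", uri), v.Check(p1, "GET", uri), v.Check(p2, "POST", uri)
}
```

The point the abstract makes is visible in Check: a stolen access token is useless without the private key, because every request needs a fresh signature over that request's own method and URI, and a captured proof cannot be replayed because its jti is remembered and its iat ages out. A production verifier would also bound the size of the seen set to the iat window and, where the RFC's ath claim and server-provided nonce are in use, check those too.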
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc9449.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
- 1. Introduction
  - 1.1. Conventions and Terminology
- 2. Objectives
- 3. Concept
- 4. DPoP Proof JWTs
  - 4.1. The DPoP HTTP Header
  - 4.2. DPoP Proof JWT Syntax
  - 4.3. Checking DPoP Proofs
- 5. DPoP Access Token Request
  - 5.1. Authorization Server Metadata
  - 5.2. Client Registration Metadata
- 6. Public Key Confirmation
  - 6.1. JWK Thumbprint Confirmation Method
  - 6.2. JWK Thumbprint Confirmation Method in Token Introspection
- 7. Protected Resource Access
  - 7.1. The DPoP Authentication Scheme
  - 7.2. Compatibility with the Bearer Authentication Scheme
  - 7.3. Client Considerations
- 8. Authorization Server-Provided Nonce
  - 8.1. Nonce Syntax
  - 8.2. Providing a New Nonce Value
- 9. Resource Server-Provided Nonce
- 10. Authorization Code Binding to a DPoP Key
  - 10.1. DPoP with Pushed Authorization Requests
- 11. Security Considerations
  - 11.1. DPoP Proof Replay
  - 11.2. DPoP Proof Pre-generation
  - 11.3. DPoP Nonce Downgrade
  - 11.4. Untrusted Code in the Client Context
  - 11.5. Signed JWT Swapping
  - 11.6. Signature Algorithms
  - 11.7. Request Integrity
  - 11.8. Access Token and Public Key Binding
  - 11.9. Authorization Code and Public Key Binding
  - 11.10. Hash Algorithm Agility
  - 11.11. Binding to Client Identity
- 12. IANA Considerations
  - 12.1. OAuth Access Token Types Registration
  - 12.2. OAuth Extensions Error Registration
  - 12.3. OAuth Parameters Registration
  - 12.4. HTTP Authentication Schemes Registration
  - 12.5. Media Type Registration
  - 12.6. JWT Confirmation Methods Registration
  - 12.7. JSON Web Token Claims Registration
  - 12.8. Hypertext Transfer Protocol (HTTP) Field Name Registration
  - 12.9. OAuth Authorization Server Metadata Registration
  - 12.10. OAuth Dynamic Client Registration Metadata
- 13. References
  - 13.1. Normative References
  - 13.2. Informative References