3. Concept
The main data structure introduced by this specification is a DPoP proof JWT that is sent as a header in an HTTP request, as described in detail below. A client uses a DPoP proof JWT to prove the possession of a private key corresponding to a certain public key.
Roughly speaking, a DPoP proof is a signature over:
-
some data of the HTTP request to which it is attached,
-
a timestamp,
-
a unique identifier,
-
an optional server-provided nonce, and
-
a hash of the associated access token when an access token is present within the request.
+--------+ +---------------+
| |--(A)-- Token Request ------------------->| |
| Client | (DPoP Proof) | Authorization |
| | | Server |
| |<-(B)-- DPoP-Bound Access Token ----------| |
| | (token_type=DPoP) +---------------+
| |
| |
| | +---------------+
| |--(C)-- DPoP-Bound Access Token --------->| |
| | (DPoP Proof) | Resource |
| | | Server |
| |<-(D)-- Protected Resource ---------------| |
| | +---------------+
+--------+
Figure 1: Basic DPoP Flow
The basic steps of an OAuth flow with DPoP (without the optional nonce) are shown in Figure 1.
A. In the token request, the client sends an authorization grant (e.g., an authorization code, refresh token, etc.) to the authorization server in order to obtain an access token (and potentially a refresh token). The client attaches a DPoP proof to the request in an HTTP header.
B. The authorization server binds (sender-constrains) the access token to the public key claimed by the client in the DPoP proof; that is, the access token cannot be used without proving possession of the respective private key. If a refresh token is issued to a public client, it is also bound to the public key of the DPoP proof.
C. To use the access token, the client has to prove possession of the private key by, again, adding a header to the request that carries a DPoP proof for that request. The resource server needs to receive information about the public key to which the access token is bound. This information may be encoded directly into the access token (for JWT-structured access tokens) or provided via token introspection endpoint (not shown). The resource server verifies that the public key to which the access token is bound matches the public key of the DPoP proof. It also verifies that the access token hash in the DPoP proof matches the access token presented in the request.
D. The resource server refuses to serve the request if the signature check fails or if the data in the DPoP proof is wrong, e.g., the target URI does not match the URI claim in the DPoP proof JWT. The access token itself, of course, must also be valid in all other respects.
The DPoP mechanism presented herein is not a client authentication method. In fact, a primary use case of DPoP is for public clients (e.g., single-page applications and applications on a user's device) that do not use client authentication. Nonetheless, DPoP is designed to be compatible with private_key_jwt and all other client authentication methods.
DPoP does not directly ensure message integrity, but it relies on the TLS layer for that purpose. See Section 11 for details.