On 28/03/2019 11:17, Daniel Fett wrote:
Hi all,

I published the first version of the DPoP draft at https://tools.ietf.org/html/draft-fett-oauth-dpop-00

Abstract

This document defines a sender-constraint mechanism for OAuth 2.0 access tokens and refresh tokens utilizing an application-level proof-of-possession mechanism based on public/private key pairs.

Thanks for the feedback I received so far from John, Mike, Torsten, and others during today's session or before!

If you find any errors, I would welcome it if you opened an issue in the GitHub repository at https://github.com/webhamster/draft-dpop

- Daniel

A quick nit: in figure 3 you seem to be using the "jwk" claim to include the pop-key in the token. Any reason for not using the "cnf" claim from RFC 7800?

/Ludwig

--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
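
The two token layouts the nit above contrasts, as an added example that is not part of the thread or the draft: a top-level "jwk" claim, as the reply describes figure 3, and the RFC 7800 "cnf" claim carrying a "jwk" member. The function names, the constructed sample key and the choice of RFC 7638 thumbprints for key comparison are assumptions of this example.

```python
import base64, hashlib, hmac, json

# Members that enter an RFC 7638 thumbprint, per key type.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
            "OKP": ("crv", "kty", "x")}

def jwk_thumbprint(jwk):
    """SHA-256 JWK thumbprint (RFC 7638), base64url without padding."""
    names = REQUIRED.get(jwk.get("kty"))
    if names is None or any(not isinstance(jwk.get(n), str) for n in names):
        raise ValueError("unsupported or incomplete JWK")
    canonical = json.dumps({n: jwk[n] for n in names},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def pop_key_from_claims(claims):
    """Return the proof-of-possession public JWK from decoded token claims.

    Accepts the RFC 7800 form {"cnf": {"jwk": ...}} and the top-level
    {"jwk": ...} form; rejects tokens where the two disagree.
    """
    cnf = claims.get("cnf")
    nested = cnf.get("jwk") if isinstance(cnf, dict) else None
    top = claims.get("jwk")
    found = [k for k in (nested, top) if isinstance(k, dict)]
    if not found:
        raise ValueError("token carries no confirmation key")
    if any("d" in k for k in found):
        raise ValueError("private key material in token")
    if len(found) == 2 and jwk_thumbprint(nested) != jwk_thumbprint(top):
        raise ValueError("conflicting confirmation keys")
    return found[0]

def token_bound_to(claims, proof_jwk):
    """True if the key that signed the proof is the key the token names."""
    return hmac.compare_digest(jwk_thumbprint(pop_key_from_claims(claims)),
                               jwk_thumbprint(proof_jwk))

# Constructed sample key: placeholder coordinates, not a valid curve point.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "Y29uc3RydWN0ZWQteA", "y": "Y29uc3RydWN0ZWQteQ"}
OTHER_JWK = dict(SAMPLE_JWK, x="b3RoZXIta2V5LXg")
TOKEN_CNF = {"sub": "someone@example.com", "cnf": {"jwk": SAMPLE_JWK}}
TOKEN_TOP = {"sub": "someone@example.com", "jwk": SAMPLE_JWK}
```

The signature on the token and on the proof must already have been verified before these claims are trusted; the block only covers locating and comparing the confirmation key.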