I personally hope we don’t. JAR already gives us signed requests at the authorization endpoint, though the last piece would be binding the token.
— Justin > On Jul 15, 2021, at 6:47 PM, Dmitry Telegin > <dmitryt=40backbase....@dmarc.ietf.org> wrote: > > Hi, > > The DPoP spec currently defines how to obtain a DPoP-bound token via token > endpoint invocations (namely, authorization_code and refresh_token grants). > But it is also possible to obtain access token prior to code-to-token > exchange, via OAuth implicit/hybrid flows. > > Do we have any plans to support DPoP in authorization endpoint (in addition > to token endpoint) and implicit/hybrid flows? Is yes, what it might look > like? a "dpop" request parameter or a "DPoP" header? > > Regards, > Dmitry > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
