Binding the token would be required for OAuth or Connect to meet the SP800-63 FAL3 requirements.
Something like DPoP might work. I don't think DPoP itself should directly add support.

I don't know if people really care about FAL3, unfortunately the simple solution of using token-binding seems quite dead in browsers.

John B.

On Fri, Jul 16, 2021, 12:29 PM Justin Richer <jric...@mit.edu> wrote:

> I personally hope we don’t. JAR already gives us signed requests at the
> authorization endpoint, though the last piece would be binding the token.
>
> — Justin
>
> > On Jul 15, 2021, at 6:47 PM, Dmitry Telegin <dmitryt=40backbase....@dmarc.ietf.org> wrote:
> >
> > Hi,
> >
> > The DPoP spec currently defines how to obtain a DPoP-bound token via
> > token endpoint invocations (namely, authorization_code and refresh_token
> > grants). But it is also possible to obtain an access token prior to
> > code-to-token exchange, via OAuth implicit/hybrid flows.
> >
> > Do we have any plans to support DPoP in the authorization endpoint (in
> > addition to the token endpoint) and implicit/hybrid flows? If yes, what
> > might it look like? A "dpop" request parameter or a "DPoP" header?
> >
> > Regards,
> > Dmitry
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
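
For readers following the thread, this is what a "DPoP-bound token" means in practice, as an added example that is not part of the original messages or of the DPoP draft text: the client signs a proof JWT with its key, and the server accepts the token only if the proof's key thumbprint matches the `cnf.jkt` value bound to the token. The function names (`makeProof`, `verifyBinding`) and result strings are hypothetical, ES256 is assumed, and `jti` replay tracking is left out.

```javascript
// Added example; makeProof/verifyBinding and the result strings are hypothetical names.
const crypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');

// RFC 7638 thumbprint of an EC public JWK: required members in lexicographic order.
function jwkThumbprint(jwk) {
  const canon = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y });
  return crypto.createHash('sha256').update(canon).digest('base64url');
}

// Client side: DPoP proof JWT (typ dpop+jwt) carrying the public key in its header.
function makeProof(keyPair, htm, htu, iat) {
  const { crv, kty, x, y } = keyPair.publicKey.export({ format: 'jwk' });
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: { crv, kty, x, y } };
  const claims = { jti: crypto.randomUUID(), htm, htu, iat };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: keyPair.privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Server side: verify the proof, then check it against the token's cnf.jkt.
// A production verifier would also remember jti values to reject replays.
function verifyBinding(proof, cnfJkt, htm, htu, now, maxAgeSec = 60) {
  try {
    const parts = proof.split('.');
    if (parts.length !== 3) return 'malformed';
    const header = JSON.parse(Buffer.from(parts[0], 'base64url'));
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
    const jwk = header.jwk;
    if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256') return 'bad-header';
    // Pin key type to the algorithm and refuse a header that leaks a private key.
    if (jwk.kty !== 'EC' || jwk.crv !== 'P-256' || 'd' in jwk) return 'bad-header';
    const pub = crypto.createPublicKey({ key: jwk, format: 'jwk' });
    const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
      { key: pub, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
    if (!ok) return 'bad-signature';
    if (claims.htm !== htm || claims.htu !== htu) return 'wrong-request';
    if (Math.abs(now - claims.iat) > maxAgeSec) return 'stale';
    return jwkThumbprint(jwk) === cnfJkt ? 'ok' : 'key-mismatch';
  } catch {
    return 'malformed'; // unparsable JWT parts or an unusable JWK
  }
}
```

A proof signed by any other key fails with `key-mismatch` even though its signature is valid, which is the property that makes a stolen bearer token useless without the client's private key.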