Binding tokens issued directly from the authorization endpoint has been intentionally considered out of scope for the main DPoP draft.
This draft https://datatracker.ietf.org/doc/html/draft-jones-oauth-dpop-implicit-00 was written that explores what it might look like. But it hasn't seen a lot of interest or momentum. On Thu, Jul 15, 2021 at 4:47 PM Dmitry Telegin <dmitryt= 40backbase....@dmarc.ietf.org> wrote: > Hi, > > The DPoP spec currently defines how to obtain a DPoP-bound token via token > endpoint invocations (namely, authorization_code and refresh_token grants). > But it is also possible to obtain access token prior to code-to-token > exchange, via OAuth implicit/hybrid flows. > > Do we have any plans to support DPoP in authorization endpoint (in > addition to token endpoint) and implicit/hybrid flows? Is yes, what it > might look like? a "dpop" request parameter or a "DPoP" header? > > Regards, > Dmitry > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
