Binding the access token is not required for FAL3. FAL has nothing to say about access tokens:

https://pages.nist.gov/800-63-FAQ/#q-c8

FAL3 is about presenting proof of a key representing the user alongside an assertion representing the user. In OIDC this would mean something like the ID token having a key identifier inside of it and the RP prompting the user for the key. This has nothing to do with access tokens, or even calling an identity API like a UserInfo Endpoint. DPoP doesn’t help with any of that since DPoP is about access tokens.

 — Justin

> On Jul 16, 2021, at 1:18 PM, John Bradley <ve7...@ve7jtb.com> wrote:
> 
> Binding the token would be required for OAuth or Connect to meet the SP800-63 FAL3 requirements.
> 
> Something like DPoP might work. I don't think DPoP itself should directly add support.
> 
> I don't know if people really care about FAL3; unfortunately the simple solution of using token-binding seems quite dead in browsers.
> 
> John B.
> 
> On Fri, Jul 16, 2021, 12:29 PM Justin Richer <jric...@mit.edu> wrote:
> I personally hope we don’t. JAR already gives us signed requests at the authorization endpoint, though the last piece would be binding the token.
> 
> — Justin
> 
> > On Jul 15, 2021, at 6:47 PM, Dmitry Telegin <dmitryt=40backbase....@dmarc.ietf.org> wrote:
> > 
> > Hi,
> > 
> > The DPoP spec currently defines how to obtain a DPoP-bound token via token endpoint invocations (namely, authorization_code and refresh_token grants). But it is also possible to obtain an access token prior to code-to-token exchange, via OAuth implicit/hybrid flows.
> > 
> > Do we have any plans to support DPoP in the authorization endpoint (in addition to the token endpoint) and implicit/hybrid flows? If yes, what might it look like? A "dpop" request parameter or a "DPoP" header?
> > 
> > Regards,
> > Dmitry
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth