As described during the OAuth Security Workshop session on DPoP, I created a pull request adding the dpop_jkt authorization request parameter to use for binding the authorization code to the client's DPoP key. See https://github.com/danielfett/draft-dpop/pull/89.
This is an alternative to https://github.com/danielfett/draft-dpop/pull/86, which achieved this binding using a new DPoP PKCE method. Using this alternative allows PKCE implementations to be unmodified, while adding DPoP in new code, which may be an advantage in some deployments. Please review and comment. Note that I plan to add more of the attack description written by Pieter Kasselman to the security considerations in a future commit. This attack description was sent by Pieter yesterday in a message with the subject "Authorization Code Log File Attack (was DPoP Interim Meeting Minutes)".

-- Mike
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth