The token exchange spec defines a *subject_token* and an optional *actor_token*. If any of these are DPoP bound, say the *subject_token* is a DPoP access token, the client has to include the DPoP + ath proof in the request. The DPoP header in token requests (according to RFC 9449) is reserved to enable a DPoP binding for the issued token. This means a DPoP header will not work for the *subject_token* / *actor_token*. My preference has been to use dedicated form parameters - *subject_token_dpop* and *actor_token_dpop* - for this purpose.
Thoughts / comments on this?
https://datatracker.ietf.org/doc/html/draft-parecki-oauth-dpop-device-flow
-- Vladimir Dzhuvinov
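An added example (my own code, not from the post, the draft it links, or any OAuth implementation) of what a token endpoint would do with the two proofs the post keeps apart: the DPoP request header, which RFC 9449 reserves for binding the token about to be issued, and a `subject_token_dpop` form parameter carrying a proof with `ath` over the presented subject token. The parameter name is the one the post proposes and is not defined by any RFC; the endpoint URL, the sample key and the stand-in signature scheme are constructed for the example, and JWS signature verification is delegated to a caller-supplied callable so the block runs without a JOSE library. The claims of the subject token are assumed to have been validated already (the AS issued that token and can check it itself); what this code adds is the possession check: structure, `ath`, `cnf.jkt` binding, `htm`/`htu`, freshness and `jti` replay.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_ENDPOINT = "https://as.example/token"   # assumed endpoint URL for the htu check


class DPoPError(Exception):
    pass


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def access_token_hash(token: str) -> str:
    """ath claim value (RFC 9449 section 4.3): base64url(SHA-256(ASCII access token))."""
    return b64url_encode(hashlib.sha256(token.encode("ascii")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]}, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def verify_dpop_proof(proof: str, htm: str, htu: str, verify_sig: Callable[[dict, str, bytes, bytes], bool],
                      seen_jti: set, *, ath: Optional[str] = None, now: Optional[float] = None,
                      max_age: int = 60) -> str:
    """Check one DPoP proof JWT and return the thumbprint of the key that signed it.
    ath=None means a plain token-request proof (nothing to hash); otherwise the claim is required."""
    try:
        h, p, s = proof.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError as e:                      # covers bad split, bad base64 and bad JSON
        raise DPoPError("malformed proof JWT") from e
    if header.get("typ") != "dpop+jwt":
        raise DPoPError("typ must be dpop+jwt")
    alg = header.get("alg", "")
    if alg == "none" or alg.startswith("HS"):
        raise DPoPError("proof must use an asymmetric JWS algorithm")
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:  # "d" is the private member for EC, RSA and OKP keys
        raise DPoPError("header must carry a public JWK")
    if not verify_sig(jwk, alg, f"{h}.{p}".encode("ascii"), b64url_decode(s)):
        raise DPoPError("bad proof signature")
    if claims.get("htm") != htm or claims.get("htu") != htu:
        raise DPoPError("htm/htu do not match this request")
    now = time.time() if now is None else now
    iat = claims.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_age:
        raise DPoPError("proof is not fresh")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise DPoPError("missing or replayed jti")
    if ath is not None and not hmac.compare_digest(str(claims.get("ath", "")), ath):
        raise DPoPError("ath does not match the presented token")
    seen_jti.add(jti)
    return jwk_thumbprint(jwk)


def handle_token_exchange(headers: dict, form: dict, subject_claims: dict, verify_sig, seen_jti: set,
                          *, now=None) -> dict:
    """subject_claims: already-validated claims of form['subject_token'] (assumed checked by the AS).
    Returns the subject and the thumbprint the issued token must be bound to (None without a DPoP header)."""
    if form.get("grant_type") != TOKEN_EXCHANGE:
        raise DPoPError("not a token-exchange request")
    bound_jkt = (subject_claims.get("cnf") or {}).get("jkt")
    if bound_jkt:
        # The DPoP *header* is never taken as proof for the subject token: it carries no ath and
        # RFC 9449 reserves it for binding the issued token. The proof must come in subject_token_dpop.
        proof = form.get("subject_token_dpop")
        if not proof:
            raise DPoPError("subject_token is DPoP-bound; subject_token_dpop is required")
        jkt = verify_dpop_proof(proof, "POST", TOKEN_ENDPOINT, verify_sig, seen_jti,
                                ath=access_token_hash(form["subject_token"]), now=now)
        if not hmac.compare_digest(jkt, bound_jkt):
            raise DPoPError("subject_token_dpop key does not match cnf.jkt of subject_token")
    issued_jkt = None
    if "DPoP" in headers:
        issued_jkt = verify_dpop_proof(headers["DPoP"], "POST", TOKEN_ENDPOINT, verify_sig, seen_jti, now=now)
    return {"subject": subject_claims.get("sub"), "issued_token_jkt": issued_jkt}


# ---- constructed sample data; the "signature" is a stand-in (SHA-256 of the signing input), not ES256 ----
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",                   # constructed coordinates, not a real curve point
              "x": b64url_encode(bytes(range(32))), "y": b64url_encode(bytes(range(32, 64)))}


def stub_verify(jwk, alg, signing_input, sig):                 # stand-in; a real AS verifies ES256 with a JOSE library
    return hmac.compare_digest(sig, hashlib.sha256(signing_input).digest())


def build_proof(claims: dict, jwk: dict = SAMPLE_JWK) -> str:  # builds a proof the stub accepts
    h = b64url_encode(json.dumps({"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}." + b64url_encode(hashlib.sha256(f"{h}.{p}".encode()).digest())


def demo(now: int = 1_700_000_000) -> dict:
    subject_token = "constructed.subject.token"
    subject_claims = {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}
    base = {"htm": "POST", "htu": TOKEN_ENDPOINT, "iat": now}
    headers = {"DPoP": build_proof({**base, "jti": "jti-issued"})}                 # binds the new token
    form = {"grant_type": TOKEN_EXCHANGE, "subject_token": subject_token,
            "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
            "subject_token_dpop": build_proof({**base, "jti": "jti-subject",        # proves the old one
                                               "ath": access_token_hash(subject_token)})}
    return handle_token_exchange(headers, form, subject_claims, stub_verify, set(), now=now)


if __name__ == "__main__":
    print(demo())
```

The two proofs share a key here only for brevity; nothing in the check requires it, since the header proof's thumbprint is used for the new binding and the form-parameter proof's thumbprint is compared against the subject token's `cnf.jkt`. Both proofs go through the same `jti` cache so a `subject_token_dpop` value cannot later be replayed as a header proof or vice versa.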
