In considering how to add DPoP binding into the Identity Assertion JWT Authorization Grant, we realized the current RFC7523 defines JWT Authorization Grants as bearer tokens, requiring the use of `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`.

https://datatracker.ietf.org/doc/html/rfc7523#section-2.1

This seemingly precludes the use of DPoP since it would no longer be a JWT bearer token. To resolve this, I wrote a small draft that defines `urn:ietf:params:oauth:grant-type:jwt-dpop` and adds DPoP processing rules on top of RFC7523.

You can find the new draft here: https://datatracker.ietf.org/doc/draft-parecki-oauth-jwt-dpop-grant/

---
Aaron Parecki
