Dear Aaron,

In Section 4, you are saying "[...] 3. The authorization server MUST verify that the JWT assertion contains a cnf claim as defined in [RFC7800]. This cnf claim MUST contain a jwk property representing a public key"

However, the DPoP RFC defines the following in section 6.1: "When access tokens are represented as JWTs [RFC7519 <https://www.rfc-editor.org/rfc/rfc9449.html#RFC7519>], the public key information is represented using the jkt confirmation method member defined herein." Then it defines jkt, which is the base64url encoding of the SHA-256 thumbprint of the JWK.

I believe that section 4 of your draft should be adapted accordingly.

Best,
Nikos

On Sat, Oct 18, 2025 at 7:05 PM Aaron Parecki <aaron= [email protected]> wrote:
> In considering how to add DPoP binding into the Identity Assertion JWT
> Authorization Grant, we realized the current RFC7523 defines JWT
> Authorization Grants as bearer tokens, requiring the use of
> `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`
>
> https://datatracker.ietf.org/doc/html/rfc7523#section-2.1
>
> This seemingly precludes the use of DPoP since it would no longer be a JWT
> bearer token.
>
> To resolve this, I wrote a small draft that defines
> `urn:ietf:params:oauth:grant-type:jwt-dpop` and adds DPoP processing rules
> on top of RFC7523. You can find the new draft here:
>
> https://datatracker.ietf.org/doc/draft-parecki-oauth-jwt-dpop-grant/
>
> ---
> Aaron Parecki
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
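A worked illustration of the jkt versus jwk distinction raised in the reply above, added here as an example; it is not code from the draft, from RFC 9449, or from either author. It computes the RFC 7638 JWK thumbprint that a DPoP cnf.jkt carries, builds the cnf claim in both forms (the jkt form RFC 9449 section 6.1 specifies for JWTs, and the inline jwk form the draft text currently describes), and runs the check an authorization server would perform against the jwk header of a DPoP proof. The EC public key coordinates are those shown in the RFC 9449 example DPoP proof and are used only as input (their resulting thumbprint is not asserted); the kid member, the DPoP header and all function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# RFC 7638 section 3.2: the members that go into the thumbprint hash input, per key type.
# Everything else (kid, alg, use, key_ops, and of course private members) is excluded.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),  # RFC 8037 keys
}

# JWK members that must never appear in a cnf.jwk or a DPoP proof header.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 hash input: required public members only, lexicographic order, no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    members = REQUIRED_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint, base64url-encoded: exactly the value DPoP carries in cnf.jkt."""
    return b64url(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def public_jwk(jwk: dict) -> dict:
    """Strip private members so the key can be embedded in a cnf.jwk or a DPoP header."""
    return {k: v for k, v in jwk.items() if k not in PRIVATE_MEMBERS}


def cnf_with_jkt(jwk: dict) -> dict:
    """cnf claim in the form RFC 9449 section 6.1 specifies for JWTs: the thumbprint, not the key."""
    return {"jkt": jwk_thumbprint(jwk)}


def cnf_with_jwk(jwk: dict) -> dict:
    """cnf claim in the form the draft text currently reads (RFC 7800 jwk member): the key inline."""
    return {"jwk": public_jwk(jwk)}


def bound_thumbprint(cnf: dict) -> str:
    """Thumbprint the assertion is bound to, accepting either cnf form so both can be compared."""
    if "jkt" in cnf:
        return cnf["jkt"]
    if "jwk" in cnf:
        return jwk_thumbprint(cnf["jwk"])
    raise ValueError("cnf claim carries neither jkt nor jwk")


def dpop_key_matches(cnf: dict, dpop_header: dict) -> bool:
    """AS-side check: the key in the DPoP proof's jwk header must hash to the bound thumbprint.
    Signature verification of the proof itself is out of scope for this example."""
    if dpop_header.get("typ") != "dpop+jwt":
        return False
    proof_jwk = dpop_header.get("jwk")
    if not isinstance(proof_jwk, dict):
        return False
    if proof_jwk.keys() & PRIVATE_MEMBERS:  # RFC 9449 section 4.2: header MUST NOT carry a private key
        return False
    try:
        return hmac.compare_digest(jwk_thumbprint(proof_jwk), bound_thumbprint(cnf))
    except ValueError:
        return False


# EC public key coordinates as shown in the RFC 9449 example DPoP proof (sample input only).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
    "y": "9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA",
    "kid": "client-key-1",  # constructed; ignored by the thumbprint
}

# Constructed DPoP proof header carrying the same public key.
SAMPLE_DPOP_HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": public_jwk(SAMPLE_JWK)}

if __name__ == "__main__":
    print("jkt:", jwk_thumbprint(SAMPLE_JWK))
    print("cnf (RFC 9449 form):", json.dumps(cnf_with_jkt(SAMPLE_JWK)))
    print("cnf (draft text form):", json.dumps(cnf_with_jwk(SAMPLE_JWK)))
    print("proof key matches:", dpop_key_matches(cnf_with_jkt(SAMPLE_JWK), SAMPLE_DPOP_HEADER))
```

Both cnf forms bind to the same key, which is why `bound_thumbprint` can accept either, but only the jkt form is what RFC 9449 specifies for JWT-encoded tokens and what existing DPoP-aware authorization servers will look for; the thumbprint is also what the AS compares against the proof's jwk header, so carrying the full key inline buys nothing and adds a place where a private member could leak.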
