[OAUTH-WG] DPoP introspection not including verification

2024-03-10 Thread Dick Hardt
Hey

I was reading over RFC 9449 and was surprised that introspection did not
take the DPoP header so that the introspection endpoint could do the check
on the DPoP proof rather than forcing the Resource Server to do it.

https://datatracker.ietf.org/doc/html/rfc9449#name-jwk-thumbprint-confirmation-

Curious what was the reasoning behind this?

/Dick
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] DPoP introspection not including verification

2024-03-14 Thread Justin Richer
While I don’t have an answer for the question asked, I do want to note that in 
order to do a proper validation, the introspection request would have to 
include the values of the DPoP proof, but also the expected HTM and HTU values 
from the RS, as the AS would not know these directly.

— Justin

On Mar 10, 2024, at 4:05 PM, Dick Hardt wrote:

Hey

I was reading over RFC 9449 and was surprised that introspection did not take 
the DPoP header so that the introspection endpoint could do the check on the 
DPoP proof rather than forcing the Resource Server to do it.

https://datatracker.ietf.org/doc/html/rfc9449#name-jwk-thumbprint-confirmation-

Curious what was the reasoning behind this?

/Dick

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
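Added illustration of the point Justin makes above (example code written for this archive page, not from the thread, from RFC 9449, or from any implementation): a Resource Server check of a DPoP proof, using only the Go standard library. The client side (makeProof) builds an ES256-signed proof; the RS side (verifyProof) takes the cnf.jkt thumbprint it learned from the token or the introspection response together with the HTTP method, URI and access token it actually received, and checks key binding, signature, htm/htu/ath and freshness in that order. The function names, the opaque token string and the rs.example URIs are constructed for the example. The demo function also exercises two failures: the same proof presented for a different URI, and a proof from a key other than the one in cnf.jkt.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwkOf renders a P-256 public key as an EC JWK (RFC 7517); coordinates are 32-byte big-endian.
func jwkOf(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// thumbprint is the RFC 7638 JWK thumbprint: required members only, lexicographic key order,
// no whitespace (json.Marshal sorts map keys, which yields exactly that), hashed with SHA-256.
func thumbprint(jwk map[string]string) string {
	raw, _ := json.Marshal(map[string]string{"crv": jwk["crv"], "kty": jwk["kty"], "x": jwk["x"], "y": jwk["y"]})
	sum := sha256.Sum256(raw)
	return b64.EncodeToString(sum[:])
}

// makeProof is the client side: a DPoP proof JWT (RFC 9449 section 4.2) signed with ES256 (JWS signature is r||s, 32 bytes each).
func makeProof(priv *ecdsa.PrivateKey, htm, htu, accessToken string, iat time.Time) string {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwkOf(&priv.PublicKey)})
	ath := sha256.Sum256([]byte(accessToken))
	jti := make([]byte, 16)
	rand.Read(jti)
	body, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": htm, "htu": htu,
		"iat": iat.Unix(), "ath": b64.EncodeToString(ath[:])})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:]) // cannot fail with a valid key and rand.Reader
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig)
}

// proofPart receives either the JOSE header or the claim set of a proof.
type proofPart struct {
	Typ, Alg, JTI, HTM, HTU, ATH string
	IAT                          int64
	JWK                          map[string]string
}

// verifyProof is the RS side (RFC 9449 section 4.3). jkt is the cnf.jkt the RS took from the token
// or from the introspection response; htm, htu and accessToken are what the RS itself received,
// which is exactly what an introspection endpoint would not know on its own.
func verifyProof(proof, jkt, htm, htu, accessToken string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("proof is not a compact JWS")
	}
	rawHdr, e1 := b64.DecodeString(parts[0])
	rawBody, e2 := b64.DecodeString(parts[1])
	rawSig, e3 := b64.DecodeString(parts[2])
	var h, c proofPart // encoding/json matches "typ", "jwk", "iat", ... to these fields case-insensitively
	if e1 != nil || e2 != nil || e3 != nil || len(rawSig) != 64 ||
		json.Unmarshal(rawHdr, &h) != nil || json.Unmarshal(rawBody, &c) != nil ||
		h.Typ != "dpop+jwt" || h.Alg != "ES256" || h.JWK["kty"] != "EC" || h.JWK["crv"] != "P-256" {
		return errors.New("malformed proof or unexpected typ/alg/jwk")
	}
	// Key binding: the embedded key must be the one the access token is bound to.
	if thumbprint(h.JWK) != jkt {
		return errors.New("jwk thumbprint does not match cnf.jkt")
	}
	// Signature over header.payload, checked with the embedded key only.
	x, _ := b64.DecodeString(h.JWK["x"])
	y, _ := b64.DecodeString(h.JWK["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(rawSig[:32]), new(big.Int).SetBytes(rawSig[32:])) {
		return errors.New("bad proof signature")
	}
	// Request binding: only the RS knows the method, URI and access token it actually received.
	if ath := sha256.Sum256([]byte(accessToken)); c.HTM != htm || c.HTU != htu || c.ATH != b64.EncodeToString(ath[:]) {
		return errors.New("htm, htu or ath does not match the received request")
	}
	// Freshness; a production RS also remembers recent jti values to reject replays.
	if d := now.Sub(time.Unix(c.IAT, 0)); d < -time.Minute || d > time.Minute || c.JTI == "" {
		return errors.New("iat outside the acceptance window or missing jti")
	}
	return nil
}

// demo runs the happy path plus the two failures the thread is about: a proof presented for a
// different URI, and a proof from a key other than the one in cnf.jkt. All values are constructed.
func demo() (good, wrongURI, wrongKey error) {
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const token, htu = "constructed-opaque-access-token", "https://rs.example/resource"
	jkt := thumbprint(jwkOf(&client.PublicKey)) // what the AS placed in the token's cnf.jkt
	proof := makeProof(client, "GET", htu, token, time.Now())
	good = verifyProof(proof, jkt, "GET", htu, token, time.Now())
	wrongURI = verifyProof(proof, jkt, "GET", "https://rs.example/other", token, time.Now())
	wrongKey = verifyProof(proof, thumbprint(jwkOf(&other.PublicKey)), "GET", htu, token, time.Now())
	return good, wrongURI, wrongKey
}
```

The wrongURI case is the one that matters for the question: the proof is well-formed, its key matches cnf.jkt and its signature verifies, so an introspection endpoint handed only the token and the DPoP header would see nothing wrong. It fails only at the htm/htu comparison, which needs the request as the RS received it, so an introspection request that carried the proof would also have to carry those values for the AS to complete the check.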


Re: [OAUTH-WG] DPoP introspection not including verification

2024-03-15 Thread Dick Hardt
Understood

On Thu, Mar 14, 2024 at 9:58 PM Justin Richer wrote:

> While I don’t have an answer for the question asked, I do want to note
> that in order to do a proper validation, the introspection request would
> have to include the values of the DPoP proof, but also the expected HTM and
> HTU values from the RS, as the AS would not know these directly.
>
> — Justin
>
> On Mar 10, 2024, at 4:05 PM, Dick Hardt wrote:
>
> Hey
>
> I was reading over RFC 9449 and was surprised that introspection did not
> take the DPoP header so that the introspection endpoint could do the check
> on the DPoP proof rather than forcing the Resource Server to do it.
>
>
> https://datatracker.ietf.org/doc/html/rfc9449#name-jwk-thumbprint-confirmation-
>
> Curious what was the reasoning behind this?
>
> /Dick
>