The IESG has approved the following document: - 'OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)' (draft-ietf-oauth-dpop-16.txt) as Proposed Standard
This document is the product of the Web Authorization Protocol Working Group. The IESG contact persons are Paul Wouters and Roman Danyliw. A URL of this Internet-Draft is: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ Technical Summary This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens. Working Group Summary A large number of people reviewed the document over several rounds of reviews and provided feedback during meetings and on the mailing list, with no blocking comments. Important clarifications to the document were made based on IETF LC. Document Quality There are a number of implementations: * The OpenID Foundation FAPI2 certification tools have implementations of / tests for (most of) DPoP as both an AS/RS & client. * Authlete has implemented DPoP as an AS / RS. * The Italian Attribute Authorization Infrastructure has an implementation https://docs.google.com/document/d/11KQPEs7sln7DbxLN7r7q3j2PymBSrYNlx5o-W3xHQsw/edit# * liboauth2 library used in OAuth 2.0 Resource Server modules for Apache/NGINX (mod_oauth2/ngx_oauth2_module) https://github.com/zmartzone/liboauth2/blob/v1.4.5/src/dpop.c#L331-L441 * OSS Nimbus OAuth 2.0 / OIDC Java SDK https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/oauth/dpop * c2id server https://connect2id.com/products/server/docs/datasheet#dpop * Synamedia has implemented DPoP in OTT ServiceGuard - Advanced anti-piracy security for OTT video services, that includes a secure client library providing DPoP generation capabilities to an integrating application. Synamedia also supports DPoP as part of Synamedia Go – using an Integrated OTT ServiceGuard library in its clients and DPoP validation in its services to provide a secure modular platform for OTT video services. * European Anti-Fraud Office (OLAF) defined a B2B solution for private clients based on the DPoP draft version 03. The solution describes the behavior of the Relying Party and the Resource Server. Implemented both RP and RS in JAVA extending the Spring Framework to add the needed functionalities. * Keycloak: https://www.keycloak.org/ DPoP status: work in progress (tentatively Keycloak 22) * Solid Servers: - Community Solid Server (opensource): https://github.com/CommunitySolidServer/CommunitySolidServer - Enterprise Solid Server (commercial): https://www.inrupt.com/products/enterprise-solid-server Client libraries: - JavaScript: https://github.com/inrupt/solid-client-authn-js/ - Java: https://github.com/janeirodigital/sai-authentication-java Note about Solid: it seems that they are following an older version of the draft, and have some added behaviour not specified by the draft Personnel - Document Shepherd: Rifaat Shekh-Yusef - Responsible Area Director: Roman Danyliw _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth