I’m not smart enough to remember in what context I might have said this, but
I’d hazard a guess it was somehow related to service mesh.
Generally, we allow both to be specified largely because of our support for
macaroon access tokens: a proxy could transparently add an mTLS binding (for ex)
to
I would expect them to be able to co-exist in an implementation, but not both
be used on the same token. One of the implementations that I work on supports
both DPoP and MTLS on access tokens (as well as bearer tokens), and we use
metadata stored in the token objects to switch between these.
—
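The "switch on metadata stored in the token" approach above, as an added example that is not code from this thread, from Keycloak, or from any other implementation mentioned: a resource-server check that dispatches on the token's `cnf` claim, `jkt` for DPoP (RFC 9449) and `x5t#S256` for mTLS (RFC 8705), and treats a token carrying both as a policy error, i.e. the "one or the other" position. It assumes the DPoP proof JWT's signature, `htm`/`htu` and freshness have already been checked and its `jwk` header extracted, and that the TLS layer has already validated the client certificate; the sample key and certificate bytes are constructed placeholders, not real material.

```python
import base64
import hashlib
import json
from typing import Optional


def b64url_sha256(data: bytes) -> str:
    """base64url (no padding) of SHA-256, the encoding used by both jkt and x5t#S256."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url_sha256(canonical.encode())


def verify_sender_constraint(claims: dict, dpop_jwk: Optional[dict],
                             client_cert_der: Optional[bytes]) -> str:
    """Enforce whichever confirmation method the token's cnf claim records.

    Returns "dpop", "mtls" or "bearer" on success; raises PermissionError when
    the presented key/certificate does not match or the token is ambiguous.
    """
    cnf = claims.get("cnf") or {}
    methods = [m for m in ("jkt", "x5t#S256") if m in cnf]
    if len(methods) > 1:
        # Policy choice from the thread: a token is bound one way, not both.
        raise PermissionError("token carries more than one confirmation method")
    if not methods:
        return "bearer"  # no cnf claim: plain bearer token
    if methods[0] == "jkt":
        # dpop_jwk is the (already signature-verified) proof's "jwk" header.
        if dpop_jwk is None or jwk_thumbprint(dpop_jwk) != cnf["jkt"]:
            raise PermissionError("DPoP proof key does not match cnf.jkt")
        return "dpop"
    # x5t#S256 is the SHA-256 of the DER-encoded certificate the TLS layer authenticated.
    if client_cert_der is None or b64url_sha256(client_cert_der) != cnf["x5t#S256"]:
        raise PermissionError("client certificate does not match cnf.x5t#S256")
    return "mtls"


# Constructed sample inputs (placeholder values, not a real key or certificate).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y", "kid": "k1"}
SAMPLE_CERT_DER = b"\x30\x82constructed-certificate-bytes"
```

A token minted for DPoP therefore fails when only a client certificate is presented, and vice versa, even though the same server accepts both mechanisms.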
I think Neil commented once somewhere about maybe seeing value in both at
the same time. He's smarter than me so I don't like to contradict him. But
I've always thought of them as mutually exclusive. And
practically/pragmatically I think it really is one or the other.
On Fri, Nov 12, 2021 at 9:39
As an implementer of one binding mechanism (DPoP) for the AS (Keycloak)
that already features another (MTLS), I'm running into the question of whether
we should allow those two to be used simultaneously (which could be of
course extrapolated to other hypothetical mechanisms). By "simultaneously"
I mea