[OAUTH-WG] Protocol Action: 'OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)' to Proposed Standard (draft-ietf-oauth-dpop-16.txt)

[The IESG <iesg-secretary@ietf.org>]

The IESG has approved the following document:
- 'OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer
   (DPoP)'
  (draft-ietf-oauth-dpop-16.txt) as Proposed Standard

This document is the product of the Web Authorization Protocol Working Group.

The IESG contact persons are Paul Wouters and Roman Danyliw.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/





Technical Summary

   This document describes a mechanism for sender-constraining OAuth 2.0
   tokens via a proof-of-possession mechanism on the application level.
   This mechanism allows for the detection of replay attacks with access
   and refresh tokens.

Working Group Summary

  A large number of people reviewed the document over several rounds of reviews
  and provided feedback during meetings and on the mailing list, with no
  blocking comments.

  Important clarifications to the document were made based on IETF LC.

Document Quality

There are a number of implementations:

* The OpenID Foundation FAPI2 certification tools have implementations of /
tests
  for (most of) DPoP as both an AS/RS & client.

* Authlete has implemented DPoP as an AS / RS.

* The Italian Attribute Authorization Infrastructure has an implementation
https://docs.google.com/document/d/11KQPEs7sln7DbxLN7r7q3j2PymBSrYNlx5o-W3xHQsw/edit#

* liboauth2 library used in OAuth 2.0 Resource Server modules for Apache/NGINX
(mod_oauth2/ngx_oauth2_module)
https://github.com/zmartzone/liboauth2/blob/v1.4.5/src/dpop.c#L331-L441

* OSS Nimbus OAuth 2.0 / OIDC Java SDK
https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/oauth/dpop

* c2id server
https://connect2id.com/products/server/docs/datasheet#dpop

* Synamedia has implemented DPoP in OTT ServiceGuard - Advanced anti-piracy
security for OTT video services, that includes a secure client library
providing DPoP generation capabilities to an integrating application. Synamedia
also supports DPoP as part of  Synamedia Go – using an Integrated OTT
ServiceGuard library in its clients and DPoP validation in its services to
provide a secure modular platform for OTT video services.

*  European Anti-Fraud Office (OLAF) defined a B2B solution for private clients
based on the DPoP draft version 03. The solution describes the behavior of the
Relying Party and the Resource Server. Implemented both RP and RS in JAVA
extending the Spring Framework to add the needed functionalities.

* Keycloak: https://www.keycloak.org/
DPoP status: work in progress (tentatively Keycloak 22)

* Solid
Servers:
- Community Solid Server (opensource):
https://github.com/CommunitySolidServer/CommunitySolidServer - Enterprise Solid
Server (commercial): https://www.inrupt.com/products/enterprise-solid-server

Client libraries:
- JavaScript: https://github.com/inrupt/solid-client-authn-js/
- Java: https://github.com/janeirodigital/sai-authentication-java

Note about Solid: it seems that they are following an older version of the
draft, and have some added behaviour not specified by the draft

Personnel

- Document Shepherd: Rifaat Shekh-Yusef
- Responsible Area Director: Roman Danyliw