[OAUTH-WG] DPoP and OAuth2 extensions

Dmitry Telegin <dmitryt@backbase.com> Wed, 27 October 2021 13:49 UTC

From: Dmitry Telegin <dmitryt@backbase.com>
Date: Wed, 27 Oct 2021 16:49:21 +0300
Message-ID: <CAOtx8D=_ioCAaCpK5N3qEmEM8m2Hj0au0sjUvmsVq=Xg86nrKg@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PUsZrdN9gSaqXeVxaGchZzpDrUI>

The draft currently focuses on DPoP support in the Authorization endpoint and
the Token endpoint (authorization code grant + refresh token grant). The
concept, however, could be extrapolated to several other endpoints, grant
types and OAuth2 extensions:
- ROPC (RFC 6749 section 1.3.3);
- OAuth 2.0 Token Exchange (RFC 8693);
- OAuth 2.0 Extension Grants (RFC 6749 section 4.5);
- OAuth 2.0 Token Revocation (RFC 7009);
- OpenID Connect.

(As for the latter, the UserInfo endpoint is introduced, which is an OAuth
2.0 protected resource conforming to OAuth 2.0 Bearer Token Usage (RFC
6750). However, UserInfo is different from the traditional protected
resources in having no advance knowledge of whether DPoP should be enforced
or not (until the incoming token is processed), hence the need to advertise
both "Bearer" and "DPoP" schemes via WWW-Authenticate.)

Would it make sense to mention these relations in the spec?

Regards,
Dmitry
Backbase
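The UserInfo situation described in the message, as an added illustration that is not part of the original post or the DPoP draft: a resource server that only learns from the presented token whether DPoP binding applies, checks the proof against the token's `cnf.jkt`, and advertises both schemes in `WWW-Authenticate` on failure. Standard library only; the `authorize`, `challenge` and `unsigned_jwt` names are my own, the tokens are constructed, and JWS signature verification of the token and proof is assumed to have been done upstream.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_json(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def ath_of(token: str) -> str:
    # "ath" claim: base64url(SHA-256) of the access token string, as in the DPoP draft
    return b64url(hashlib.sha256(token.encode()).digest())

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members only, sorted, without whitespace
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    canon = json.dumps({k: jwk[k] for k in required[jwk["kty"]]}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())

def unsigned_jwt(header: dict, payload: dict) -> str:
    # Constructed tokens for the demo: "sig" stands in for a real JWS signature
    enc = lambda d: b64url(json.dumps(d, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}.sig"

def decode_verified(jwt: str):
    # Assumption: JWS signature verification of the token and proof happened upstream
    h, p, _sig = jwt.split(".")
    return b64url_json(h), b64url_json(p)

def challenge(bearer_err=None, dpop_err=None) -> str:
    # UserInfo advertises both schemes, since it cannot know in advance which one applies
    bearer = 'Bearer realm="userinfo"' + (f', error="{bearer_err}"' if bearer_err else "")
    dpop = 'DPoP algs="ES256"' + (f', error="{dpop_err}"' if dpop_err else "")
    return f"{bearer}, {dpop}"

def authorize(headers: dict, method: str, url: str, now: int):
    """Return (200, subject) or (401, WWW-Authenticate value)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if not token:
        return 401, challenge()
    _, claims = decode_verified(token)
    jkt = (claims.get("cnf") or {}).get("jkt")  # set only on DPoP-bound access tokens
    if scheme.lower() == "bearer":  # a bound token presented as a plain bearer token is rejected
        return (200, claims["sub"]) if jkt is None else (401, challenge(bearer_err="invalid_token"))
    if scheme.lower() != "dpop" or jkt is None or "DPoP" not in headers:
        return 401, challenge(dpop_err="invalid_token")
    hdr, proof = decode_verified(headers["DPoP"])
    ok = (hdr.get("typ") == "dpop+jwt" and "jti" in proof
          and abs(now - proof.get("iat", 0)) <= 300  # freshness window (policy choice)
          and proof.get("htm") == method and proof.get("htu") == url
          and proof.get("ath") == ath_of(token)
          and jwk_thumbprint(hdr["jwk"]) == jkt)  # proof key must match the token's cnf.jkt
    return (200, claims["sub"]) if ok else (401, challenge(dpop_err="invalid_dpop_proof"))
```

A production server would additionally track `jti` values for replay detection and verify both signatures before calling into this logic.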