Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

Brian Campbell <> Wed, 27 November 2019 19:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7BC8A1209F3 for <>; Wed, 27 Nov 2019 11:59:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SJ2zbLkxTrwC for <>; Wed, 27 Nov 2019 11:59:37 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A982812097A for <>; Wed, 27 Nov 2019 11:59:36 -0800 (PST)
Received: by with SMTP id e28so1635547ljo.9 for <>; Wed, 27 Nov 2019 11:59:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OfwjhDdqcisltI1cbeFj3sXIu4Psw9ioY9euZQpFlc4=; b=F20cQPeBcXkFwnKZcVmRsihqm2srz2PaN9MCk38/07mpkhIZwuZRb2ZQzx1j00TRDU VJAOiuhdMEb2JZ/0eubOtJ/+ZgsBZTAsjvrHrr/2UpjzNKWVD/XfWNh+fdoyNm7S7Fsi DaINpqkwyV4aL3W1pnJOWBindPBqoyDSQDzB2pP3sXap9+g7AuIfPpYdbvpP5ELkl2Ia UZYyHqymRkpGknbRYsiJpygLe9BWSrTLNbgJ2gWjU+aJCGCgnDsbPzwdoTn6xFmaRBrG uXrnpDoaUUSYDKXkyFnpMzAcu5xCnRdR8RAVl7GhWW82NBD153A85fwDXLXC6ZEXvu0i qJWw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OfwjhDdqcisltI1cbeFj3sXIu4Psw9ioY9euZQpFlc4=; b=Ya5PgMeAI63yEnCd6UW1Gv24bl2JY5BNuETO1Bnev8GcLfZKfnLVD6DWsg4WAPVUUw 9VG1DUEx9bnsFlyXG0/9qj2In7xeXCrVdvbwD267Jx6RRpeOzoOHr8NnICDCC+Yzfuh3 pQtQkod0bus5qfQx5OhrN/5zc5P7znyeZxVdk4x0BbTn5WqPwrqfCAoa44M0btvxI0yb Sj+ywraQVaMPRyTcxDSSteCYRzxfLsaVHZKjeocmmOD7tSj16Tp5xEYBJ/XmM1k9oW7T dG23IW5YDa2ARawYTL3t8Jwi+ylLwh6G9z+JFrGmN7fPljabQmoK4HwtWJXKFeAWSHbX tNaQ==
X-Gm-Message-State: APjAAAXsS3Bx6idRYeZHxjSGFm3t13lSrZFU95dUhXrtW/oTz94UOvMP X8ih0dMyPWLXte3O3/R0QU2OD5rTIEJDHWmxu5R1VUpYWSEEutVRRYpsU6CcPDd8wHafW1Fgf3+ bEnRSw5PEt2uFPA==
X-Google-Smtp-Source: APXvYqyKMbGJqS0qwdSZYMypM1uf9KmVLO5j6zOZ6MZVUv73CHpedgpMwTrwcWvs+lwyAnR3KAVdiopgmkHKJRfN6nQ=
X-Received: by 2002:a2e:8885:: with SMTP id k5mr15616257lji.98.1574884775033; Wed, 27 Nov 2019 11:59:35 -0800 (PST)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Wed, 27 Nov 2019 12:59:07 -0700
Message-ID: <>
To: "Richard Backman, Annabelle" <>
Cc: Neil Madden <>, oauth <>
Content-Type: multipart/alternative; boundary="00000000000095633c0598596f5d"
Archived-At: <>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Nov 2019 19:59:39 -0000

On Tue, Nov 26, 2019 at 6:26 PM Richard Backman, Annabelle <> wrote:

> > That’s not directly attached to the access token. This means that every
> RS has to know about DPoP.
> True, but you could avoid that by embedding the access token in the DPoP
> proof (similar to draft-ietf-oauth-signed-http-request) and sending that as
> the sole token. Technically, that’s no longer a bearer token so sending it
> as “Authorization: bearer <token>” would be wrong, but DPoP already commits
> that sin.

To clairy FWIW the current DPoP draft doesn't commit that sin. It uses
“Authorization: dpop <access-token>” and "DPoP: <DPoP-proof-JWT>" headers.
There were some examples attempting to illustrate how all the pieces of the
proposal worked, including this particular part, in the slides I had for
Singapore. But unfortunately I never made it past slide #6.

On the other hand the OAuth MTLS draft does commit said sin. But it was
intentional with the aim of easing adoption/migration to it.

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._