[OAUTH-WG] Re: DPoP-bound JWT Authorization Grant
Brian Campbell <bcampbell@pingidentity.com> Tue, 28 October 2025 22:10 UTC
To: Nikos Fotiou <nikosft@gmail.com>
CC: Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>, OAuth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zT3lTP5ZCDJ0MdeR9m8kRnkz2z0>
DPoP does indeed use cnf.jkt to bind the access token to the DPoP key. Unless there's a compelling reason to do differently (is there?), the JWT Authorization Grant should probably use the same mechanism.

On Tue, Oct 28, 2025 at 12:20 PM Nikos Fotiou <nikosft@gmail.com> wrote:

> Dear Aaron,
>
> In Section 4, you are saying:
> "[...] 3. The authorization server MUST verify that the JWT assertion
> contains a cnf claim as defined in [RFC7800]. This cnf claim
> MUST contain a jwk property representing a public key"
>
> However, the DPoP RFC defines the following in section 6.1:
> "When access tokens are represented as JWTs [RFC7519
> <https://www.rfc-editor.org/rfc/rfc9449.html#RFC7519>], the public key
> information is represented using the jkt confirmation method member
> defined herein." It then defines jkt, which is the base64url encoding of the
> SHA-256 thumbprint of the JWK.
>
> I believe that section 4 of your draft should be adapted accordingly.
>
> Best,
> Nikos
>
> On Sat, Oct 18, 2025 at 7:05 PM Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org> wrote:
>
>> In considering how to add DPoP binding into the Identity Assertion JWT
>> Authorization Grant, we realized the current RFC7523 defines JWT
>> Authorization Grants as bearer tokens, requiring the use of
>> `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`
>>
>> https://datatracker.ietf.org/doc/html/rfc7523#section-2.1
>>
>> This seemingly precludes the use of DPoP since it would no longer be a
>> JWT bearer token.
>>
>> To resolve this, I wrote a small draft that defines
>> `urn:ietf:params:oauth:grant-type:jwt-dpop` and adds DPoP processing rules
>> on top of RFC7523.
>>
>> You can find the new draft here:
>>
>> https://datatracker.ietf.org/doc/draft-parecki-oauth-jwt-dpop-grant/
>>
>> ---
>> Aaron Parecki
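The thread turns on one mechanical point: whether the assertion's cnf claim carries the full public key (cnf.jwk, as the draft's section 4 currently reads) or the RFC 7638 JWK thumbprint (cnf.jkt, as RFC 9449 uses for access tokens). The following is an added example, not code from the thread, the draft, or DPoP itself. It implements the RFC 7638 thumbprint over the required public members in lexicographic order and shows the authorization-server-side comparison of the assertion's cnf against the jwk in the DPoP proof header, accepting either form so the two are visibly interchangeable for the AS. The EC key coordinates, the proof header and the assertion claims are constructed sample data (the coordinates are not validated as a P-256 point), and the signature checks on the assertion and proof, plus the proof's htm, htu, iat and jti checks from RFC 9449 section 4.3, are deliberately out of scope here and remain mandatory in a real deployment.

```python
import base64
import hashlib
import json
from typing import Tuple

# RFC 7638 section 3.2: the members hashed for each key type, in lexicographic
# order. OKP is from RFC 8037 section 2.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
    "oct": ("k", "kty"),
}


def b64url_nopad(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 JWK Thumbprint: SHA-256 over the canonical JSON of the required
    public members only. Extra members (alg, use, kid) and member order in the
    input do not change the result, which is what makes jkt a stable identifier."""
    kty = jwk.get("kty")
    if kty not in THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    members = THUMBPRINT_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK missing required member(s) for {kty}: {missing}")
    # sort_keys plus no whitespace in separators yields the exact RFC 7638 form.
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return b64url_nopad(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_cnf_binding(assertion_claims: dict, dpop_proof_header: dict) -> Tuple[bool, str]:
    """Authorization-server check that the JWT authorization grant is bound to
    the key that signed the DPoP proof sent with the token request.

    Accepts either form discussed in the thread: cnf.jkt (thumbprint, as RFC 9449
    section 6.1 uses in access tokens) or cnf.jwk (full public key). Both are
    compared on the thumbprint, so the AS logic is the same either way."""
    cnf = assertion_claims.get("cnf")
    if not isinstance(cnf, dict):
        return False, "assertion has no cnf claim"
    proof_jwk = dpop_proof_header.get("jwk")
    if not isinstance(proof_jwk, dict):
        return False, "DPoP proof header has no jwk"
    if "d" in proof_jwk:
        # RFC 9449 section 4.2: the jwk in the proof header MUST NOT contain a private key.
        return False, "DPoP proof jwk carries a private member"
    try:
        proof_jkt = jwk_thumbprint(proof_jwk)
        if "jkt" in cnf:
            expected, form = cnf["jkt"], "cnf.jkt"
        elif "jwk" in cnf:
            expected, form = jwk_thumbprint(cnf["jwk"]), "cnf.jwk"
        else:
            return False, "cnf has neither jkt nor jwk"
    except ValueError as exc:
        return False, f"malformed JWK: {exc}"
    if proof_jkt != expected:
        return False, f"{form} does not match the DPoP proof key"
    # On success the AS would mint the access token with cnf.jkt = proof_jkt.
    return True, f"bound via {form}: {proof_jkt}"


# Constructed sample public key for the DPoP proof (not a real key pair; the
# coordinates are arbitrary base64url strings, not validated as a P-256 point).
DPOP_PUBLIC_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

# Constructed DPoP proof JOSE header (RFC 9449 section 4.2) with the optional
# members a client might add; they must not affect the thumbprint.
DPOP_PROOF_HEADER = {
    "typ": "dpop+jwt",
    "alg": "ES256",
    "jwk": {**DPOP_PUBLIC_JWK, "kid": "client-key-1", "use": "sig"},
}

# Constructed assertion claims in the two forms the thread compares.
_BASE_CLAIMS = {"iss": "https://idp.example", "sub": "alice", "aud": "https://as.example/token"}
ASSERTION_WITH_JKT = {**_BASE_CLAIMS, "cnf": {"jkt": jwk_thumbprint(DPOP_PUBLIC_JWK)}}
ASSERTION_WITH_JWK = {**_BASE_CLAIMS, "cnf": {"jwk": DPOP_PUBLIC_JWK}}

if __name__ == "__main__":
    print("jkt of DPoP key:", jwk_thumbprint(DPOP_PUBLIC_JWK))
    print("cnf.jkt form:", check_cnf_binding(ASSERTION_WITH_JKT, DPOP_PROOF_HEADER))
    print("cnf.jwk form:", check_cnf_binding(ASSERTION_WITH_JWK, DPOP_PROOF_HEADER))
    wrong_key = {"jwk": {**DPOP_PUBLIC_JWK, "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"}}
    print("different key:", check_cnf_binding(ASSERTION_WITH_JKT, wrong_key))
```

The thumbprint function is the whole reason the two cnf forms are equivalent at the AS: cnf.jwk carries more bytes but adds no binding strength, and the thumbprint discards any extra members and ordering differences, so an issuer cannot accidentally produce two different bindings for one key. Carrying cnf.jkt in the grant also means the grant, the DPoP proof and the resulting access token all identify the key the same way.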