Skip to content

DPoP Optimisation#146

Open
tplooker wants to merge 1 commit intomainfrom
tl/dpop-optimisation
Open

DPoP Optimisation#146
tplooker wants to merge 1 commit intomainfrom
tl/dpop-optimisation

Conversation

@tplooker
Copy link
Collaborator

@tplooker tplooker commented Sep 5, 2025
edited
Loading

Initial draft at this proposal, things to discuss include

  • Whether we should consider instead of a _supported metadata flag defining another method for client authentication because otherwise an AS cannot force the optimisation in the event it would like to. Update see latest comment on PR
  • Unrelated but I noticed nbf is defined for the Client Attestation PoP when I dont think its required, suggest we remove this. Update created Remove nbf claim definition #181 to address
  • How should we handle challenge vs nonce in the DPoP proof, technically we could support both.

Fixes #69

tplooker
tplooker commented Sep 5, 2025
View reviewed changes
tplooker
tplooker commented Sep 9, 2025
View reviewed changes
draft-ietf-oauth-attestation-based-client-auth.md
3. There is no OAuth-Client-Attestation-PoP HTTP request header field present.

Provided the above conditions are meet the following additional rules apply:
1. The public key located in the DPoP proof MUST match the public key located in the `cnf` claim of the Client Attestation JWT.
Copy link
Collaborator Author

@tplooker tplooker Sep 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we be more specific around how this matching should occur, e.g if both JWK use thumbprint etc?

tplooker
tplooker commented Sep 9, 2025
View reviewed changes
paulbastian
paulbastian requested changes Sep 12, 2025
View reviewed changes
@paulbastian
Copy link
Collaborator

paulbastian commented Sep 12, 2025

we're also missing the considerations for challenge/DPoP nonce

@panva
Copy link
Member

panva commented Sep 30, 2025

This should either

  • be required by AS to support when it supports both dpop and attest; or
  • be required when dpop and attestation is used together; or
  • not exist.

Anything towards the end of not having any AS support optionality.

I am supportive of this in theory but if its not MTI for the AS I would not bother implementing the client side for it.

@paulbastian
Copy link
Collaborator

paulbastian commented Oct 10, 2025

This should either

* be required by AS to support when it supports both dpop and attest; or

* be required when dpop and attestation is used together; or

* not exist.

Anything towards the end of not having any AS support optionality.

I am supportive of this in theory but if its not MTI for the AS I would not bother implementing the client side for it.

favorite direction would be to create two distinct token_endpoint_auth_methods, which could be independtly signaled using token_endpoint_auth_methods_supported, therefore leaving the AS the clear option to support either or both. What do you think about this option? @panva

@panva
Copy link
Member

panva commented Oct 10, 2025

@paulbastian yes that's acceptable (I think?).

@tplooker tplooker mentioned this pull request Oct 24, 2025
Open
@tplooker
Copy link
Collaborator Author

tplooker commented Feb 24, 2026

I agree with @panva I'm going to update the PR in the direction of making the combined mode required when the AS supports both DPoP and Client Attestation.

@matthieusieben matthieusieben mentioned this pull request Feb 24, 2026
Open
@tplooker tplooker mentioned this pull request Mar 2, 2026
Merged
@tplooker tplooker force-pushed the tl/dpop-optimisation branch from f4fb47b to 61d793e Compare March 2, 2026 03:43
@tplooker
Copy link
Collaborator Author

tplooker commented Mar 2, 2026

I've made a few changes to this PR

  1. Added language requiring that this mode is implemented if the AS also supports DPoP, I think this could be improved though to avoid duplication once usage at par and token endpoint #177 is merged.
  2. I reverted the changes that addressed issue Make iss optional in Client Attestation JWT #171 as remove iss from Client Attestation JWT #173 now resolves this and added a few suggestions to that PR instead.

@tplooker tplooker mentioned this pull request Mar 2, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paulbastian paulbastian paulbastian requested changes

@c2bo c2bo Awaiting requested review from c2bo c2bo is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Usecase: authenticating the key used for DPoP bound access tokens back to the client

3 participants

@tplooker @paulbastian @panva