Skip to content

Update auth_session binding requirements #149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
aaronpk merged 4 commits into from
Feb 27, 2026
Merged

Update auth_session binding requirements #149

Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
566df8f
Update auth_session binding requirements
aaronpk Feb 20, 2026
b5fc39c
Merge branch 'main' into aaronpk-patch-3
aaronpk Feb 27, 2026
a9c2ae9
Apply suggestion from @aaronpk
aaronpk Feb 27, 2026
483c1b3
Apply suggestion from @aaronpk
aaronpk Feb 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 5 additions & 2 deletions draft-ietf-oauth-first-party-apps.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -468,7 +468,7 @@ If the client has an `auth_session`, the client MUST include it in future reques

Every response defined by this specification may include a new `auth_session` value. Clients MUST NOT assume that `auth_session` values are static, and MUST be prepared to update the stored `auth_session` value if one is received in a response.

To mitigate the risk of session hijacking, the `auth_session` MUST be bound to the device, and the authorization server MUST reject an `auth_session` if it is presented from a different device than the one it was bound to.
To mitigate the risk of session hijacking, the `auth_session` SHOULD be bound to the device, and the authorization server SHOULD reject an `auth_session` if it is presented from a different device than the one it was bound to. One method of binding the `auth_session` to the device is described in {{auth-session-dpop}}.

The AS MUST ensure that the `auth_session` value is unique to the session and protected from accidental collisions.
For example, if the AS is using a random string for the `auth_session` value, the value SHOULD have a minimum of 256 bits of entropy.
Expand Down Expand Up @@ -616,9 +616,12 @@ It may be possible to use other proof of possession mechanisms to sender constra

## Auth Session {#auth-session-security}


Binding the `auth_session` to the device requesting authorization is important to prevent session hijacking and replay of the `auth_session` value. Without the device binding a captured `auth_session` could be replayed from another device. The following section describes one way to bind the `auth_session` to the requesting device. Other device binding methods are available and useable to prevent this potential security exposure.

### Auth Session DPoP Binding
### Auth Session DPoP Binding {#auth-session-dpop}

Binding the `auth_session` to the device requesting authorization is important to prevent session hijacking and replay of the `auth_session` value. Without the device binding a captured `auth_session` could be replayed from another device. The following section describes one way to bind the `auth_session` to the requesting device. Other device binding methods are available and useable to prevent this potential security exposure.

If the client and authorization server are using DPoP binding of access tokens and/or authorization codes, then the `auth_session` value SHOULD be protected as well. The authorization server SHOULD associate the `auth_session` value with the DPoP public key. This removes the need for the authorization server to include additional claims in the DPoP proof, while still benefitting from the assurance that the client presenting the proof has control over the DPoP key. To associate the `auth_session` value with the DPoP public key, the authorization server:

Expand Down