OAuth 2.0 Demonstrating Proof of Possession (DPoP)
Draft of message to be sent after approval:
From: The IESG <firstname.lastname@example.org>
To: IETF-Announce <email@example.com>
Cc: The IESG <firstname.lastname@example.org>, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Subject: Protocol Action: 'OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)' to Proposed Standard (draft-ietf-oauth-dpop-16.txt)
The IESG has approved the following document:
- 'OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer
(draft-ietf-oauth-dpop-16.txt) as Proposed Standard
This document is the product of the Web Authorization Protocol Working Group.
The IESG contact persons are Paul Wouters and Roman Danyliw.
A URL of this Internet-Draft is:
This document describes a mechanism for sender-constraining OAuth 2.0
tokens via a proof-of-possession mechanism on the application level.
This mechanism allows for the detection of replay attacks with access
and refresh tokens.
Working Group Summary
A large number of people reviewed the document over several rounds of reviews
and provided feedback during meetings and on the mailing list, with no
Important clarifications to the document were made based on IETF LC.
There are a number of implementations:
* The OpenID Foundation FAPI2 certification tools have implementations of /
for (most of) DPoP as both an AS/RS & client.
* Authlete has implemented DPoP as an AS / RS.
* The Italian Attribute Authorization Infrastructure has an implementation
* liboauth2 library used in OAuth 2.0 Resource Server modules for Apache/NGINX
* OSS Nimbus OAuth 2.0 / OIDC Java SDK
* c2id server
* Synamedia has implemented DPoP in OTT ServiceGuard - Advanced anti-piracy
security for OTT video services, that includes a secure client library
providing DPoP generation capabilities to an integrating application. Synamedia
also supports DPoP as part of Synamedia Go – using an Integrated OTT
ServiceGuard library in its clients and DPoP validation in its services to
provide a secure modular platform for OTT video services.
* European Anti-Fraud Office (OLAF) defined a B2B solution for private clients
based on the DPoP draft version 03. The solution describes the behavior of the
Relying Party and the Resource Server. Implemented both RP and RS in JAVA
extending the Spring Framework to add the needed functionalities.
* Keycloak: https://www.keycloak.org/
DPoP status: work in progress (tentatively Keycloak 22)
- Community Solid Server (opensource):
https://github.com/CommunitySolidServer/CommunitySolidServer - Enterprise Solid
Server (commercial): https://www.inrupt.com/products/enterprise-solid-server
- Java: https://github.com/janeirodigital/sai-authentication-java
Note about Solid: it seems that they are following an older version of the
draft, and have some added behaviour not specified by the draft
- Document Shepherd: Rifaat Shekh-Yusef
- Responsible Area Director: Roman Danyliw
RFC Editor Note