Technical Summary
This document describes a mechanism for sender-constraining OAuth 2.0
tokens via a proof-of-possession mechanism on the application level.
This mechanism allows for the detection of replay attacks with access
and refresh tokens.
Working Group Summary
A large number of people reviewed the document over several rounds of reviews
and provided feedback during meetings and on the mailing list, with no
blocking comments.
Important clarifications to the document were made based on IETF LC.
Document Quality
There are a number of implementations:
* The OpenID Foundation FAPI2 certification tools have implementations of /
tests
for (most of) DPoP as both an AS/RS & client.
* Authlete has implemented DPoP as an AS / RS.
* The Italian Attribute Authorization Infrastructure has an implementation
https://docs.google.com/document/d/11KQPEs7sln7DbxLN7r7q3j2PymBSrYNlx5o-W3xHQsw/edit#
* liboauth2 library used in OAuth 2.0 Resource Server modules for Apache/NGINX
(mod_oauth2/ngx_oauth2_module)
https://github.com/zmartzone/liboauth2/blob/v1.4.5/src/dpop.c#L331-L441
* OSS Nimbus OAuth 2.0 / OIDC Java SDK
https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/oauth/dpop
* c2id server
https://connect2id.com/products/server/docs/datasheet#dpop
* Synamedia has implemented DPoP in OTT ServiceGuard - Advanced anti-piracy
security for OTT video services, that includes a secure client library
providing DPoP generation capabilities to an integrating application. Synamedia
also supports DPoP as part of Synamedia Go – using an Integrated OTT
ServiceGuard library in its clients and DPoP validation in its services to
provide a secure modular platform for OTT video services.
* European Anti-Fraud Office (OLAF) defined a B2B solution for private clients
based on the DPoP draft version 03. The solution describes the behavior of the
Relying Party and the Resource Server. Implemented both RP and RS in JAVA
extending the Spring Framework to add the needed functionalities.
* Keycloak: https://www.keycloak.org/
DPoP status: work in progress (tentatively Keycloak 22)
* Solid
Servers:
- Community Solid Server (opensource):
https://github.com/CommunitySolidServer/CommunitySolidServer - Enterprise Solid
Server (commercial): https://www.inrupt.com/products/enterprise-solid-server
Client libraries:
- JavaScript: https://github.com/inrupt/solid-client-authn-js/
- Java: https://github.com/janeirodigital/sai-authentication-java
Note about Solid: it seems that they are following an older version of the
draft, and have some added behaviour not specified by the draft
Personnel
- Document Shepherd: Rifaat Shekh-Yusef
- Responsible Area Director: Roman Danyliw