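%% You should probably cite draft-ietf-oauth-pop-key-distribution-07 instead of this revision.
%%
%% Internet-Draft, revision 05, dated 2019-03-11. The type and note fields mark it as an
%% Internet-Draft and Work in Progress, so it is not a published RFC.
%% Per its abstract, it describes how a client requests and obtains a proof-of-possession
%% (PoP) access token from the authorization server for use with HTTPS-based transport.
%% Check any protocol detail against the revision you actually cite.
%%
%% The comment and the entry are kept on separate lines so that parsers which treat a
%% percent sign as a comment-to-end-of-line marker do not skip the entry.
@techreport{ietf-oauth-pop-key-distribution-05,
  author      = {Bradley, John and Hunt, Phil and Jones, Michael B. and Tschofenig, Hannes and Meszaros, Mihaly},
  title       = {{OAuth} 2.0 {Proof-of-Possession}: Authorization Server to Client Key Distribution},
  type        = {Internet-Draft},
  number      = {draft-ietf-oauth-pop-key-distribution-05},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  year        = 2019,
  month       = mar,
  day         = 11,
  pagetotal   = 15,
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-ietf-oauth-pop-key-distribution/05/},
  abstract    = {RFC 6750 specified the bearer token concept for securing access to protected resources. Bearer tokens need to be protected in transit as well as at rest. When a client requests access to a protected resource it hands-over the bearer token to the resource server. The OAuth 2.0 Proof-of-Possession security concept extends bearer token security and requires the client to demonstrate possession of a key when accessing a protected resource. This document describes how the client requests and obtains a PoP access token from the authorization server for use with HTTPS-based transport. Alternative transports, for example using the Constrained Application Protocol (CoAP), have been specified in companion specifications.},
}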