OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer


This post is by Mike Jones from Mike Jones: self-issued


Click here to view on the original site: Original Post




OAuth logoI’m excited that a new, simpler approach for application-level proof of possession of OAuth access tokens and refresh tokens is being developed by members of the IETF OAuth working group. The effort is led by Daniel Fett, who had previously done formal analysis of the OAuth protocol. I wanted to bring it to your attention now to solicit your early feedback. This approach was designed in discussions at the Fourth OAuth Security Workshop and is captured in a new individual draft specification for Demonstration of Proof-of-Possession (DPoP) intended for the OAuth working group. The abstract of the new specification is:

This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows to detect replay attacks with access and refresh tokens.

The specification is still an early draft and undergoing active development, but I believe the approach shows a lot promise and is likely to be adopted by the OAuth working group soon. It works be creating a proof-of-possession signature over an access token or refresh token that would otherwise be a bearer token. And there’s already one implementation that I’m aware of – by Filip Skokan of Auth0. Let us know what you think of this new work!

The specification is available at:

An HTML-formatted version is also available at:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.