For dynamically registered clients, there is currently no way to indicate the intention to use DPoP. Hence, it's completely up to the AS whether to enforce DPoP or not on such clients (for example, using client registration policies).
Seems like there is no common approach here; for example, RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens) does define client registration metadata (see section 9.5), whilst RFC 7636 (PKCE) does not. I guess this is due to PKCE being initially conceived as a feature that would become mandatory in OAuth 2.1. Are there any plans to introduce client registration metadata for DPoP?

Regards,
Dmitry
Backbase
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
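As an added illustration of the situation the post describes (this is example code, not anything from the thread or from an IETF implementation): the AS cannot learn a dynamically registered client's DPoP intent from its metadata, so the decision is made by an operator policy applied at registration and enforced at the token endpoint. The `require_dpop` field, the `dpop_for_public_clients` policy key and the `constructed_proof` helper are assumptions made for this example; only the RFC 8705 `tls_client_certificate_bound_access_tokens` field and the RFC 9449 `invalid_dpop_proof` error are taken from the specifications.

```python
import base64
import json
from dataclasses import dataclass


@dataclass
class ClientPolicy:
    client_id: str
    mtls_bound: bool    # declared by the client via RFC 8705 sec. 9.5 metadata
    require_dpop: bool  # decided by AS policy; the client cannot declare it at registration


def register_client(client_id, metadata, policy):
    """Apply an operator policy (a constructed dict here) to RFC 7591 client metadata."""
    mtls_bound = bool(metadata.get("tls_client_certificate_bound_access_tokens", False))
    public = metadata.get("token_endpoint_auth_method") == "none"
    # Assumed policy: public clients must sender-constrain their tokens; those that
    # opted into mTLS binding already do, the rest are required to use DPoP.
    require_dpop = bool(policy.get("dpop_for_public_clients")) and public and not mtls_bound
    return ClientPolicy(client_id, mtls_bound, require_dpop)


def _b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def dpop_header_ok(proof):
    """Structural check of the DPoP proof JOSE header only (typ, alg, embedded jwk).
    Signature, htm/htu/iat/jti validation are deliberately not shown here."""
    try:
        hdr = _b64url_json(proof.split(".")[0])
    except Exception:
        return False
    return hdr.get("typ") == "dpop+jwt" and hdr.get("alg") not in (None, "none") and "jwk" in hdr


def check_token_request(client, headers):
    """Token endpoint gate: returns (accepted, error_code)."""
    proof = headers.get("DPoP")
    if client.require_dpop and proof is None:
        return False, "invalid_request"       # policy demands DPoP, none presented
    if proof is not None and not dpop_header_ok(proof):
        return False, "invalid_dpop_proof"    # error code from RFC 9449 sec. 5
    return True, ""


def constructed_proof(hdr):
    """Build an unsigned placeholder proof with the given JOSE header (test data only)."""
    seg = base64.urlsafe_b64encode(json.dumps(hdr).encode()).rstrip(b"=").decode()
    return seg + ".e30.sig"
```

RFC 9449, the DPoP specification as eventually published, defines a `dpop_bound_access_tokens` client registration metadata field in its section 5.2, which a policy like `register_client` could consult alongside the operator defaults.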