As of -03, the "ath" DPoP proof claim has been introduced: ath: hash of the access token (REQUIRED). The value MUST be the result of a > base64url encoding (with no padding) the SHA-256 hash of the ASCII encoding > of the associated access token's value. >
OpenID Connect has a similar concept used to bind ID token to access token: at_hash OPTIONAL. Access Token hash value. Its value is the base64url > encoding of the left-most half of the hash of the octets of the ASCII > representation of the access_token value, where the hash algorithm used > is the hash algorithm used in the alg Header Parameter of the ID Token's > JOSE Header. For instance, if the alg is RS256, hash the access_token > value with SHA-256, then take the left-most 128 bits and base64url encode > them. The at_hash value is a case sensitive string. > > OIDC derives the hashing algorithm from the token header, while DPoP uses SHA-256 unconditionally. OIDC uses the left-most half of the hash, while DPoP uses the whole hash. Would it make sense to be aligned with OIDC on this? Regards, Dmitry Backbase
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
