The draft currently focuses on DPoP support in the Authorization endpoint and Token endpoint (authorization code grant + refresh token grant). The concept, however, could be extrapolated to several other endpoints, grant types and OAuth2 extensions:

- ROPC (RFC 6749 section 1.3.3);
- OAuth 2.0 Token Exchange (RFC 8693);
- OAuth 2.0 Extension Grants (RFC 6749 section 4.5);
- OAuth 2.0 Token Revocation (RFC 7009);
- OpenID Connect
(As for the latter, the UserInfo endpoint is introduced, which is an OAuth 2.0 protected resource conforming to OAuth 2.0 Bearer Token Usage (RFC 6750). However, UserInfo is different from the traditional protected resources in having no advance knowledge of whether DPoP should be enforced or not (until the incoming token is processed), hence the need to advertise both "Bearer" and "DPoP" schemes via WWW-Authenticate.)

Would it make sense to mention these relations in the spec?

Regards,
Dmitry
Backbase
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
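The UserInfo situation described in the message above, as an added example that is not part of the original message or of the DPoP draft: a Go model of both sides of the exchange. The client builds an ES256 DPoP proof (typ "dpop+jwt", the public JWK in the header, htm/htu/iat/jti and an "ath" hash of the access token in the payload). The UserInfo endpoint first resolves the presented token and only then decides which scheme to enforce: with no token it challenges with both schemes in one WWW-Authenticate header (`Bearer realm="userinfo", DPoP algs="ES256"`, the form the DPoP specification uses), it accepts an unbound token under the Bearer scheme, and for a bound token it requires a proof whose RFC 7638 JWK thumbprint equals the token's cnf.jkt. The endpoint URL, the in-memory token store standing in for introspection, the token strings, the 60-second freshness window and the policy of rejecting an unbound token presented under the DPoP scheme are assumptions of this example; the jti replay cache a real resource server needs is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// jwk is the EC public key carried in the proof header. Fields sit in the lexicographic
// order RFC 7638 requires, so json.Marshal(k) is exactly the thumbprint input.
type jwk struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func newKey() *ecdsa.PrivateKey { // the client's DPoP key pair; P-256 generation does not fail in practice
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

func toJWK(pub *ecdsa.PublicKey) jwk {
	return jwk{Crv: "P-256", Kty: "EC", X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// thumbprint is the RFC 7638 SHA-256 JWK thumbprint, the value the AS puts in the token's cnf.jkt.
func thumbprint(k jwk) string {
	canon, _ := json.Marshal(k)
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:])
}

// MakeProof is the client side: an ES256 DPoP proof JWT for one request, tied to the access token via ath.
func MakeProof(priv *ecdsa.PrivateKey, htm, htu, token string, now time.Time) string {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": toJWK(&priv.PublicKey)})
	jti, ath := make([]byte, 16), sha256.Sum256([]byte(token))
	rand.Read(jti)
	pl, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": htm, "htu": htu,
		"iat": now.Unix(), "ath": b64.EncodeToString(ath[:])})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}

// verifyProof is the resource-server side: typ/alg, signature, htm/htu, ath and freshness are checked
// and the thumbprint of the signing key is returned. A jti replay cache is omitted (assumption).
func verifyProof(proof, htm, htu, token string, now time.Time) (string, error) {
	p := strings.Split(proof, ".")
	if len(p) != 3 {
		return "", errors.New("malformed proof")
	}
	hb, e1 := b64.DecodeString(p[0])
	pb, e2 := b64.DecodeString(p[1])
	sig, e3 := b64.DecodeString(p[2])
	var hdr struct {
		Typ, Alg string
		JWK      jwk
	}
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return "", errors.New("malformed or unsupported proof")
	}
	xb, _ := b64.DecodeString(hdr.JWK.X)
	yb, _ := b64.DecodeString(hdr.JWK.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // JWS signing input
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) ||
		!ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("bad signature")
	}
	var c struct {
		JTI, HTM, HTU, ATH string
		IAT                int64
	}
	ath := sha256.Sum256([]byte(token))
	if json.Unmarshal(pb, &c) != nil || c.JTI == "" || c.HTM != htm || c.HTU != htu ||
		c.ATH != b64.EncodeToString(ath[:]) || now.Unix()-c.IAT > 60 || c.IAT-now.Unix() > 60 {
		return "", errors.New("proof does not match this request, token or 60 s time window")
	}
	return thumbprint(hdr.JWK), nil
}

type tokenInfo struct{ Sub, JKT string } // introspection result; JKT is empty for an unbound token

const userInfoURL = "https://as.example.com/userinfo" // hypothetical endpoint

// UserInfo returns (status, WWW-Authenticate, sub). Until the token is resolved the endpoint cannot
// know whether DPoP applies, so the challenge for a missing token advertises both schemes.
func UserInfo(store map[string]tokenInfo, authz, dpop string, now time.Time) (int, string, string) {
	scheme, token, ok := strings.Cut(authz, " ")
	if !ok {
		return 401, `Bearer realm="userinfo", DPoP algs="ES256"`, ""
	}
	info, known := store[token]
	switch {
	case !known:
		return 401, `Bearer error="invalid_token", DPoP error="invalid_token"`, ""
	case info.JKT == "" && strings.EqualFold(scheme, "Bearer"): // unbound token used as intended
		return 200, "", info.Sub
	case info.JKT == "": // unbound token under the DPoP scheme: not accepted by this RS (policy assumption)
		return 401, `Bearer error="invalid_token"`, ""
	case !strings.EqualFold(scheme, "DPoP"): // bound token replayed as a bare Bearer token
		return 401, `DPoP error="invalid_token"`, ""
	}
	jkt, err := verifyProof(dpop, "GET", userInfoURL, token, now)
	if err != nil {
		return 401, `DPoP error="invalid_dpop_proof"`, ""
	}
	if jkt != info.JKT { // well-formed proof, but signed by a key other than the one the token is bound to
		return 401, `DPoP error="invalid_token"`, ""
	}
	return 200, "", info.Sub
}
```

The point to take from the model is the ordering: the scheme in the Authorization header is only checked after the token has been resolved to its introspection result, because a bound token presented as "Bearer" and an unbound token presented as "DPoP" need different challenges, and a request with no token at all can only be answered with the combined Bearer/DPoP challenge.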