https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html#name-dpop-access-token-request is pretty clear (I think?) that DPoP is applicable with all token endpoint requests of any grant type.
I don't know what would be said about Token Revocation. I'm not seeing the UserInfo endpoint as being different enough to need any special treatment or discussion. But maybe that's just because I'm not sure what it would say.

On Wed, Oct 27, 2021 at 7:49 AM Dmitry Telegin <dmitryt= 40backbase....@dmarc.ietf.org> wrote:

> The draft currently focuses on DPoP support in Authorization endpoint and
> Token endpoint (authorization code grant + refresh token grant). The
> concept, however, could be extrapolated to several other endpoints, grant
> types and OAuth2 extensions:
> - ROPC (RFC 6749 section 1.3.3);
> - OAuth 2.0 Token Exchange (RFC 8693);
> - OAuth 2.0 Extension Grants (RFC 6749 section 4.5);
> - OAuth 2.0 Token Revocation (RFC 7009);
> - OpenID Connect
>
> (As for the latter, the UserInfo endpoint is introduced, which is an OAuth
> 2.0 protected resource conforming to OAuth 2.0 Bearer Token Usage (RFC
> 6750). However, UserInfo is different from the traditional protected
> resources in having no advance knowledge on whether DPoP should be enforced
> or not (until the incoming token is processed), hence the need to advertise
> both "Bearer" and "DPoP" schemes via WWW-Authenticate.)
>
> Would it make sense to mention these relations in the spec?
>
> Regards,
> Dmitry
> Backbase
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
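The UserInfo behaviour described in the quoted message, as an added example that is not part of the original thread or of the draft: the endpoint offers both schemes up front and only decides whether DPoP applies once the token's `cnf.jkt` claim has been read. The function names, `token_store` (a stand-in for token validation or introspection) and the key values are constructed for illustration, and `proof_jwk` is assumed to come from a DPoP proof whose signature, `htm`, `htu`, `iat` and `jti` were already validated elsewhere.

```python
import base64, hashlib, json

def jwk_thumbprint(jwk):
    """RFC 7638 SHA-256 thumbprint, the value carried in cnf.jkt."""
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canon = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canon.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def challenges(error=None):
    """WWW-Authenticate values: both schemes, since binding is unknown in advance."""
    bearer, dpop = "Bearer", 'DPoP algs="ES256"'
    if error:
        bearer += f' error="{error}"'
        dpop += f', error="{error}"'
    return [bearer, dpop]

def check_userinfo(authorization, proof_jwk, token_store):
    """Return (status, WWW-Authenticate list) for one UserInfo request."""
    if not authorization:
        return 401, challenges()
    scheme, _, token = authorization.partition(" ")
    claims = token_store.get(token.strip())
    if claims is None:
        return 401, challenges("invalid_token")
    jkt = claims.get("cnf", {}).get("jkt")
    if jkt is None:
        # Unbound token: only acceptable under the Bearer scheme.
        ok = scheme.lower() == "bearer"
    else:
        # Bound token: refuse it as Bearer (no downgrade) and require the
        # proof key to match the thumbprint the token was bound to.
        ok = (scheme.lower() == "dpop" and proof_jwk is not None
              and jwk_thumbprint(proof_jwk) == jkt)
    return (200, []) if ok else (401, challenges("invalid_token"))

# Constructed sample data: placeholder coordinates, not real key material.
KEY_A = {"kty": "EC", "crv": "P-256", "x": "constructed-x-A", "y": "constructed-y-A"}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "constructed-x-B", "y": "constructed-y-B"}
TOKENS = {
    "tok-bearer": {"sub": "alice"},
    "tok-dpop": {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(KEY_A)}},
}

if __name__ == "__main__":
    print(check_userinfo(None, None, TOKENS))
    print(check_userinfo("Bearer tok-dpop", None, TOKENS))
    print(check_userinfo("DPoP tok-dpop", KEY_A, TOKENS))
```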