My first thought was to simply let the client send two DPoP JWTs, one for the submitted token and another for the requested token, and then find a way in the AS to figure out which is which, but then I found this in section 4.3.1:
"To validate a DPoP proof, the receiving server MUST ensure that there is not more than one |DPoP| HTTP request header field,"
Thanks,
Vladimir
--
Vladimir Dzhuvinov
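As an added illustration, not code from the original message or from any DPoP implementation: a Python sketch of the receiving-side rule the quoted sentence imposes. It rejects a token request that carries two DPoP header fields (so a second proof for the requested token cannot be smuggled in that way), then runs the structural checks on the single proof that remains. The sample proof is constructed, its signature segment is a placeholder, and signature verification against the `jwk` header is assumed to be done by a JOSE library rather than shown here.

```python
import base64
import json
import time
REQUIRED_CLAIMS = ("jti", "htm", "htu", "iat")

def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def extract_single_dpop_header(headers):
    """headers: list of (name, value) pairs as received. Enforces the rule quoted
    from section 4.3.1: not more than one DPoP header field per request."""
    values = [v.strip() for n, v in headers if n.lower() == "dpop"]
    if len(values) != 1:
        raise ValueError(f"expected exactly one DPoP header field, got {len(values)}")
    return values[0]

def parse_dpop_proof(proof, expected_htm, expected_htu, now=None, max_skew=300):
    """Structural checks on a DPoP proof JWT (RFC 9449 section 4.3). Signature
    verification against the 'jwk' header is left to a JOSE library."""
    parts = proof.split(".")
    if len(parts) != 3:
        raise ValueError("DPoP proof is not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("typ") != "dpop+jwt":
        raise ValueError("typ must be dpop+jwt")
    alg = str(header.get("alg", ""))
    if alg == "none" or alg.startswith("HS") or "jwk" not in header:
        raise ValueError("alg must be asymmetric and jwk must be present")
    if "d" in header["jwk"]:
        raise ValueError("jwk must not carry a private key")
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"missing claims: {missing}")
    if claims["htm"] != expected_htm or claims["htu"] != expected_htu:
        raise ValueError("htm/htu do not match this request")
    if abs((time.time() if now is None else now) - claims["iat"]) > max_skew:
        raise ValueError("iat outside the acceptable window")
    return header, claims

# Constructed sample proof; the signature segment is a placeholder, not a real ES256 signature.
SAMPLE_PROOF = ".".join([
    _b64url_encode({"typ": "dpop+jwt", "alg": "ES256", "jwk": {"kty": "EC", "crv": "P-256", "x": "x-placeholder", "y": "y-placeholder"}}),
    _b64url_encode({"jti": "abc123", "htm": "POST", "htu": "https://as.example/token", "iat": 1700000000}),
    "sig-placeholder"])
```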
OAuth mailing list: OAuth@ietf.org, https://www.ietf.org/mailman/listinfo/oauth