Hello Dmitry,

TLDR: yes, DPoP and Step-Up can be used together.

The first sentence in the section of step-up that describes the new bits for the WWW-Authenticate even explicitly mentions DPoP: https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-06.html#section-3 and other schemes that are like RFC 6750. The process of extending/building on RFC 6750 seemed pretty open ended when I looked at the details. There's a registry for the HTTP auth scheme and one for OAuth error codes. I did my best to define DPoP and step-up stuff, given what was already in place, in a reasonable way. And that should match more or less what you're looking for.

I don't know specifics around conformance but I think that DPoP is being worked on or planned with the FAPI 2.0 tests.

On Mon, Nov 14, 2022 at 5:42 PM Dmitry Telegin <dmitryt= 40backbase....@dmarc.ietf.org> wrote:

> - DPoP and Step-Up (hello Brian :)
>
> TL;DR: can we use DPoP and Step-Up together?
>
> The question is probably more about understanding of the process rather
> than technical details. If I understand correctly, Step-Up is meant to
> amend/extend RFC 6750. Can we say that the features defined in Step-Up
> automatically become available for the specs that build on top of 6750,
> e.g. DPoP? In other words, would the following response be considered valid:
>
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: DPoP algs="ES256 PS256",
> error="insufficient_user_authentication",
> error_description="A different authentication level is required",
> acr_values="myACR"
>
>
> - DPoP conformance
> Is there any "official" conformance suite that could be used to test an
> AS/RS for DPoP conformance? Would that be the OIDC Conformance Suite (its
> FAPI2 part)?
>
> Thanks,
> Dmitry
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
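Added example, not part of the original thread or of either specification: a client-side sketch that parses a WWW-Authenticate value like the one in the question and extracts the step-up parameters whether they arrive on a Bearer or a DPoP challenge. The function names and the second sample header are assumptions made for illustration.

```python
import re

# One item of a challenge list: a bare token (auth-scheme) or token=value (auth-param).
# token68 credentials (e.g. Negotiate) are out of scope for this sketch.
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_ITEM = re.compile(rf'\s*,?\s*({_TOKEN})(?:\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+)))?')
STEP_UP_ERROR = "insufficient_user_authentication"

def parse_challenges(header):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    header, pos, challenges = header.strip(), 0, []
    while pos < len(header):
        m = _ITEM.match(header, pos)
        if not m:
            raise ValueError(f"malformed challenge at offset {pos}")
        name, quoted, bare = m.groups()
        if quoted is None and bare is None:       # bare token starts a new challenge
            challenges.append((name, {}))
        elif not challenges:
            raise ValueError("auth-param before any auth-scheme")
        else:
            value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
            challenges[-1][1][name.lower()] = value  # param names are case-insensitive
        pos = m.end()
    return challenges

def step_up_request(header, schemes=("bearer", "dpop")):
    """Return what the client must change in its next authorization request, or None."""
    for scheme, p in parse_challenges(header):
        if scheme.lower() not in schemes or p.get("error") != STEP_UP_ERROR:
            continue
        req = {"scheme": scheme}
        if "acr_values" in p:                     # space-separated, in preference order
            req["acr_values"] = p["acr_values"].split()
        if "max_age" in p:
            if not p["max_age"].isdigit():
                raise ValueError("max_age must be a non-negative integer")
            req["max_age"] = int(p["max_age"])
        if scheme.lower() == "dpop" and "algs" in p:
            req["dpop_algs"] = p["algs"].split()  # JWS algs the RS accepts for proofs
        return req
    return None

# The response from the question, with the header folding removed.
QUESTION = ('DPoP algs="ES256 PS256", error="insufficient_user_authentication", '
            'error_description="A different authentication level is required", '
            'acr_values="myACR"')
# Constructed sample: two challenges in one header, step-up carried on the DPoP one.
MIXED = ('Bearer realm="api", DPoP algs="ES256", '
         'error="insufficient_user_authentication", max_age="300"')
```

Calling step_up_request(QUESTION) yields the acr_values to send in the new authorization request together with the proof algorithms from the same DPoP challenge.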