Thanks Brian, it's clear now. Shame on me for having overlooked that DPoP bit in Sec 3.
Dmitry

On Tue, Nov 15, 2022 at 10:20 PM Brian Campbell <bcampbell=40pingidentity....@dmarc.ietf.org> wrote:
> Hello Dmitry,
>
> TLDR: yes DPoP and Step-Up can be used together.
>
> The first sentence in the section of step-up that describes the new bits
> for the WWW-Authenticate even explicitly mentions DPoP:
> https://www.ietf.org/archive/id/draft-ietf-oauth-step-up-authn-challenge-06.html#section-3
> and other schemes that are like RFC 6750. The process of extending/building
> on RFC 6750 seemed pretty open ended when I looked at the details. There's
> a registry for the HTTP auth scheme and one for OAuth error codes. I did my
> best to define DPoP and step-up stuff, given what was already in place, in
> a reasonable way. And that should match more or less what you're looking
> for.
>
> I don't know specifics around conformance but I think that DPoP is being
> worked on or planned with the FAPI 2.0 tests.
>
> On Mon, Nov 14, 2022 at 5:42 PM Dmitry Telegin <dmitryt=40backbase....@dmarc.ietf.org> wrote:
>
>> - DPoP and Step-Up (hello Brian :)
>>
>> TL;DR: can we use DPoP and Step-Up together?
>>
>> The question is probably more about understanding of the process rather
>> than technical details. If I understand correctly, Step-Up is meant to
>> amend/extend RFC 6750. Can we say that the features defined in Step-Up
>> automatically become available for the specs that build on top of 6750,
>> e.g. DPoP? In other words, would the following response be considered valid:
>>
>>     HTTP/1.1 401 Unauthorized
>>     WWW-Authenticate: DPoP algs="ES256 PS256",
>>       error="insufficient_user_authentication",
>>       error_description="A different authentication level is required",
>>       acr_values="myACR"
>>
>> - DPoP conformance
>> Is there any "official" conformance suite that could be used to test an
>> AS/RS for DPoP conformance? would that be the OIDC Conformance Suite (its
>> FAPI2 part)?
>>
>> Thanks,
>> Dmitry
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
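Added example, not code from the thread, from either draft, or from any conformance suite: a small Python builder and parser for the 401 challenge shown in the quoted question, i.e. a WWW-Authenticate value under the DPoP scheme that carries the step-up parameters. The function names are mine, and emitting max_age as a quoted-string is an assumption.

```python
import re
from dataclasses import dataclass, field

# auth-param = token "=" ( token / quoted-string ), per RFC 9110 section 11.2
_PARAM = re.compile(r'\s*([A-Za-z0-9_.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))\s*(?:,|$)')
# The challenge from the quoted question, unfolded onto one line (constructed copy).
THREAD_CHALLENGE = ('DPoP algs="ES256 PS256", error="insufficient_user_authentication", '
                    'error_description="A different authentication level is required", '
                    'acr_values="myACR"')

@dataclass
class Challenge:
    scheme: str
    params: dict = field(default_factory=dict)

def build_step_up_challenge(algs, acr_values, description=None, max_age=None):
    """Resource-server side: WWW-Authenticate value for a DPoP step-up challenge.
    max_age is emitted as a quoted-string here; that form is an assumption."""
    parts = [f'algs="{" ".join(algs)}"', 'error="insufficient_user_authentication"']
    if description:
        parts.append(f'error_description="{description}"')
    parts.append(f'acr_values="{" ".join(acr_values)}"')
    if max_age is not None:
        parts.append(f'max_age="{int(max_age)}"')
    return "DPoP " + ", ".join(parts)

def parse_challenge(header):
    """Client side: split the scheme from its auth-params (names are case-insensitive)."""
    scheme, _, rest = header.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param near {rest[pos:pos + 20]!r}")
        name, quoted, bare = m.groups()
        # only the \" escape is undone; enough for the values these specs define
        params[name.lower()] = bare if quoted is None else quoted.replace('\\"', '"')
        pos = m.end()
    return Challenge(scheme, params)

def step_up_required(ch):
    """Return what the client must satisfy if this is a step-up challenge, else None.
    Accepts Bearer as well as DPoP, since the draft covers all RFC 6750-like schemes."""
    if ch.scheme.lower() not in ("bearer", "dpop") or \
            ch.params.get("error") != "insufficient_user_authentication":
        return None
    max_age = ch.params.get("max_age")
    return {"algs": ch.params.get("algs", "").split(),
            "acr_values": ch.params.get("acr_values", "").split(),
            "max_age": None if max_age is None else int(max_age)}
```

A client that receives a non-None result should re-authenticate the user with those acr_values (and within max_age, when given) and then retry with a fresh DPoP-bound token, rather than simply retrying the same token.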