In section 5, the example access token requests are missing either the client_id parameter in the POST body or the client authentication in the HTTP header.

https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-11.html#section-5

Given that DPoP is primarily targeted at public clients, I would recommend adding the client_id parameter to the POST body in the example. This goes for both the authorization_code grant as well as the refresh_token grant. I believe this is a purely editorial change since DPoP doesn't change any requirements about client authentication or the client_id parameter.

---
Aaron Parecki
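An added example, not part of the original message or of the draft: a small Python check that reports how a raw token request identifies the client, run over requests for both grant types mentioned above. The host, parameter values, DPoP proof placeholder and the function name are constructed for illustration.

```python
from urllib.parse import parse_qs

def client_identification(raw_request):
    """List the ways a raw HTTP token request identifies the client."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = parse_qs(body.strip())
    found = []
    if form.get("client_id"):
        found.append("client_id in POST body")
    # Only client authentication counts here; the DPoP header is not one.
    if headers.get("authorization", "").lower().startswith("basic "):
        found.append("HTTP Basic client authentication")
    if form.get("client_assertion"):
        found.append("client assertion in POST body")
    return found

# Constructed sample requests; host, values and the proof are placeholders.
HEAD = ("POST /token HTTP/1.1\n"
        "Host: server.example.com\n"
        "Content-Type: application/x-www-form-urlencoded\n"
        "DPoP: PLACEHOLDER.DPOP.PROOF\n")
CODE_BODY = ("grant_type=authorization_code&code=CONSTRUCTED_CODE"
             "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
             "&code_verifier=CONSTRUCTED_VERIFIER")
REFRESH_BODY = "grant_type=refresh_token&refresh_token=CONSTRUCTED_RT"

SAMPLES = {
    "code grant, no client identification": HEAD + "\n" + CODE_BODY,
    "code grant, public client":
        HEAD + "\n" + CODE_BODY + "&client_id=CONSTRUCTED_CLIENT",
    "refresh grant, no client identification": HEAD + "\n" + REFRESH_BODY,
    "refresh grant, confidential client":
        HEAD + "Authorization: Basic Y29uc3RydWN0ZWQ6c2VjcmV0\n\n" + REFRESH_BODY,
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, "->", client_identification(request) or "MISSING")
```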