Hi -- another DPoP question :) In the very last paragraph, in the very last sentence of section "5. DPoP Access Token Request", draft-ietf-oauth-dpop-13 says:
"This existing sender-constraining mechanism is more flexible (e.g., it allows credential rotation for the client without invalidating refresh tokens) than binding directly to a particular public key."

Can someone clarify if the term "credential rotation" refers to the client authentication credential, or the DPoP credential? I'm pretty sure it means the DPoP credential, since that would allow for a new DPoP proof to be used for new access tokens generated from the same refresh token. Is this correct?

Thanks, as always!

-Brock
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth