Re: [OAUTH-WG] Token substitution in DPoP

2020-11-20 Thread Nikos Fotiou
Hi,

The token is granted to a client based on the authorization grant and not the client's key. Therefore, a client may use a different key per token. At least this is an approach we are following.

Best,
Nikos

-----Original Message-----
From: OAuth On Behalf Of Justin Richer
Sent: Friday, Nov

[OAUTH-WG] Token substitution in DPoP

2020-11-20 Thread Justin Richer
While working on an implementation of DPoP recently, I realized that the value of the access token itself is not covered by the DPoP signature at all. What I’m wondering is whether or not this constitutes an attack surface that we care about here. Here’s how it works: Let’s say that a client c