Re: [OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-16 Thread John Bradley
Yes, FAL3 would be about binding the idToken, not the access token, so different from what Mike proposed for implicit.

On Fri, Jul 16, 2021, 2:18 PM Justin Richer wrote:
> Binding the access token is not required for FAL3. FAL has nothing to say
> about access tokens:
>
> https://pages.nist.gov/8

Re: [OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-16 Thread Justin Richer
Binding the access token is not required for FAL3. FAL has nothing to say about access tokens: https://pages.nist.gov/800-63-FAQ/#q-c8 FAL3 is about presenting proof of a key representing the user alongside an assertion representing the user. In OIDC t

Re: [OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-16 Thread Brian Campbell
Binding tokens issued directly from the authorization endpoint has been intentionally considered out of scope for the main DPoP draft. This draft https://datatracker.ietf.org/doc/html/draft-jones-oauth-dpop-implicit-00 was written that explores what it might look like. But it hasn't seen a lot of

Re: [OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-16 Thread John Bradley
Binding the token would be required for OAuth or Connect to meet the SP800-63 FAL3 requirements. Something like DPoP might work. I don't think DPoP itself should directly add support. I don't know if people really care about FAL3; unfortunately the simple solution of using token-binding seems q

[OAUTH-WG] Call for adoption - OAuth Proof of Possession Tokens with HTTP Message Signatures

2021-07-16 Thread Rifaat Shekh-Yusef
All,

This is a call for adoption for the *OAuth Proof of Possession Tokens with HTTP Message Signatures* draft as a WG document:
https://datatracker.ietf.org/doc/draft-richer-oauth-httpsig/

Please, provide your feedback on the mailing list *by July 30th*.

Regards,
Rifaat & Hannes

Re: [OAUTH-WG] DPoP and implicit/hybrid flows

2021-07-16 Thread Justin Richer
I personally hope we don’t. JAR already gives us signed requests at the authorization endpoint, though the last piece would be binding the token.

— Justin

> On Jul 15, 2021, at 6:47 PM, Dmitry Telegin
> wrote:
>
> Hi,
>
> The DPoP spec currently defines how to obtain a DPoP-bound token via