[OAUTH-WG] DPoP: Why do token requests using refresh tokens not require the use of an "ath" claim?

2023-06-29 Thread Alexander Rademann
Section 7 of the DPoP specification [1] says that a "DPoP proof MUST include the ath claim with a valid hash of the associated access token". One reason for that requirement is given in the second paragraph of that section:
> Binding the token value to the proof in this way prevents a proof to be
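The two checks the thread is about, as an added example that is neither part of the thread nor code from the DPoP specification: on the token endpoint (including a refresh_token grant) there is no access token yet, so the proof carries no ath and the authorization server only derives the RFC 7638 thumbprint (jkt) it will bind into the new access token; on the resource server the proof must carry an ath matching the presented token and a key matching the token's cnf.jkt, so a proof captured for one token cannot be presented with another. Python standard library only. Assumptions: the JWS signature, jti replay and iat freshness checks are done by the caller before these functions run (they are not implemented here), the JWK coordinates and token strings are constructed sample data, and the proof is passed as already-decoded header and claims dictionaries rather than a serialized JWT.

```python
"""Added example: DPoP ath and cnf.jkt checks in the style of RFC 9449 (not code from the thread)."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_ath(access_token: str) -> str:
    """RFC 9449 section 4.2: ath = base64url(SHA-256(ASCII(access_token)))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def as_check_token_request_proof(header: dict, claims: dict, htm: str, htu: str) -> Optional[str]:
    """Authorization server side, token endpoint (including the refresh_token grant).
    No access token exists yet, so no ath is expected; the result is the jkt the AS
    binds into the new access token's cnf claim. Returns None when the proof is rejected.
    Signature, jti and iat checks are assumed to have been done by the caller."""
    if header.get("typ") != "dpop+jwt" or "jwk" not in header:
        return None
    if claims.get("htm") != htm or claims.get("htu") != htu:
        return None
    return jwk_thumbprint(header["jwk"])


def rs_check_proof(header: dict, claims: dict, access_token: str,
                   token_cnf_jkt: str, htm: str, htu: str) -> bool:
    """Resource server side (RFC 9449 section 7): the proof MUST carry an ath for the
    presented access token and its key MUST match the token's cnf.jkt."""
    if header.get("typ") != "dpop+jwt" or "jwk" not in header:
        return False
    if claims.get("htm") != htm or claims.get("htu") != htu:
        return False
    ath = claims.get("ath")
    if not isinstance(ath, str):
        return False  # no ath: a token-endpoint proof (or a stripped one) is not valid here
    if not hmac.compare_digest(ath, compute_ath(access_token)):
        return False  # the proof was minted for a different access token
    if not hmac.compare_digest(jwk_thumbprint(header["jwk"]), token_cnf_jkt):
        return False  # the proof key is not the key the token was bound to
    return True


# Constructed sample data: public key coordinates are treated as opaque strings for the
# thumbprint and are not used cryptographically; the access token is an opaque string.
CLIENT_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
OTHER_JWK = {"kty": "EC", "crv": "P-256",
             "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
             "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}
TOKEN_HTU = "https://as.example.com/token"
RS_HTU = "https://rs.example.com/resource"
ACCESS_TOKEN = "constructed-opaque-access-token-0001"


def demo() -> dict:
    """Walk through a refresh_token grant followed by a resource request."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": CLIENT_JWK}
    # 1. refresh_token grant: the proof has no ath; the AS derives the jkt for the new token.
    refresh_proof = {"jti": "n1", "htm": "POST", "htu": TOKEN_HTU, "iat": 1687950000}
    jkt = as_check_token_request_proof(header, refresh_proof, "POST", TOKEN_HTU)
    # 2. resource request: the proof now carries ath for the token it accompanies.
    rs_proof = {"jti": "n2", "htm": "GET", "htu": RS_HTU, "iat": 1687950060,
                "ath": compute_ath(ACCESS_TOKEN)}
    other_header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": OTHER_JWK}
    return {
        "token_request_bound": jkt is not None,
        "rs_accepts": rs_check_proof(header, rs_proof, ACCESS_TOKEN, jkt, "GET", RS_HTU),
        # the same proof presented with a different access token fails the ath check
        "rs_rejects_other_token": not rs_check_proof(header, rs_proof, "another-token", jkt, "GET", RS_HTU),
        # a token-endpoint proof (no ath) is not acceptable at the resource server
        "rs_rejects_no_ath": not rs_check_proof(header, refresh_proof, ACCESS_TOKEN, jkt, "POST", TOKEN_HTU),
        # a proof under a different key fails the cnf.jkt check even with a correct ath
        "rs_rejects_other_key": not rs_check_proof(other_header, rs_proof, ACCESS_TOKEN, jkt, "GET", RS_HTU),
    }
```

The ath check and the jkt check are complementary: ath ties the proof to one token, and cnf.jkt ties the token to one key, so a proof that is valid for a given token can only have been made by the key holder the token was issued to. On the token endpoint the first tie cannot exist yet, which is why only the second one is established there.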

[OAUTH-WG] BCP: Mix-Up Attacks, Implicit Grant Variant

2023-06-14 Thread Alexander Rademann
Hello, everyone! Section 4.4.1 of the BCP draft lists several variants of mix-up attacks; the description of the Implicit grant variant reads as follows: "In the implicit grant, the attacker receives an access