https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html#name-dpop-access-token-request
is pretty clear (I think?) that DPoP is applicable with all token endpoint
requests of any grant type.
I don't know what would be said about Token Revocation.
I'm not seeing the UserInfo endpoint as being
The draft currently focuses on DPoP support in Authorization endpoint and
Token endpoint (authorization code grant + refresh token grant). The
concept, however, could be extrapolated to several other endpoints, grant
types and OAuth2 extensions:
- ROPC (RFC 6749 section 1.3.3);
- OAuth 2.0 Token Ex
