It can be a bit of a balancing act to have examples that clearly and
concisely demonstrate the target functionality of the document but do so in
the context of an otherwise complete and valid protocol message that also
shows best practices being adhered to. But I think in this case I agree
that add

I've updated the DPoP in Go implementation to -02:
https://github.com/pquerna/dpop
Compared to implementing -01, because the same proof is used against
the token requests and resource server access, it did generally
simplify the implementation risk and complexity.
Getting the private key fingerpr

Hi all!
I am reading through the latest draft ( ... dpop-02). When I got to
the first example request (bullet 5.) I saw that only 'grant_type,
code, redirect_uri' are used.
If I am not mistaken the recommendation is to generally use PKCE with
an authorization_code flow. Therefore, I wondered if t

Hello Daniel, everyone,
I don't know if this belongs to the DPoP document itself or each respective
BCP (especially Browser-Based Apps), but one of the documents should give
recommendation to implementers on how to
1. generate the unique private keys per installation / browser session
2. pl

I've updated my OP projects draft implementation to 02 as well as the
example browser based client using DPoP for those interested
RP: https://murmuring-journey-60982.herokuapp.com
OP: https://op.panva.cz/.well-known/openid-configuration
As I've mentioned in the GitHub issue tracker I think a ser

All,
In preparation for the meeting in Montreal, I just uploaded a new version
of the DPoP draft:
https://tools.ietf.org/html/draft-fett-oauth-dpop-02
Please have a look and let me know what you think. We should make this a
working group item soon.
As you might have noticed, there is also a new