DPoP – Current Draft, Next Steps

From IIW



Thursday 11H

Convener: Daniel Fett

Notes-taker(s): Mike Engan


Tags for the session - technology discussed/ideas considered:


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


1. Notes received from Mike Engan:


DPoP status.

The group walked through the current DPoP spec and the GitHub issue tracker repository:

https://github.com/danielfett/draft-dpop

The latest draft is the one in the GitHub repository, not the one published at the IETF.

Daniel walked the group through the token request and the new parameters in that request, and then through the resource request call with DPoP signatures.

Discussion of whether the new attributes belong in the body or in headers.

Discussion of whether or not to include “bearer” with the access_token in the Authorization header.

Discussion around the HTTP request signing methods attempted over the years, including the Cavage signature draft.

Discussion around the use of http_uri and its alternative: making it a more generic aud (or another name).

Discussion of whether clients should be more explicitly forced to sign every request.

Discussion of whether the spec should allow an implementation in which a DPoP proof is re-used.

Suggestion to change exp to iat.
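The resource request, the http_uri binding, the re-use question and the exp/iat suggestion above all come together on the resource server side. The following is an added example written for these notes; it is not code from the session, from the draft-dpop repository or from any DPoP library. It assumes the draft-00 claim names that were in use at the time (jti, http_method, http_uri), a dpop+jwt header with an inline JWK, ES256 signatures, and iat in place of exp as suggested in the session; the URL rs.example and the jti values are constructed. It builds a proof for one request, then verifies it by checking the signature against the embedded key, the method and URI binding, the proof age from iat, and single use via a jti replay cache. Binding the proof key to the access token is a separate step not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ProofClaims uses the claim names discussed in the session (assumed draft-00 naming; later
// drafts renamed them): jti for single use, http_method/http_uri for request binding, iat for age.
type ProofClaims struct {
	JTI        string `json:"jti"`
	HTTPMethod string `json:"http_method"`
	HTTPURI    string `json:"http_uri"`
	Iat        int64  `json:"iat"`
}

var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// be32 renders a P-256 coordinate or a signature half as 32 big-endian bytes.
func be32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// CreateProof signs one ES256 DPoP proof bound to a single HTTP method and URI.
func CreateProof(key *ecdsa.PrivateKey, method, uri, jti string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": map[string]string{
		"kty": "EC", "crv": "P-256", "x": enc(be32(key.X)), "y": enc(be32(key.Y))}})
	body, _ := json.Marshal(ProofClaims{JTI: jti, HTTPMethod: method, HTTPURI: uri, Iat: now.Unix()})
	signingInput := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(append(be32(r), be32(s)...)), nil
}

// Verifier is the resource server side; Seen is its replay cache of accepted jti values.
type Verifier struct {
	Seen   map[string]bool
	MaxAge time.Duration
}

// VerifyProof checks the signature with the embedded key, the request binding, freshness
// (iat) and single use (jti). Binding that key to the access token is a separate step.
func (v *Verifier) VerifyProof(proof, method, uri string, now time.Time) (*ProofClaims, error) {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed proof")
	}
	hb, e1 := dec(parts[0])
	cb, e2 := dec(parts[1])
	sig, e3 := dec(parts[2])
	var hdr struct { // encoding/json matches "typ", "alg", "jwk" case-insensitively
		Typ, Alg string
		JWK      map[string]string
	}
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("malformed proof")
	}
	coord := func(s string) *big.Int { b, _ := dec(s); return new(big.Int).SetBytes(b) }
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: coord(hdr.JWK["x"]), Y: coord(hdr.JWK["y"])}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["crv"] != "P-256" || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return nil, errors.New("unexpected header or key")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(&pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var claims ProofClaims
	if json.Unmarshal(cb, &claims) != nil || claims.HTTPMethod != method || claims.HTTPURI != uri {
		return nil, errors.New("proof unreadable or bound to a different request")
	}
	// iat instead of exp: the server decides the acceptance window, with a little clock skew.
	if age := now.Sub(time.Unix(claims.Iat, 0)); age < -30*time.Second || age > v.MaxAge {
		return nil, errors.New("proof too old or from the future")
	}
	if v.Seen[claims.JTI] {
		return nil, errors.New("replay: jti already used")
	}
	v.Seen[claims.JTI] = true
	return &claims, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	v := &Verifier{Seen: map[string]bool{}, MaxAge: 5 * time.Minute}
	proof, _ := CreateProof(key, "GET", "https://rs.example/protected", "constructed-jti-1", time.Now())
	_, first := v.VerifyProof(proof, "GET", "https://rs.example/protected", time.Now())
	_, replay := v.VerifyProof(proof, "GET", "https://rs.example/protected", time.Now())
	fmt.Println("first use:", first, "| replay:", replay)
}
```

The jti cache is what makes the "should a DPoP proof be re-used" question concrete: with it, a captured proof is worth nothing after its first use and expires out of the cache after MaxAge; without it, a proof bound only by iat is replayable for the whole window. The cache needs to be shared or pruned in a real deployment, which a single in-memory map does not do.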

Discussion on enabling key rotation.

Two other sessions with similar approaches were mentioned (T-Mobile's PoP token, and Sasha's client tokens session on day one).