DPoP – Current Draft, Next Steps
Thursday 11H
Convener: Daniel Fett
Notes-taker(s): Mike Engan
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
1. Notes received from Mike Engan:
DPoP status.
The group walked through the current DPoP spec and its GitHub issue tracker repository:
https://github.com/danielfett/draft-dpop
The latest draft lives in that GitHub repository, not in the version published at the IETF.
Daniel walked the group through the token request and the new parameters in that request.
He then walked through the resource request call with DPoP signatures.
Discussion of whether the DPoP parameters belong in the body or in header attributes.
Discussion of whether or not to keep "bearer" on the access_token in the Authorization header.
Discussion around the HTTP request signing methods attempted over the years,
including the Cavage signature draft.
Discussion around the use of http_uri versus the other option of making it a more generic aud (or another name).
Discussion on whether clients should be more explicitly forced to sign every request.
Discussion of whether the spec should allow an implementation in which a DPoP proof is re-used.
Suggestion to change exp to iat.
Discussion on enabling key rotation.
Two other sessions with similar approaches were mentioned (T-Mobile's PoP token, and Sasha's client tokens session on day one).