DPoP (Demonstrating Proof of Possession)

• “bearer” token grants access to the “bearer” of the token
• sender-constrained tokens to solve the problem of leaked “bearer” tokens
• client using a “bearer” token provides “a proof” every time it uses the token
  • “proof” ensures client has a secret private key
  • “proof” is usually a JWT signed by the secret private key
  • binds “proof” to a specific HTTP request
• application layer
• no PKI required

Links

• Protect Your Access Tokens with DPoP (Demonstrating Proof of Possession) | Auth0
• RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)
• dpop.info