https://atosh502.github.io/tags/oauth/Recent content in Oauth on Aashutosh PoudelHugoen-USCopyright © \b20\d{2}\b, Aashutosh Poudel.Mon, 23 Mar 2026 00:00:00 +0000https://atosh502.github.io/blog/til/2026/march/dpop-demonstrating-proof-of-possession/Mon, 23 Mar 2026 00:00:00 +0000https://atosh502.github.io/blog/til/2026/march/dpop-demonstrating-proof-of-possession/<ul> <li>&ldquo;bearer&rdquo; token grants access to the &ldquo;bearer&rdquo; of the token</li> <li>sender-constrained tokens to solve the problem of leaked &ldquo;bearer&rdquo; tokens</li> <li>client using a &ldquo;bearer&rdquo; token provides &ldquo;a proof&rdquo; every time it uses the token <ul> <li>&ldquo;proof&rdquo; ensures client has a secret private key</li> <li>&ldquo;proof&rdquo; is usually a JWT signed by the secret private key</li> <li>binds &ldquo;proof&rdquo; to a specific HTTP request</li> </ul> </li> <li>application layer</li> <li>no PKI required</li> </ul> <p>Links</p> <ul> <li><a href="https://auth0.com/blog/protect-your-access-tokens-with-dpop/">Protect Your Access Tokens with DPoP (Demonstrating Proof of Possession) | Auth0</a></li> <li><a href="https://www.rfc-editor.org/rfc/rfc9449.html">RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)</a></li> <li><a href="https://dpop.info/">dpop.info</a></li> </ul>