[Openid-specs-ab] OpenID Connect Key Binding :: Proposed WG Item

Dick Hardt dick.hardt at gmail.com
Fri Aug 15 13:54:25 UTC 2025


Based on feedback from Filipe in the call, I'm proposing that the RP
includes the `code` value as an additional claim in the DPoP JWT, and that
the OP verifies it matches the `code` value in the token request. (changing
from overriding the `nonce` claim)

I'll make this change to the proposed doc early next week unless
someone has a different proposal. We can then review this on the call
Thursday next week.

On Mon, Aug 11, 2025 at 5:26 PM Dick Hardt <dick.hardt at gmail.com> wrote:

> Hey
>
> Ethan and I are offering the attached document as a contribution to the
> Connect WG.
>
> Mike / Nat: is there room on the agenda this coming Thursday to discuss?
>
> For those of you that don't know him, Ethan worked on OpenPubkey
> <https://www.bastionzero.com/openpubkey> and now works at Cloudflare.
>
> There is very little new normative language in this spec. We are building
> on the great work done by:
>
> Daniel Fett
> Brian Campbell
> John Bradley
> Torsten Lodderstedt
> Michael Jones
> David Waite
>
>
> in
>
>  RFC9449 - OAuth 2.0 Demonstrating Proof of Possession
> <https://datatracker.ietf.org/doc/html/rfc9449>
>
> and profiling it for OpenID Connect.
>
> Here is the repo where you can file issues / comments / PRs
>
> https://github.com/dickhardt/openid-key-binding
>
> /Dick and Ethan
>
>
>
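The check proposed above, worked through as an added Go example (not code from the thread, the draft, or RFC 9449's authors): the RP builds a DPoP proof JWT for the token request and includes the authorization `code` as a claim; the OP verifies the proof's signature under the embedded key, the `htm`/`htu` binding, and that the `code` claim equals the `code` parameter of the token request, then returns the key thumbprint it would bind the issued tokens to. It assumes ES256 on P-256 and the claim name `code` as in the proposal; the token endpoint URL and the code value are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// b64 is base64url without padding, the encoding JWS uses; coord fixes a
// P-256 coordinate at 32 bytes.
func b64(b []byte) string     { return base64.RawURLEncoding.EncodeToString(b) }
func coord(i *big.Int) []byte { return i.FillBytes(make([]byte, 32)) }

// jwkThumbprint is the RFC 7638 thumbprint of a P-256 key (required members in
// lexicographic order, no whitespace); the OP binds issued tokens to it (cnf.jkt).
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	canon := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, b64(coord(pub.X)), b64(coord(pub.Y)))
	h := sha256.Sum256([]byte(canon))
	return b64(h[:])
}

// NewDPoPProof is the RP side: a DPoP proof JWT (RFC 9449, ES256) carrying the
// authorization code as an additional claim, as proposed in the thread.
func NewDPoPProof(priv *ecdsa.PrivateKey, htm, htu, code, jti string, iat int64) (string, error) {
	header := map[string]any{
		"typ": "dpop+jwt", "alg": "ES256",
		"jwk": map[string]string{"kty": "EC", "crv": "P-256",
			"x": b64(coord(priv.PublicKey.X)), "y": b64(coord(priv.PublicKey.Y))},
	}
	claims := map[string]any{"jti": jti, "htm": htm, "htu": htu, "iat": iat, "code": code}
	hj, _ := json.Marshal(header) // map keys are emitted sorted, so this is deterministic
	cj, _ := json.Marshal(claims)
	signingInput := b64(hj) + "." + b64(cj)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(append(coord(r), coord(s)...)), nil // JWS uses raw r||s
}

// VerifyDPoPProof is the OP side at the token endpoint: header and signature
// under the embedded jwk, htm/htu binding, and the proposed code check. It
// returns the thumbprint of the proving key on success.
func VerifyDPoPProof(proof, expectHTM, expectHTU, requestCode string) (string, error) {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed JWT")
	}
	hb, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	cb, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sb, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || len(sb) != 64 {
		return "", errors.New("bad base64url segment")
	}
	// encoding/json matches field names case-insensitively, so "kty" fills Kty.
	var header struct {
		Typ, Alg string
		JWK      struct{ Kty, Crv, X, Y string }
	}
	if json.Unmarshal(hb, &header) != nil || header.Typ != "dpop+jwt" || header.Alg != "ES256" ||
		header.JWK.Kty != "EC" || header.JWK.Crv != "P-256" {
		return "", errors.New("unexpected DPoP header")
	}
	xb, ex := base64.RawURLEncoding.DecodeString(header.JWK.X)
	yb, ey := base64.RawURLEncoding.DecodeString(header.JWK.Y)
	if ex != nil || ey != nil {
		return "", errors.New("bad jwk coordinates")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return "", errors.New("jwk point not on curve")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sb[:32]), new(big.Int).SetBytes(sb[32:])) {
		return "", errors.New("DPoP signature invalid")
	}
	var claims struct{ Htm, Htu, Code string }
	if json.Unmarshal(cb, &claims) != nil || claims.Htm != expectHTM || claims.Htu != expectHTU {
		return "", errors.New("htm/htu do not match the token request")
	}
	// The proposed check: the proof must name the same code the request carries.
	if claims.Code == "" || claims.Code != requestCode {
		return "", errors.New("code claim does not match token request")
	}
	return jwkThumbprint(pub), nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed sample values: placeholder token endpoint and authorization code.
	const tokenURL, code = "https://op.example/token", "SplxlOBeZQQYbYS6WxSbIA"
	proof, _ := NewDPoPProof(priv, "POST", tokenURL, code, "jti-0001", 1755265000)
	jkt, err := VerifyDPoPProof(proof, "POST", tokenURL, code)
	fmt.Println("matching code -> jkt:", jkt, "err:", err)
	_, err = VerifyDPoPProof(proof, "POST", tokenURL, "some-other-code")
	fmt.Println("different code -> err:", err)
}
```

Because the code sits inside the signed payload, a proof captured for one token request cannot be reused with another code, and the OP still gets the usual `jkt` binding from the embedded key. Production code would also enforce `iat` freshness and `jti` replay tracking, which RFC 9449 requires and this example omits.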