[Openid-specs-fapi] Issue #503: DPoP, PAR and Authorization Code binding (openid/fapi)
dgtonge
issues-reply at bitbucket.org
Fri Jun 24 12:53:42 UTC 2022
New issue 503: DPoP, PAR and Authorization Code binding
https://bitbucket.org/openid/fapi/issues/503/dpop-par-and-authorization-code-binding
Dave Tonge:
I have a few questions about DPoP and PAR in FAPI 2.
The DPoP spec says this:
> Both mechanisms _(proof in header or dpop_jkt in body)_ MUST be supported by an authorization server that supports PAR and DPoP. If both mechanisms are used at the same time, the authorization server MUST reject the request if the JWK Thumbprint in dpop_jkt does not match the public key in the DPoP header.
Do we need to call this out in the FAPI 2.0 spec? I feel it could be missed, as we only refer to DPoP as a mechanism for sender-constraining tokens, whereas it looks like an AS also has a requirement to implement DPoP at the PAR endpoint in order to bind authorization codes.
My reading of the DPoP spec is that this is optional for Clients. Are we happy with this, or should we make it mandatory for Clients?
The DPoP spec says:
> Use of the dpop_jkt authorization request parameter is OPTIONAL. Note that the dpop_jkt authorization request parameter MAY also be used in combination with PKCE [RFC7636], which is recommended by [I-D.ietf-oauth-security-topics] **as a countermeasure to authorization code injection**.
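The PAR-endpoint rule quoted in this message (accept a DPoP proof header, a dpop_jkt parameter, or both, and reject the request when the two disagree) and the resulting binding of the authorization code to the client's key, as an added example in Python. It is not from this thread, the DPoP draft or any FAPI implementation. The endpoint and store names, the client_id, the sample key coordinates and the stand-in DPoP proof are assumptions; the proof is built without a real signature, and signature, htm/htu, iat and jti validation is assumed to be done by a separate verifier before the header key is trusted.

```python
import base64
import hashlib
import json
import secrets

# RFC 7638 thumbprint input: required public members per key type, in
# lexicographic order, serialised without whitespace, then SHA-256 hashed.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def thumbprint_input(jwk: dict) -> str:
    """Canonical JSON that RFC 7638 hashes; member order matters."""
    members = {m: jwk[m] for m in THUMBPRINT_MEMBERS[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """The value carried in dpop_jkt and later in the token's cnf.jkt."""
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest())


class OAuthError(Exception):
    """Raised with the OAuth error code the endpoint would return."""


def proof_key_thumbprint(dpop_proof: str) -> str:
    """Thumbprint of the public key in a DPoP proof's JOSE header.
    Assumption: signature, htm/htu, iat and jti were already verified elsewhere."""
    header_b64, _payload, _signature = dpop_proof.split(".")
    header = json.loads(b64url_decode(header_b64))
    jwk = header.get("jwk")
    if header.get("typ") != "dpop+jwt" or not isinstance(jwk, dict) or "d" in jwk:
        raise OAuthError("invalid_dpop_proof")   # no key, or a private key leaked into the header
    return jwk_thumbprint(jwk)


def par_endpoint(form: dict, headers: dict, par_store: dict) -> dict:
    """Pushed authorization request: DPoP header, dpop_jkt, or both; both must agree."""
    jkt_param = form.get("dpop_jkt")
    jkt_proof = proof_key_thumbprint(headers["DPoP"]) if "DPoP" in headers else None
    if jkt_param and jkt_proof and jkt_param != jkt_proof:
        raise OAuthError("invalid_request")      # dpop_jkt does not match the DPoP header key
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
    par_store[request_uri] = {"client_id": form["client_id"],
                              "code_challenge": form.get("code_challenge"),  # PKCE kept alongside
                              "jkt": jkt_proof or jkt_param}                 # None if neither was used
    return {"request_uri": request_uri, "expires_in": 60}


def issue_authorization_code(request_uri: str, par_store: dict, code_store: dict) -> str:
    """After user authorization the code inherits the thumbprint pushed at PAR time."""
    pushed = par_store.pop(request_uri)
    code = secrets.token_urlsafe(24)
    code_store[code] = {"client_id": pushed["client_id"], "jkt": pushed["jkt"]}
    return code


def token_endpoint(form: dict, headers: dict, code_store: dict) -> dict:
    """Code grant: the key proving possession now must be the key bound earlier."""
    grant = code_store.pop(form.get("code"), None)
    if grant is None or grant["client_id"] != form.get("client_id"):
        raise OAuthError("invalid_grant")
    presented_jkt = proof_key_thumbprint(headers["DPoP"])   # DPoP is required at the token endpoint here
    if grant["jkt"] is not None and grant["jkt"] != presented_jkt:
        raise OAuthError("invalid_grant")        # injected or stolen code redeemed with another key
    return {"token_type": "DPoP", "access_token": secrets.token_urlsafe(32),
            "cnf": {"jkt": presented_jkt}}


# --- constructed sample data (assumptions): not a real key pair, not a signed proof ---
def sample_ec_jwk(seed: str) -> dict:
    """Deterministic P-256-shaped public JWK whose coordinates are placeholder bytes."""
    x = hashlib.sha256((seed + "x").encode()).digest()
    y = hashlib.sha256((seed + "y").encode()).digest()
    return {"kty": "EC", "crv": "P-256", "x": b64url(x), "y": b64url(y)}


def sample_dpop_proof(jwk: dict, htm: str, htu: str) -> str:
    """header.payload.signature stand-in for a DPoP proof; the signature is a placeholder."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    payload = {"jti": secrets.token_urlsafe(12), "htm": htm, "htu": htu, "iat": 1656075222}
    segments = [json.dumps(header, separators=(",", ":")).encode(),
                json.dumps(payload, separators=(",", ":")).encode(), b"placeholder-signature"]
    return ".".join(b64url(s) for s in segments)


def run_flow(header_key, param_key, token_key) -> str:
    """PAR -> code -> token; None for header_key/param_key means that mechanism is unused.
    Returns 'ok' or the OAuth error code the AS would send."""
    par_store, code_store, client_id = {}, {}, "s6BhdRkqt3"
    form = {"client_id": client_id, "response_type": "code",
            "redirect_uri": "https://client.example.org/cb"}
    headers = {}
    if param_key is not None:
        form["dpop_jkt"] = jwk_thumbprint(param_key)
    if header_key is not None:
        headers["DPoP"] = sample_dpop_proof(header_key, "POST", "https://as.example.com/par")
    try:
        request_uri = par_endpoint(form, headers, par_store)["request_uri"]
        code = issue_authorization_code(request_uri, par_store, code_store)
        token_endpoint({"grant_type": "authorization_code", "code": code, "client_id": client_id},
                       {"DPoP": sample_dpop_proof(token_key, "POST", "https://as.example.com/token")},
                       code_store)
    except OAuthError as err:
        return str(err)
    return "ok"
```

The last case worth noticing is run_flow(None, None, key): with both PAR mechanisms optional for the client, a code pushed without either is not key-bound, and the token endpoint can only sender-constrain the resulting token, not detect code injection; that is the gap the message asks whether FAPI 2.0 should close by making one of the mechanisms mandatory.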