Overview

OAuth 2.0 Proof-of-Possession (PoP) Security Architecture is defined in an Internet Draft (https://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-02).
The OAuth 2.0 bearer token specification, as defined in RFC 6750, allows any party in possession of a bearer token (a "bearer") to access the associated resources, without demonstrating possession of a cryptographic key. To prevent misuse, bearer tokens must be protected from disclosure both in transit and at rest.
Some scenarios demand additional security protection whereby a client needs to demonstrate possession of cryptographic keying material when accessing a protected resource. This document motivates the development of the OAuth 2.0 proof-of-possession security mechanism.
OAuth 2.0 Proof-of-Possession (PoP) Security Architecture outlines:
- use cases requiring stronger security protection
- the security and privacy threats
- different ways to mitigate those threats
- the requirements on the architecture
- threat mitigation
- an architecture for a solution that builds on top of the existing OAuth 2.0 framework
Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) (RFC 7800) describes how a JSON Web Token (JWT) can declare that the presenter of the JWT possesses a particular proof-of-possession (PoP) key, and how the recipient can cryptographically confirm that the presenter possesses that key.
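The following is an added example (not code from the draft or RFC 7800) of the flow described above: the authorization server issues a JWT carrying a `cnf` claim, the client proves possession of the confirmation key on each request, and the resource server rejects a bare "bearer" that holds only the token. It assumes a symmetric PoP key pre-shared between client and resource server and referenced by `kid` (the key-ID form of `cnf`), an HS256-signed JWT, and a server-issued nonce; all keys, names and URLs are constructed.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed sample keys. AS_RS_KEY signs the JWT (HS256, shared by AS and RS);
# the PoP key is pre-shared between client and RS and referenced by "kid" in "cnf".
AS_RS_KEY = b"constructed-authorization-server-signing-key"
POP_KEYS = {"client-pop-key-1": b"constructed-client-pop-key"}
AUDIENCE = "https://rs.example"  # constructed resource server identifier

def issue_pop_jwt(subject: str, pop_kid: str) -> str:
    """Authorization server: issue a JWT whose cnf claim binds it to a PoP key."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": AUDIENCE, "cnf": {"kid": pop_kid}}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(AS_RS_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def prove_possession(pop_key: bytes, nonce: str, method: str, uri: str) -> str:
    """Client: MAC over the server nonce and the request; needs the PoP key, not just the token."""
    msg = f"{nonce}\n{method}\n{uri}".encode()
    return b64url(hmac.new(pop_key, msg, hashlib.sha256).digest())

def verify_request(token: str, proof: str, nonce: str, method: str, uri: str) -> bool:
    """Resource server: accept only if the JWT is genuine AND the presenter proved the cnf key."""
    try:
        h, c, s = token.split(".")
        sig = b64url_decode(s)
    except ValueError:
        return False
    expected = hmac.new(AS_RS_KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False  # forged or tampered token; do not trust its claims
    try:
        claims = json.loads(b64url_decode(c))
    except ValueError:
        return False
    if claims.get("aud") != AUDIENCE:
        return False
    pop_key = POP_KEYS.get(claims.get("cnf", {}).get("kid"))
    if pop_key is None:
        return False  # unknown confirmation key
    return hmac.compare_digest(prove_possession(pop_key, nonce, method, uri), proof)

if __name__ == "__main__":
    token = issue_pop_jwt("alice", "client-pop-key-1")
    nonce = secrets.token_urlsafe(16)
    proof = prove_possession(POP_KEYS["client-pop-key-1"], nonce, "GET", "/resource")
    print(verify_request(token, proof, nonce, "GET", "/resource"))  # True
    # A party that captured only the token and an old proof cannot answer a fresh nonce.
    print(verify_request(token, proof, secrets.token_urlsafe(16), "GET", "/resource"))  # False
```

The nonce binds each proof to one request, so a replayed token-plus-proof pair fails the same way a stolen token does.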