Overview#OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP), an Internet Draft, defines a relatively simple application-level mechanism for sender-constraining OAuth access and refresh tokens.
It enables a client to demonstrate proof-of-possession of a public/Private Key pair by including the "DPoP" header in an HTTP Request. Using that header, an Authorization Server is able to bind issued tokens to the public part of the client's key pair. Recipients of such tokens are then able to verify the binding of the token to the key pair that the client has demonstrated that it holds via the "DPoP" header, thereby providing some assurance that the client presenting the token also possesses the Private Key. In other words, the legitimate presenter of the token is constrained to be the sender that holds and can prove possession of the private part of the key pair.
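The binding check a resource server performs when it receives a DPoP-bound access token, as an added example that is not part of the original page or of the draft's own text: the key carried in the "DPoP" proof's header is thumbprinted (RFC 7638) and compared with the token's cnf.jkt claim, and the proof's htm/htu/iat/jti claims are checked against the request. It assumes the proof's JWS signature has already been verified with the embedded key; the JWK coordinates and token values are constructed placeholders, not real key material.

```python
import base64
import hashlib
import json

def jwk_thumbprint(jwk):
    """RFC 7638 JWK thumbprint: SHA-256 over the required public members, sorted keys, compact JSON."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def check_dpop_binding(proof_header, proof_claims, token_claims, method, url, now, seen_jti, max_skew=60):
    """Resource-server checks tying a presented access token to the DPoP proof sent with it.
    Assumes the proof signature was already verified with proof_header["jwk"].
    Returns None when the binding holds, otherwise a short reason string."""
    if proof_header.get("typ") != "dpop+jwt":
        return "typ must be dpop+jwt"
    if proof_header.get("alg") in (None, "none") or proof_header["alg"].startswith("HS"):
        return "alg must be an asymmetric JWS algorithm"
    jwk = proof_header.get("jwk")
    if not jwk or "d" in jwk:  # a private member in the proof key is a client bug; reject it
        return "proof must carry a public JWK"
    # htu is the request URI without query and fragment; htm is the HTTP method
    if proof_claims.get("htm") != method or proof_claims.get("htu") != url:
        return "htm/htu do not match this request"
    if abs(now - proof_claims.get("iat", 0)) > max_skew:
        return "proof is too old or too far in the future"
    jti = proof_claims.get("jti")
    if not jti or jti in seen_jti:  # seen_jti is the server's replay cache for recent proofs
        return "jti missing or replayed"
    seen_jti.add(jti)
    if token_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(jwk):
        return "access token is bound to a different key"
    return None

# Constructed sample values (placeholders, not real keys or tokens).
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "client-x-placeholder", "y": "client-y-placeholder"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x-placeholder", "y": "other-y-placeholder"}
ACCESS_TOKEN_CLAIMS = {"sub": "alice", "aud": "https://rs.example", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}}
PROOF_HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": CLIENT_JWK}
PROOF_CLAIMS = {"jti": "proof-id-placeholder", "htm": "GET", "htu": "https://rs.example/resource", "iat": 1562262616}
```

A token replayed by a party that does not hold the client's private key fails either at signature verification or at the jkt comparison, which is the sender-constraint the draft describes.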
More Information#There might be more information for this subject on one of the following:
- [#1] - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (Expired)- based on information obtained 2019-05-02
- [#2] - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - based on information obtained 2020-05-02