OAuth 2.0 Proof-of-Possession (PoP) Security Architecture


OAuth 2.0 Proof-of-Possession (PoP) Security Architecture is defined is an Internet Draft (https://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-02])

The OAuth 2.0 bearer token specification, as defined in RFC 6750, allows any party in possession of a Bearer Token (a "bearer") to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, Bearer Token must to be protected from disclosure in transit and at rest.

Some scenarios demand additional security protection whereby a client needs to demonstrate possession of cryptographic keying material when accessing a protected resource. This document motivates the development of the OAuth 2.0 proof-of-possession security mechanism.

OAuth 2.0 Proof-of-Possession (PoP) Security Architecture outlines

  • use cases requiring stronger security protection:
  • Describes Security and Privacy Threats
  • proposes different ways to mitigate those threats
  • lists requirements of the Architecture.
  • Discusses Threat Mitigation
  • Outlines an architecture for a solution that builds on top of the existing OAuth 2.0 framework

OAuth 2.0 Proof-of-Possession (PoP) Security Architecture is a Proof-of-Possession Architecture for OAuth 2.0.

Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) (RFC 7800) describes how a JSON Web Token (JWT) can declare that the presenter of the JWT possesses a particular proof-of-Possession (PoP) key and that the recipient can cryptographically confirm proof-of-Possession of the key by the presenter.

More Information#

There might be more information for this subject on one of the following: