Overview

The OAuth 2.0 Proof-of-Possession (PoP) Security Architecture is defined in an Internet Draft (https://tools.ietf.org/html/draft-hunt-oauth-pop-architecture-04).
The OAuth 2.0 Bearer Token specification, as defined in RFC 6750, allows any party in possession of a Bearer Token (a "bearer") to access the associated Protected Resource. To prevent misuse, Bearer Tokens must be protected from disclosure in transit and at rest.
The OAuth 2.0 Proof-of-Possession (PoP) Security Architecture extends Bearer Token security by requiring the client to demonstrate possession of a key when accessing a Protected Resource.
Some scenarios demand additional security protection whereby a client needs to demonstrate possession of cryptographic keying material when accessing a protected resource. The draft motivates the development of the OAuth 2.0 proof-of-possession security mechanism.
The OAuth 2.0 Proof-of-Possession (PoP) Security Architecture draft:
- describes use cases requiring stronger security protection
- describes security and privacy threats
- proposes different ways to mitigate those threats
- lists requirements for the architecture
- discusses threat mitigation
- outlines an architecture for a solution that builds on top of the existing OAuth 2.0 framework
Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) (RFC 7800) describes how a JSON Web Token (JWT) can declare that the presenter of the JWT possesses a particular proof-of-possession (PoP) key and how the recipient can cryptographically confirm proof-of-possession of the key by the presenter.
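The confirmation mechanism RFC 7800 describes, as an added example that is not code from the draft, from RFC 7800 or from any project: an authorization server issues a JWT carrying a "cnf" claim that names the client's PoP key by "kid" (the key-identifier confirmation method of RFC 7800 section 3.4), the client proves possession of that key on each request, and the resource server accepts the request only when both the token signature and the possession proof check out. It uses symmetric HMAC keys so that it runs on the Python standard library alone; the AS_SIGNING_KEY, the POP_KEYS store, the issuer URL and the fields covered by the per-request proof (method, URI, timestamp, hash of the token) are constructed assumptions of this example, not a format the draft defines.

```python
# Added example (not from the draft or RFC 7800): an RFC 7800-style "cnf"
# claim with a symmetric PoP key referenced by "kid", standard library only.
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secrets for the example; not real key material.
AS_SIGNING_KEY = b"constructed-authorization-server-hmac-key"  # AS/RS shared HS256 key
POP_KEYS = {"pop-key-1": b"constructed-client-pop-key"}        # RS store of PoP keys by kid


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact-serialized JWT signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    def enc(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature is valid and alg is HS256, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
        signing_input = (h + "." + p).encode("ascii")
    except (ValueError, UnicodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # refuse algorithm substitution (e.g. "none")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, sig) else None


def issue_pop_token(sub: str, pop_kid: str, now: int) -> str:
    """Authorization server: issue an access token bound to a PoP key via "cnf"."""
    claims = {
        "iss": "https://as.example",  # constructed issuer
        "sub": sub,
        "exp": now + 300,
        "cnf": {"kid": pop_kid},      # RFC 7800: confirmation by key identifier
    }
    return hs256_jwt(claims, AS_SIGNING_KEY)


def make_proof(token: str, pop_key: bytes, method: str, uri: str, ts: int) -> str:
    """Client: prove possession of the PoP key for this specific request.
    The covered fields are an assumption of this example; the draft fixes no wire format."""
    token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
    msg = "\n".join([method, uri, str(ts), token_hash]).encode("utf-8")
    return b64url(hmac.new(pop_key, msg, hashlib.sha256).digest())


def verify_request(token: str, proof: str, method: str, uri: str,
                   ts: int, now: int, max_skew: int = 60) -> bool:
    """Resource server: accept only if the token verifies AND the presenter
    proves possession of the key named in its "cnf" claim."""
    claims = verify_hs256_jwt(token, AS_SIGNING_KEY)
    if claims is None or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False
    cnf = claims.get("cnf")
    pop_key = POP_KEYS.get(cnf.get("kid")) if isinstance(cnf, dict) else None
    if pop_key is None or abs(now - ts) > max_skew:
        return False  # unknown key, or proof too old to be fresh
    expected = make_proof(token, pop_key, method, uri, ts)
    return hmac.compare_digest(expected.encode("utf-8"), proof.encode("utf-8"))


def demo() -> dict:
    """Constructed scenario: the legitimate client versus a party holding only the token."""
    now = 1_700_000_000
    token = issue_pop_token("alice", "pop-key-1", now)
    good = make_proof(token, POP_KEYS["pop-key-1"], "GET", "/resource", now)
    wrong = make_proof(token, b"attacker-guessed-key", "GET", "/resource", now)
    return {
        "legitimate": verify_request(token, good, "GET", "/resource", now, now),
        "token_only": verify_request(token, "", "GET", "/resource", now, now),
        "wrong_key": verify_request(token, wrong, "GET", "/resource", now, now),
        "replayed_elsewhere": verify_request(token, good, "GET", "/other", now, now),
        "stale": verify_request(token, good, "GET", "/resource", now, now + 120),
        "expired": verify_request(token, good, "GET", "/resource", now + 400, now + 400),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} accepted={accepted}")
```

The contrast with RFC 6750 is the "token_only" and "wrong_key" cases: a bearer token alone would have been accepted, whereas here a presenter who has the token but not the key named in "cnf" is refused. Binding the proof to the method, URI and a fresh timestamp is what makes a captured proof useless for a different resource or a later replay.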