support dPoP protocol #54

damooo · 2021-12-06T15:02:59Z

Hello, thanks for your work

It would be great, if library can support dPoP protocol. (OAuth 2.0 Demonstrating Proof-of-Possession )

dPoP is now fairly de-facto standard to bind access token to petticoat client and ensure, stolen access tokens doesn't cause any damage.

And solid protocol, which enables decentralised identity and collaboration over personal resources, it mandates to use dPoP for example.

ramosbugs · 2021-12-06T20:01:31Z

this seems like a reasonable enhancement to this crate, although the standard looks like it's still in a draft state: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04. are there any major OpenID Connect providers using this yet?

damooo · 2021-12-07T11:28:13Z

Yes, though in draft stage, it is fairly used in production. Auth0 supports it. And SOLID-OIDCmandates it, as it supports decentralised identity.

damooo · 2021-12-21T11:46:41Z

@ramosbugs , _/_ you can see dPoP being listed in OAuth Working Group Specifications too.

Gearme · 2023-04-11T15:41:03Z

I put together an MVP draft for a bare minimum of DPoP functionality, feedback welcome.

Gearme mentioned this issue Apr 11, 2023

MVP for client-side DPoP Header support #109

Draft

ramosbugs mentioned this issue Apr 7, 2024

DPoP support ramosbugs/oauth2-rs#265

Open

Provide feedback