Securing the Tokens with Demonstration of Proof-of-Possession at the Application Layer (DPoP)

The following Medium post will help you understand the details of “OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)”. The post mainly focuses on the access token, but the RFC mentions that DPoP can be used with both access and refresh tokens.

Medium post: Illustrated DPoP (OAuth Access Token Security Enhancement) | by Takahiko Kawasaki | Medium

"This article explains a specification called “DPoP”, OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer.

The specification defines a mechanism to prevent illegal API calls from succeeding only with a stolen access token.

In the traditional mechanism, API access is allowed only if the access token presented by the client application is valid. However, if a mechanism of PoP (Proof of Possession) such as DPoP is employed, the API implementation additionally checks whether the client application presenting the access token is the valid owner of the access token (= whether the client application is the same one that the access token has been issued to). If the client is not the valid owner of the access token, the API access is rejected. …"

I recommend reading the following link after the Medium post. The post helped me to understand it better.

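The "valid owner" check the quoted article describes, as an added example that is not code from the Medium post, Keycloak or WSO2: the authorization server binds the access token to the client's public key by putting the key's RFC 7638 thumbprint in the token's cnf.jkt claim, and the resource server then verifies the client's DPoP proof JWT (typ dpop+jwt, claims jti/htm/htu/iat) against that thumbprint, the request method and the request URI. It assumes the resource server has already validated the access token and extracted cnf.jkt from it; the URLs and jti values in the test are constructed.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/sha256"
	"encoding/base64"; "encoding/json"; "fmt"; "math/big"; "strings"
)

var b64 = base64.RawURLEncoding
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
func coord(n *big.Int) string   { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
func pubToJWK(p *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256", "x": coord(p.X), "y": coord(p.Y)}
}
// thumbprint (RFC 7638): SHA-256 over the required members in lexicographic order with no whitespace (which is
// exactly how json.Marshal serialises a map). The authorization server puts this value in the token's cnf.jkt.
func thumbprint(k map[string]string) string {
	c, _ := json.Marshal(map[string]string{"crv": k["crv"], "kty": k["kty"], "x": k["x"], "y": k["y"]})
	h := sha256.Sum256(c)
	return b64.EncodeToString(h[:])
}
// signProof is the client side: an ES256 JWS over the request the client is about to make.
func signProof(priv *ecdsa.PrivateKey, jti, htm, htu string, iat int64) string {
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": pubToJWK(&priv.PublicKey)})
	pl, _ := json.Marshal(map[string]any{"jti": jti, "htm": htm, "htu": htu, "iat": iat})
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(in))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:]) // JWS ES256 signatures are raw r||s, not DER
	return in + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...))
}
// verifyProof is the resource-server side: the proof must be for this request, validly signed by the key it
// carries, and that key's thumbprint must equal the cnf.jkt the access token was issued with.
func verifyProof(proof, htm, htu, tokenJKT string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 { return fmt.Errorf("malformed proof") }
	var hdr struct{ Typ, Alg string; JWK map[string]string }
	var pl struct{ Htm, Htu string; Iat int64 }
	hb, e1 := b64.DecodeString(parts[0])
	pb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &pl) != nil { return fmt.Errorf("undecodable proof") }
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" || len(sig) != 64 { return fmt.Errorf("unsupported proof format") }
	if thumbprint(hdr.JWK) != tokenJKT { return fmt.Errorf("proof key is not the key the access token is bound to") } // stolen token, other key
	if pl.Htm != htm || pl.Htu != htu { return fmt.Errorf("proof was made for a different request") } // proof reused elsewhere
	xb, _ := b64.DecodeString(hdr.JWK["x"]); yb, _ := b64.DecodeString(hdr.JWK["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) { return fmt.Errorf("proof signature invalid") }
	return nil // a production server also checks iat freshness and rejects replayed jti values
}
func main() { fmt.Println(verifyProof(signProof(newKey(), "jti-1", "GET", "https://rs.example/r", 1700000000), "GET", "https://rs.example/r", "not-the-bound-jkt")) }
```

The iat freshness window and the jti replay cache are left out for brevity; without them a captured proof stays valid for the same method and URI.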

Is there any indication of when/if Keycloak will support DPoP?

Also interested to know if/when it could fit into KeyCloak.

Despite it still being a draft RFC (so probably subject to some changes), it might get more support even just by being experimental in Keycloak.

To me, DPoP really addresses a lot of concerns for the client credentials flow.

Thought I’d bump this thread up to see if anyone has been working on DPoP support since the OP?

Yes, please check this link - DPoP design draft by dteleguin · Pull Request #254 · keycloak/keycloak-community · GitHub

WSO2 Identity Server now supports DPoP.