oauth2.dev

ath

IETF

Registry Context

The `ath` claim binds a DPoP proof to a specific access token by carrying a base64url-encoded SHA-256 hash of the token value.

Technical Summary

In a DPoP proof used for protected resource access, `ath` contains the base64url encoding of the SHA-256 hash of the ASCII encoding of the associated access token's value.

When Used

When a DPoP proof accompanies an access token in a request to a DPoP-protected resource.

Normative Requirements

Clients

MUST (3)
  1. RFC 9449 - Section 4.2

    Include the `ath` claim in the DPoP proof.

    Condition: When the proof is used with the presentation of an access token in protected resource access.

    the DPoP proof MUST also contain the following claim: ath

  2. RFC 9449 - Section 4.2

    Set `ath` to the base64url encoding (unpadded, per RFC 7515 Section 2) of the SHA-256 hash of the ASCII encoding of the associated access token's value.

    Condition: When generating the `ath` claim.

    The value MUST be the result of a base64url encoding ... the SHA-256 hash of the ASCII encoding of the associated access token's value.

  3. RFC 9449 - Section 7

    Include an `ath` claim containing a valid hash of the associated access token in the DPoP proof.

    Condition: For a request to a DPoP-protected resource.

    The DPoP proof MUST include the ath claim with a valid hash of the associated access token.

Servers

MUST (1)
  1. RFC 9449 - Section 4.3

    Ensure that `ath` equals the hash of the presented access token.

    Condition: When validating a DPoP proof presented to a protected resource with an access token.

    the receiving server MUST ensure ... the value of the ath claim equals the hash of that access token

Validation Guidance

error

Reject a DPoP proof accompanying an access token in protected resource access if `ath` is absent.

error

Calculate `ath` as base64url(SHA-256(ASCII(access token value))), using unpadded base64url as in RFC 7515, and compare the resulting string with the claim value. Compare the canonical encoding as-is rather than normalizing the presented value (a padded or differently alphabet-encoded value is a mismatch), and use a constant-time comparison.

error

Reject the proof if its `ath` value does not equal the hash of the presented access token.
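The three checks above, carried out on the decoded header and claims of a DPoP proof presented to a protected resource, as an added example (not code from oauth2.dev or RFC 9449). It assumes the proof's JWS signature has already been verified against the `jwk` in its header and that the caller passes the request URI with query and fragment stripped; the sample token, JWK and claim values are constructed for illustration and the JWK coordinates are not a real key. Beyond `ath` itself it also shows the companion checks a resource server runs in the same pass (`typ`, `htm`, `htu`, `iat`, `jti`, and the RFC 7638 thumbprint match against the token's `cnf.jkt`):

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_nopad(data: bytes) -> str:
    # base64url as in RFC 7515 Section 2: URL-safe alphabet, no '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_ath(access_token: str) -> str:
    # ath = base64url(SHA-256(ASCII(access token value)))  (RFC 9449 Section 4.2)
    return b64url_nopad(hashlib.sha256(access_token.encode("ascii")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638 thumbprint: SHA-256 over the required members only,
    # lexically ordered, no whitespace.
    required = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url_nopad(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_ath(claims: dict, access_token: str) -> tuple:
    """Reject if ath is absent, and reject if it differs from the
    canonical hash of the presented token (no normalization of padding)."""
    ath = claims.get("ath")
    if not isinstance(ath, str):
        return False, "ath absent or not a string"
    expected = compute_ath(access_token)
    if not hmac.compare_digest(expected.encode("utf-8"), ath.encode("utf-8")):
        return False, "ath does not match hash of presented access token"
    return True, "ok"


def validate_resource_proof(header: dict, claims: dict, method: str,
                            target_uri: str, access_token: str,
                            token_jkt: str, now=None, max_skew=300) -> tuple:
    """Resource-server checks from RFC 9449 Section 4.3 for a proof that
    accompanies an access token. Signature verification is assumed done."""
    now = time.time() if now is None else now
    if header.get("typ") != "dpop+jwt":
        return False, "typ is not dpop+jwt"
    if claims.get("htm") != method:
        return False, "htm does not match request method"
    # Assumption: target_uri already has query and fragment removed.
    if claims.get("htu") != target_uri:
        return False, "htu does not match request URI"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > max_skew:
        return False, "iat outside acceptable window"
    if not isinstance(claims.get("jti"), str):
        # A replay cache keyed on jti is deployment-specific and omitted here.
        return False, "jti missing"
    ok, reason = check_ath(claims, access_token)
    if not ok:
        return False, reason
    # The key the proof was signed with must be the key the token is bound to.
    if jwk_thumbprint(header["jwk"]) != token_jkt:
        return False, "proof key does not match token cnf.jkt"
    return True, "ok"


# Constructed sample input (not real keys or tokens).
SAMPLE_TOKEN = "constructed-access-token-value"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
SAMPLE_CLAIMS = {
    "jti": "constructed-jti-1",
    "htm": "GET",
    "htu": "https://rs.example/resource",
    "iat": 1700000000,
    "ath": compute_ath(SAMPLE_TOKEN),
}

if __name__ == "__main__":
    print(validate_resource_proof(
        SAMPLE_HEADER, SAMPLE_CLAIMS, "GET", "https://rs.example/resource",
        SAMPLE_TOKEN, jwk_thumbprint(SAMPLE_JWK), now=SAMPLE_CLAIMS["iat"]))
```

`check_ath` deliberately compares the canonical string rather than decoding and re-encoding the presented value: accepting `ath` values with padding or a non-URL-safe alphabet would create two encodings for the same hash and invite inconsistent behaviour between validators.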

Security Notes

RFC 9449 - Section 7

Binding the proof to the hash of the token value means a captured proof cannot be combined with a different access token in another request; because the proof carries only the hash, the token value itself is not exposed by the proof.

RFC 9449 - Section 7

The `ath` claim alone does not prevent replay of a captured proof or bind the proof to its request. A validator must still check `htm` and `htu` against the actual request, that `iat` falls within an acceptable window, that `jti` has not been seen before (and that any server-provided `nonce` matches), and, per Section 4.3, that the public key in the proof's `jwk` header is the key the access token is bound to (`cnf.jkt`).

Reference

Details

Entry Id
ath
Claim Name
ath
Claim Description
The base64url-encoded SHA-256 hash of the ASCII encoding of the associated access token's value
Change Controller
IETF
Reference
RFC 9449 - Section 4.2