oauth2.dev

DPoP

IETF

Registry Context

DPoP is an OAuth access token type for sender-constrained access tokens bound to a client's proof-of-possession public key.

Technical Summary

RFC 9449 registers the OAuth Access Token Type name DPoP, with HTTP authentication scheme DPoP and no additional token endpoint response parameters. A token_type value of DPoP signals that the access token is bound to the client's DPoP key and is presented using the DPoP authentication scheme together with a valid DPoP proof.

When Used

Use DPoP when clients, authorization servers, and resource servers require proof-of-possession sender-constrained OAuth access tokens rather than bearer-only presentation.

Normative Requirements

Clients

MUST
3
  1. RFC 9449 - Section 5

    provide a valid DPoP proof JWT in a DPoP header.

    Condition: when requesting an access token bound to a public key using DPoP, regardless of grant type

    the client MUST provide a valid DPoP proof JWT in a DPoP header

  2. RFC 9449 - Section 5

    discard the access token response.

    Condition: when token_type is not DPoP and DPoP protection is deemed important for the application's security

    The client MUST discard the response in this case

  3. RFC 9449 - Section 7

    include both a DPoP proof and the access token.

    Condition: when making a request to a DPoP-protected resource

    Requests to DPoP-protected resources MUST include both a DPoP proof and the access token

RECOMMENDED
1
  1. RFC 9449 - Section 7.3

    generate a unique DPoP proof.

    Condition: when retrying an idempotent request after an HTTP error generally understood as transient

    It is RECOMMENDED that clients generate a unique DPoP proof

Authorization servers

MUST
4
  1. RFC 9449 - Section 5

    include token_type with the value DPoP in the access token response.

    Condition: when the access token was bound to the client's DPoP key

    A token_type of DPoP MUST be included in the access token response

  2. RFC 9449 - Section 5

    bind the refresh token to the respective public key.

    Condition: when supporting DPoP and issuing a refresh token to a public client that presented a valid DPoP proof at the token endpoint

    the refresh token MUST be bound to the respective public key

  3. RFC 9449 - Section 5

    validate the refresh token's public-key binding.

    Condition: when the refresh token is later presented to obtain new access tokens

    The binding MUST be validated when the refresh token is later presented

  4. RFC 9449 - Section 5.2

    reject token requests from the client that do not contain a DPoP header.

    Condition: when the client's dpop_bound_access_tokens client registration metadata value is true

    the authorization server MUST reject token requests from the client that do not contain the DPoP header

MAY
1
  1. RFC 9449 - Section 5

    issue an access token that is not DPoP-bound.

    An authorization server MAY elect to issue access tokens that are not DPoP bound

Resource servers

MUST NOT
1
  1. RFC 9449 - Section 7.1

    grant access to the resource.

    Condition: unless all DPoP access-token and proof checks are successful

    The resource server MUST NOT grant access to the resource unless all checks are successful.

MUST
3
  1. RFC 9449 - Section 6

    reliably identify whether an access token is DPoP-bound and ascertain sufficient information to verify its binding to the DPoP proof public key.

    Resource servers MUST be able to reliably identify whether an access token is DPoP-bound

  2. RFC 9449 - Section 6

    ensure that the public key from the DPoP proof matches the public key bound to the access token.

    Condition: when validating a DPoP-bound access token

    Resource servers supporting DPoP MUST ensure that the public key from the DPoP proof matches

  3. RFC 9449 - Section 7.1

    check that a DPoP proof was received, validate it under Section 4.3, and verify that its public key matches the access-token binding.

    Condition: when processing a DPoP-bound access token

    a resource server MUST check that a DPoP proof was also received

Servers

MUST
2
  1. RFC 9449 - Section 11.1

    accept DPoP proofs only for a limited time after their creation.

    Condition: to limit DPoP proof replay

    servers MUST only accept DPoP proofs for a limited time after their creation

  2. RFC 9449 - Section 4.3

    ensure that the DPoP proof satisfies the header cardinality, JWT syntax, required-claim, typ, alg, signature, public-key, method, URI, nonce, creation-time, and applicable access-token-binding checks listed in Section 4.3.

    Condition: when validating a DPoP proof

    To validate a DPoP proof, the receiving server MUST ensure the following

SHOULD
4
  1. RFC 9449 - Section 4.3

    apply syntax-based and scheme-based URI normalization before comparing the htu claim.

    Condition: to reduce false negatives during DPoP proof validation

    servers SHOULD employ syntax-based normalization and scheme-based normalization

  2. RFC 9449 - Section 7.1

    include an error authentication parameter indicating why the request was declined.

    Condition: when the request included an access token but failed authentication

    An error parameter SHOULD be included to indicate the reason why the request was declined

  3. RFC 9449 - Section 7.1

    include an algs authentication parameter listing acceptable JWS algorithms for DPoP proof JWTs.

    Condition: in a DPoP authentication challenge

    An algs parameter SHOULD be included

  4. RFC 9449 - Section 7.2

    use the challenge corresponding to the attempted authentication mechanism to deliver error information.

    Condition: when that mechanism can be established unambiguously

    the corresponding challenge SHOULD be used to deliver error information

MAY
8
  1. RFC 9449 - Section 11.1

    accept a DPoP proof whose iat value is in the reasonably near future.

    Condition: to accommodate clock offsets

    the server MAY accept DPoP proofs that carry an iat time in the reasonably near future

  2. RFC 9449 - Section 11.1

    limit DPoP proof lifetimes using server-provided nonce values containing server time.

    Condition: instead of comparing client-supplied iat with server time

    servers MAY limit DPoP proof lifetimes by using server-provided nonce values

  3. RFC 9449 - Section 7.1

    include a WWW-Authenticate header in responses to conditions other than missing, invalid, or insufficient credentials.

    Condition: when issuing a DPoP authentication challenge

    The server MAY include the WWW-Authenticate header in response to other conditions as well.

  4. RFC 9449 - Section 7.1

    include a realm authentication parameter.

    Condition: in a DPoP authentication challenge

    The authentication parameter realm MAY be included

  5. RFC 9449 - Section 7.1

    include a scope authentication parameter.

    Condition: in a DPoP authentication challenge

    A scope authentication parameter MAY be included

  6. RFC 9449 - Section 7.1

    include an error_description authentication parameter with a human-readable developer explanation.

    Condition: when an error parameter is included in a DPoP authentication challenge

    An error_description parameter MAY be included along with the error parameter

  7. RFC 9449 - Section 7.1

    use additional authentication parameters.

    Condition: in a DPoP authentication challenge

    Additional authentication parameters MAY be used

  8. RFC 9449 - Section 7.2

    use both Bearer and DPoP challenges to deliver error information.

    Condition: when the attempted authentication mechanism cannot be established unambiguously

    both Bearer and DPoP challenges MAY be used to deliver error information

Challenges

SHOULD NOT
1
  1. RFC 9449 - Section 7.2

    include an error code or other error information.

    Condition: when no authentication information was included with the request

    the challenges SHOULD NOT include an error code or other error information

DPoP authentication scheme

MUST NOT
1
  1. RFC 9449 - Section 7.1

    be used with Proxy-Authenticate or Proxy-Authorization header fields.

    Condition: because the scheme is only for origin-server authentication

    this authentication scheme MUST NOT be used with the Proxy-Authenticate or Proxy-Authorization header fields

DPoP HTTP header field

MUST
1
  1. RFC 9449 - Section 5

    contain a valid DPoP proof JWT.

    Condition: in a DPoP access token request

    The DPoP HTTP header field MUST contain a valid DPoP proof JWT.

DPoP proofs

MUST
3
  1. RFC 9449 - Section 4.2

    contain an ath claim.

    Condition: when used with an access token for protected resource access

    the DPoP proof MUST also contain the following claim

  2. RFC 9449 - Section 4.2

    contain a nonce claim carrying a recent nonce from the DPoP-Nonce response header.

    Condition: when the authorization server or resource server provided a DPoP-Nonce header

    the DPoP proof MUST also contain the following claim

  3. RFC 9449 - Section 7

    include the ath claim containing a valid hash of the associated access token.

    Condition: when used to access a DPoP-protected resource

    The DPoP proof MUST include the ath claim with a valid hash

MAY
1
  1. RFC 9449 - Section 4.2

    contain additional JOSE header parameters or claims.

    Condition: as defined by an extension, profile, or deployment-specific requirement

    A DPoP proof MAY contain other JOSE Header Parameters or claims

ath claim value

MUST
1
  1. RFC 9449 - Section 4.2

    be the base64url-encoded SHA-256 hash of the ASCII encoding of the associated access-token value.

    Condition: when included in a DPoP proof

    The value MUST be the result of a base64url encoding the SHA-256 hash

DPoP proof alg parameter

MUST NOT
1
  1. RFC 9449 - Section 4.2

    identify none or a symmetric signature algorithm.

    It MUST NOT be none or an identifier for a symmetric algorithm

DPoP proof JOSE header

MUST
1
  1. RFC 9449 - Section 4.2

    contain at least typ, alg, and jwk parameters, with typ equal to dpop+jwt.

    The JOSE Header of a DPoP JWT MUST contain at least the following parameters

DPoP proof jti value

MUST
1
  1. RFC 9449 - Section 4.2

    be assigned with negligible probability of duplication in the same context during its validity window.

    The value MUST be assigned such that there is a negligible probability

DPoP proof jwk parameter

MUST NOT
1
  1. RFC 9449 - Section 4.2

    contain a private key.

    It MUST NOT contain a private key.

DPoP proof payload

MUST
1
  1. RFC 9449 - Section 4.2

    contain at least the jti, htm, htu, and iat claims.

    The payload of a DPoP proof MUST contain at least the following claims

protected resource supporting both DPoP and Bearer

MUST
1
  1. RFC 9449 - Section 7.2

    reject a DPoP-bound access token received using the Bearer authentication scheme.

    such a protected resource MUST reject a DPoP-bound access token received as a bearer token

RECOMMENDED
1
  1. RFC 9449 - Section 7.2

    follow the specified rules for selecting which authentication challenge carries error information.

    Condition: when responding with multiple WWW-Authenticate challenges

    It is RECOMMENDED that the following rules be adhered to

public client

MUST
1
  1. RFC 9449 - Section 5

    present a DPoP proof for the same key used to obtain the refresh token.

    Condition: each time the DPoP-bound refresh token is used to obtain a new access token

    such a client MUST present a DPoP proof for the same key

recipient

MUST
1
  1. RFC 9449 - Section 7.1

    ignore unknown authentication parameters.

    Condition: when processing a DPoP authentication challenge

    unknown parameters MUST be ignored by recipients

Validation Guidance

error

For an access token bound to the client's DPoP key, require token_type to be exactly DPoP in the token response.

error

Reject a DPoP token request when the DPoP header is absent or does not contain a valid DPoP proof JWT.

error

When dpop_bound_access_tokens client registration metadata is true, reject token requests from that client that omit the DPoP header.

error

For a public-client DPoP refresh-token flow, verify the refresh-token key binding and require a proof using the originally bound key.

error

When DPoP protection is required by the client, discard a response whose token_type is not DPoP.

error

For protected resource access, require the access token using the DPoP authentication scheme, a DPoP proof, and an ath value matching that access token.

error

Deny resource access unless proof validation and access-token public-key binding checks all succeed.

error

Validate DPoP proof syntax, required JOSE parameters and claims, algorithm restrictions, signature, request method and URI, nonce when supplied, and acceptable creation time.

error

Reject requests containing more than one DPoP header or a DPoP header value that is not one well-formed JWT.

error

Do not accept a DPoP jwk containing private key material.

error

Do not use or accept the DPoP authentication scheme through Proxy-Authenticate or Proxy-Authorization.

warning

When a request included an access token but failed DPoP authentication, include an error parameter in the challenge and advertise acceptable proof algorithms using algs.

error

Ignore unknown authentication parameters in DPoP challenges.

warning

Apply syntax-based and scheme-based URI normalization before comparing htu values.

error

Accept DPoP proofs only within a limited validity window after creation.

error

A protected resource supporting both DPoP and Bearer must reject a DPoP-bound token presented using the Bearer scheme.

warning

Generate a new DPoP proof when retrying an idempotent protected-resource request after a transient HTTP error.

info

Treat dpop_signing_alg_values_supported as authorization server metadata and dpop_bound_access_tokens as client registration metadata.

info

The OAuth Access Token Types registration for DPoP has HTTP authentication scheme DPoP and no additional token endpoint response parameters.

Security Notes

RFC 9449 - Section 11.1

A captured DPoP proof can be replayed at the same endpoint. Servers must limit the time for which proofs are accepted; tracking jti values and rejecting duplicates can provide stronger replay protection where shared state is feasible.

RFC 9449 - Section 7

The ath claim binds a proof to one access-token value, preventing substitution between different or rotated access tokens, but it does not by itself prevent proof replay or bind the proof to the request method and URI.

Reference

Details

Entry Id
DPoP
Name
DPoP
Http Authentication Scheme
DPoP
Change Controller
IETF
Reference
RFC9449