DPoP
Registry Context
DPoP is an OAuth access token type for sender-constrained access tokens bound to a client's proof-of-possession public key.
Technical Summary
RFC 9449 registers the OAuth Access Token Type name DPoP, with HTTP authentication scheme DPoP and no additional token endpoint response parameters. A token_type value of DPoP signals that the access token is bound to the client's DPoP key and is presented using the DPoP authentication scheme together with a valid DPoP proof.
When Used
Use DPoP when clients, authorization servers, and resource servers require proof-of-possession sender-constrained OAuth access tokens rather than bearer-only presentation.
Normative Requirements
Clients
RFC 9449 - Section 5
provide a valid DPoP proof JWT in a DPoP header.
Condition: when requesting an access token bound to a public key using DPoP, regardless of grant type
the client MUST provide a valid DPoP proof JWT in a DPoP header
RFC 9449 - Section 5
discard the access token response.
Condition: when token_type is not DPoP and DPoP protection is deemed important for the application's security
The client MUST discard the response in this case
RFC 9449 - Section 7
include both a DPoP proof and the access token.
Condition: when making a request to a DPoP-protected resource
Requests to DPoP-protected resources MUST include both a DPoP proof and the access token
RFC 9449 - Section 7.3
generate a unique DPoP proof.
Condition: when retrying an idempotent request after an HTTP error generally understood as transient
It is RECOMMENDED that clients generate a unique DPoP proof
Authorization servers
RFC 9449 - Section 5
include token_type with the value DPoP in the access token response.
Condition: when the access token was bound to the client's DPoP key
A token_type of DPoP MUST be included in the access token response
RFC 9449 - Section 5
bind the refresh token to the respective public key.
Condition: when supporting DPoP and issuing a refresh token to a public client that presented a valid DPoP proof at the token endpoint
the refresh token MUST be bound to the respective public key
RFC 9449 - Section 5
validate the refresh token's public-key binding.
Condition: when the refresh token is later presented to obtain new access tokens
The binding MUST be validated when the refresh token is later presented
RFC 9449 - Section 5.2
reject token requests from the client that do not contain a DPoP header.
Condition: when the client's dpop_bound_access_tokens client registration metadata value is true
the authorization server MUST reject token requests from the client that do not contain the DPoP header
RFC 9449 - Section 5
issue an access token that is not DPoP-bound.
An authorization server MAY elect to issue access tokens that are not DPoP bound
Resource servers
RFC 9449 - Section 7.1
grant access to the resource.
Condition: unless all DPoP access-token and proof checks are successful
The resource server MUST NOT grant access to the resource unless all checks are successful.
RFC 9449 - Section 6
reliably identify whether an access token is DPoP-bound and ascertain sufficient information to verify its binding to the DPoP proof public key.
Resource servers MUST be able to reliably identify whether an access token is DPoP-bound
RFC 9449 - Section 6
ensure that the public key from the DPoP proof matches the public key bound to the access token.
Condition: when validating a DPoP-bound access token
Resource servers supporting DPoP MUST ensure that the public key from the DPoP proof matches
RFC 9449 - Section 7.1
check that a DPoP proof was received, validate it under Section 4.3, and verify that its public key matches the access-token binding.
Condition: when processing a DPoP-bound access token
a resource server MUST check that a DPoP proof was also received
Servers
RFC 9449 - Section 11.1
accept DPoP proofs only for a limited time after their creation.
Condition: to limit DPoP proof replay
servers MUST only accept DPoP proofs for a limited time after their creation
RFC 9449 - Section 4.3
ensure that the DPoP proof satisfies the header cardinality, JWT syntax, required-claim, typ, alg, signature, public-key, method, URI, nonce, creation-time, and applicable access-token-binding checks listed in Section 4.3.
Condition: when validating a DPoP proof
To validate a DPoP proof, the receiving server MUST ensure the following
RFC 9449 - Section 4.3
apply syntax-based and scheme-based URI normalization before comparing the htu claim.
Condition: to reduce false negatives during DPoP proof validation
servers SHOULD employ syntax-based normalization and scheme-based normalization
RFC 9449 - Section 7.1
include an error authentication parameter indicating why the request was declined.
Condition: when the request included an access token but failed authentication
An error parameter SHOULD be included to indicate the reason why the request was declined
RFC 9449 - Section 7.1
include an algs authentication parameter listing acceptable JWS algorithms for DPoP proof JWTs.
Condition: in a DPoP authentication challenge
An algs parameter SHOULD be included
RFC 9449 - Section 7.2
use the challenge corresponding to the attempted authentication mechanism to deliver error information.
Condition: when that mechanism can be established unambiguously
the corresponding challenge SHOULD be used to deliver error information
RFC 9449 - Section 11.1
accept a DPoP proof whose iat value is in the reasonably near future.
Condition: to accommodate clock offsets
the server MAY accept DPoP proofs that carry an iat time in the reasonably near future
RFC 9449 - Section 11.1
limit DPoP proof lifetimes using server-provided nonce values containing server time.
Condition: instead of comparing client-supplied iat with server time
servers MAY limit DPoP proof lifetimes by using server-provided nonce values
RFC 9449 - Section 7.1
include a WWW-Authenticate header in responses to conditions other than missing, invalid, or insufficient credentials.
Condition: when issuing a DPoP authentication challenge
The server MAY include the WWW-Authenticate header in response to other conditions as well.
RFC 9449 - Section 7.1
include a realm authentication parameter.
Condition: in a DPoP authentication challenge
The authentication parameter realm MAY be included
RFC 9449 - Section 7.1
include a scope authentication parameter.
Condition: in a DPoP authentication challenge
A scope authentication parameter MAY be included
RFC 9449 - Section 7.1
include an error_description authentication parameter with a human-readable developer explanation.
Condition: when an error parameter is included in a DPoP authentication challenge
An error_description parameter MAY be included along with the error parameter
RFC 9449 - Section 7.1
use additional authentication parameters.
Condition: in a DPoP authentication challenge
Additional authentication parameters MAY be used
RFC 9449 - Section 7.2
use both Bearer and DPoP challenges to deliver error information.
Condition: when the attempted authentication mechanism cannot be established unambiguously
both Bearer and DPoP challenges MAY be used to deliver error information
Challenges
RFC 9449 - Section 7.2
include an error code or other error information.
Condition: when no authentication information was included with the request
the challenges SHOULD NOT include an error code or other error information
DPoP authentication scheme
RFC 9449 - Section 7.1
be used with Proxy-Authenticate or Proxy-Authorization header fields.
Condition: because the scheme is only for origin-server authentication
this authentication scheme MUST NOT be used with the Proxy-Authenticate or Proxy-Authorization header fields
DPoP HTTP header field
RFC 9449 - Section 5
contain a valid DPoP proof JWT.
Condition: in a DPoP access token request
The DPoP HTTP header field MUST contain a valid DPoP proof JWT.
DPoP proofs
RFC 9449 - Section 4.2
contain an ath claim.
Condition: when used with an access token for protected resource access
the DPoP proof MUST also contain the following claim
RFC 9449 - Section 4.2
contain a nonce claim carrying a recent nonce from the DPoP-Nonce response header.
Condition: when the authorization server or resource server provided a DPoP-Nonce header
the DPoP proof MUST also contain the following claim
RFC 9449 - Section 7
include the ath claim containing a valid hash of the associated access token.
Condition: when used to access a DPoP-protected resource
The DPoP proof MUST include the ath claim with a valid hash
RFC 9449 - Section 4.2
contain additional JOSE header parameters or claims.
Condition: as defined by an extension, profile, or deployment-specific requirement
A DPoP proof MAY contain other JOSE Header Parameters or claims
ath claim value
RFC 9449 - Section 4.2
be the base64url-encoded SHA-256 hash of the ASCII encoding of the associated access-token value.
Condition: when included in a DPoP proof
The value MUST be the result of a base64url encoding the SHA-256 hash
DPoP proof alg parameter
RFC 9449 - Section 4.2
identify none or a symmetric signature algorithm.
It MUST NOT be none or an identifier for a symmetric algorithm
DPoP proof JOSE header
RFC 9449 - Section 4.2
contain at least typ, alg, and jwk parameters, with typ equal to dpop+jwt.
The JOSE Header of a DPoP JWT MUST contain at least the following parameters
DPoP proof jti value
RFC 9449 - Section 4.2
be assigned with negligible probability of duplication in the same context during its validity window.
The value MUST be assigned such that there is a negligible probability
DPoP proof jwk parameter
RFC 9449 - Section 4.2
contain a private key.
It MUST NOT contain a private key.
DPoP proof payload
RFC 9449 - Section 4.2
contain at least the jti, htm, htu, and iat claims.
The payload of a DPoP proof MUST contain at least the following claims
protected resource supporting both DPoP and Bearer
RFC 9449 - Section 7.2
reject a DPoP-bound access token received using the Bearer authentication scheme.
such a protected resource MUST reject a DPoP-bound access token received as a bearer token
RFC 9449 - Section 7.2
follow the specified rules for selecting which authentication challenge carries error information.
Condition: when responding with multiple WWW-Authenticate challenges
It is RECOMMENDED that the following rules be adhered to
public client
RFC 9449 - Section 5
present a DPoP proof for the same key used to obtain the refresh token.
Condition: each time the DPoP-bound refresh token is used to obtain a new access token
such a client MUST present a DPoP proof for the same key
recipient
RFC 9449 - Section 7.1
ignore unknown authentication parameters.
Condition: when processing a DPoP authentication challenge
unknown parameters MUST be ignored by recipients
Validation Guidance
For an access token bound to the client's DPoP key, require token_type to be exactly DPoP in the token response.
Reject a DPoP token request when the DPoP header is absent or does not contain a valid DPoP proof JWT.
When dpop_bound_access_tokens client registration metadata is true, reject token requests from that client that omit the DPoP header.
For a public-client DPoP refresh-token flow, verify the refresh-token key binding and require a proof using the originally bound key.
When DPoP protection is required by the client, discard a response whose token_type is not DPoP.
For protected resource access, require the access token using the DPoP authentication scheme, a DPoP proof, and an ath value matching that access token.
Deny resource access unless proof validation and access-token public-key binding checks all succeed.
Validate DPoP proof syntax, required JOSE parameters and claims, algorithm restrictions, signature, request method and URI, nonce when supplied, and acceptable creation time.
Reject requests containing more than one DPoP header or a DPoP header value that is not one well-formed JWT.
Do not accept a DPoP jwk containing private key material.
Do not use or accept the DPoP authentication scheme through Proxy-Authenticate or Proxy-Authorization.
When a request included an access token but failed DPoP authentication, include an error parameter in the challenge and advertise acceptable proof algorithms using algs.
Ignore unknown authentication parameters in DPoP challenges.
Apply syntax-based and scheme-based URI normalization before comparing htu values.
Accept DPoP proofs only within a limited validity window after creation.
A protected resource supporting both DPoP and Bearer must reject a DPoP-bound token presented using the Bearer scheme.
Generate a new DPoP proof when retrying an idempotent protected-resource request after a transient HTTP error.
Treat dpop_signing_alg_values_supported as authorization server metadata and dpop_bound_access_tokens as client registration metadata.
The OAuth Access Token Types registration for DPoP has HTTP authentication scheme DPoP and no additional token endpoint response parameters.
Security Notes
RFC 9449 - Section 11.1
A captured DPoP proof can be replayed at the same endpoint. Servers must limit the time for which proofs are accepted; tracking jti values and rejecting duplicates can provide stronger replay protection where shared state is feasible.
RFC 9449 - Section 7
The ath claim binds a proof to one access-token value, preventing substitution between different or rotated access tokens, but it does not by itself prevent proof replay or bind the proof to the request method and URI.
Reference
Details
- Entry Id
DPoP- Name
DPoP- Http Authentication Scheme
DPoP- Change Controller
IETF- Reference
RFC9449