dpop_ bound_ access_ tokens
Registry Context
This client metadata flag indicates whether the client always uses DPoP for token requests. When set to true, the authorization server must reject token requests from that client that omit the DPoP header.
Technical Summary
RFC 9449 defines dpop_bound_access_tokens as a boolean client registration metadata parameter specifying whether the client always uses DPoP for token requests. Its default value is false. When true, the authorization server must reject token requests from the client that do not contain the DPoP header.
When Used
Use this client metadata in dynamic registration or other client configuration mechanisms to indicate that the client always uses DPoP for token requests.
Normative Requirements
Authorization servers
RFC 9449 - Section 5.2
reject token requests from the client that do not contain the DPoP header.
Condition: when dpop_bound_access_tokens is true
If the value is true, the authorization server MUST reject token requests from the client that do not contain the DPoP header.
Validation Guidance
When dpop_bound_access_tokens is true, verify that the authorization server rejects token requests from that client that omit the DPoP header.
Interpret an omitted dpop_bound_access_tokens value as false.
Security Notes
RFC 9449 - Section 5.2
When this metadata is true, the authorization server enforces the presence of a DPoP header on the client's token requests.
Reference
Details
- Entry Id
dpop_bound_ access_ tokens - Client Metadata Name
dpop_bound_ access_ tokens - Client Metadata Description
Boolean value specifying whether the client always uses DPoP for token requests- Change Controller
IETF- Reference
RFC9449 - Section 5.2