oauth2.dev

dpop_bound_access_tokens

IETF

Registry Context

This client metadata flag indicates whether the client always uses DPoP for token requests. When set to true, the authorization server must reject token requests from that client that omit the DPoP header.

Technical Summary

RFC 9449 defines dpop_bound_access_tokens as a boolean client registration metadata parameter specifying whether the client always uses DPoP for token requests. Its default value is false. When true, the authorization server must reject token requests from the client that do not contain the DPoP header.

When Used

Use this client metadata in dynamic registration or other client configuration mechanisms to indicate that the client always uses DPoP for token requests.

Normative Requirements

Authorization servers

MUST
1
  1. RFC 9449 - Section 5.2

    reject token requests from the client that do not contain the DPoP header.

    Condition: when dpop_bound_access_tokens is true

    If the value is true, the authorization server MUST reject token requests from the client that do not contain the DPoP header.

Validation Guidance

error

When dpop_bound_access_tokens is true, verify that the authorization server rejects token requests from that client that omit the DPoP header.

info

Interpret an omitted dpop_bound_access_tokens value as false.

Security Notes

RFC 9449 - Section 5.2

When this metadata is true, the authorization server enforces the presence of a DPoP header on the client's token requests.

Reference

Details

Entry Id
dpop_bound_access_tokens
Client Metadata Name
dpop_bound_access_tokens
Client Metadata Description
Boolean value specifying whether the client always uses DPoP for token requests
Change Controller
IETF
Reference
RFC9449 - Section 5.2