oauth2.dev

use_dpop_nonce

IETF

Registry Context

`use_dpop_nonce` tells a client that a server requires a nonce in the DPoP proof for a subsequent request.

Technical Summary

RFC 9449 registers `use_dpop_nonce` for token error responses and resource access error responses. Authorization servers use it in HTTP 400 token error responses, while resource servers use it in HTTP 401 DPoP authentication challenges, accompanied by a `DPoP-Nonce` header supplying the nonce.

When Used

When an authorization server or resource server requires a nonce in a DPoP proof, including when a previously supplied nonce does not match and a new nonce is supplied.

Normative Requirements

Clients

MUST

  1. RFC 9449 - Section 8.2

    use the newly supplied nonce for the next token request and all subsequent token requests until another nonce is supplied.

    Condition: after receiving a new nonce from the authorization server.

    The client MUST use the new nonce value supplied

Authorization servers

MUST NOT

  1. RFC 9449 - Section 8

    include more than one `DPoP-Nonce` header in an error response.

    Condition: when returning an error response containing a DPoP nonce.

    there MUST NOT be more than one DPoP-Nonce header

MUST

  1. RFC 9449 - Section 8

    ensure supplied nonce values are unpredictable.

    Condition: when supplying DPoP nonce values.

    Nonce values MUST be unpredictable.

  2. RFC 9449 - Section 8

    reject the request.

    Condition: when the DPoP proof's nonce claim does not exactly match a nonce recently supplied to the client.

    the authorization server MUST reject the request

MAY

  1. RFC 9449 - Section 8

    supply a nonce value for the client to include in DPoP proofs.

    An authorization server MAY supply a nonce value

  2. RFC 9449 - Section 8

    include a `DPoP-Nonce` HTTP header providing a new nonce for subsequent requests.

    Condition: in a rejection response for a nonce mismatch.

    The rejection response MAY include a DPoP-Nonce HTTP header

  3. RFC 9449 - Section 8.2

    supply a new nonce using a `DPoP-Nonce` HTTP response header.

    Condition: when supplying a replacement nonce in the same manner as the initial nonce.

    The authorization server MAY supply the new nonce

Servers

MUST NOT

  1. RFC 9449 - Section 11.3

    accept DPoP proofs that omit the nonce claim.

    Condition: when a DPoP nonce has been provided to the client.

    A server MUST NOT accept any DPoP proofs without the nonce claim

Validation Guidance

error: Reject a DPoP proof that omits the nonce claim after a nonce has been provided to the client.

error: Generate unpredictable DPoP nonce values.

error: Reject a request whose DPoP nonce does not exactly match a recently supplied nonce.

error: Do not emit more than one `DPoP-Nonce` header in an authorization-server error response.

error: Use a newly supplied authorization-server nonce for the next and subsequent token requests until another nonce is supplied.

info: A nonce-mismatch rejection may include a `DPoP-Nonce` header supplying a replacement nonce.

Security Notes

RFC 9449 - Section 11.3

Once a DPoP nonce has been provided, accepting proofs without a nonce claim would permit a nonce downgrade and is prohibited.
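The nonce exchange described by the requirements above, as an added example that is not code from oauth2.dev or RFC 9449: an authorization-server token endpoint that always demands a nonce, and a client that honours `use_dpop_nonce` by adopting the supplied nonce for the retry and every later request. Proof claims are plain dicts (signature, `htm`/`htu` and `jti` checks are assumed to have passed already), and the 300-second acceptance window and the token URL are constructed values.

```python
import secrets
import time

class NonceRequiringTokenEndpoint:
    # Authorization-server token endpoint that always requires a DPoP nonce.
    # The 300-second acceptance window is an assumption, not an RFC value.
    def __init__(self, window=300):
        self.window = window
        self.recent = {}  # nonce -> time issued

    def _fresh_nonce(self):
        nonce = secrets.token_urlsafe(32)  # unpredictable, as Section 8 requires
        self.recent[nonce] = time.time()
        return nonce

    def _recently_supplied(self, nonce):
        issued = self.recent.get(nonce)
        return issued is not None and time.time() - issued <= self.window

    def token(self, proof_claims):
        # Signature, htm/htu and jti checks are assumed to have passed already.
        # A missing nonce claim (Section 11.3) or a nonce that is not an exact,
        # recently supplied value (Section 8) gets 400 use_dpop_nonce + one DPoP-Nonce header.
        nonce = proof_claims.get("nonce")
        if nonce is None or not self._recently_supplied(nonce):
            return {"status": 400, "headers": {"DPoP-Nonce": self._fresh_nonce()},
                    "body": {"error": "use_dpop_nonce"}}
        return {"status": 200, "headers": {},
                "body": {"access_token": "constructed-token", "token_type": "DPoP"}}

class DpopClient:
    # Client side: on use_dpop_nonce, adopt the new nonce and keep using it.
    def __init__(self, server):
        self.server = server
        self.nonce = None

    def proof_claims(self):
        claims = {"jti": secrets.token_urlsafe(16), "htm": "POST",
                  "htu": "https://as.example/token", "iat": int(time.time())}
        if self.nonce is not None:
            claims["nonce"] = self.nonce
        return claims

    def request_token(self):
        resp = self.server.token(self.proof_claims())
        if resp["status"] == 400 and resp["body"].get("error") == "use_dpop_nonce":
            self.nonce = resp["headers"]["DPoP-Nonce"]  # keep for all later requests
            resp = self.server.token(self.proof_claims())
        return resp
```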

Reference

Details

Entry Id: use_dpop_nonce
Name: use_dpop_nonce
Usage Location: token error response, resource access error response
Protocol Extension: Demonstrating Proof of Possession (DPoP)
Change Controller: IETF
Reference: RFC9449