FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Support DPoP standard #1679

Open mooreds opened 2 years ago

mooreds commented 2 years ago

Support DPoP standard

Problem

I want token binding, but don't want to use mTLS (#1025).

Solution

Support DPoP: https://datatracker.ietf.org/doc/html/rfc9449

Alternatives/workarounds

n/a

Additional context

Interesting discussion about DPoP and the browser: https://stackoverflow.com/questions/75346332/no-reliable-way-enforce-dpop-in-the-browser

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

mooreds commented 9 months ago

This is now an RFC! https://www.rfc-editor.org/rfc/rfc9449.html

This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.