Status: Closed (aaronpk closed this issue 1 year ago)
Without DPoP binding, device session values should be one-time use.
DPoP Section 4.2 defines the extension mechanism.
We can define a new parameter `ash` (auth session hash) to include the hash of the `auth_session` in the DPoP proof:
https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-proof-jwt-syntax
Do we need to have a DPoP parameter to bind the device session value?