PieterKas closed 8 months ago
Commented over in https://github.com/aaronpk/oauth-first-party-apps/issues/47 that I think the single method of the DPoP proof header is sufficient and preferred.
I would tend to agree that we should stick with only the header option for DPoP.
I'm good with that. Will create a PR to reflect this.
On Fri 23 Feb 2024, 16:24 Aaron Parecki wrote:
> I would tend to agree that we should stick with only the header option for DPoP.
@bc-pi and @aaronpk, I made the changes. Please review and feel free to merge if ready.
Proposed update based on feedback in issue #47
Open question for reviewers (and @bc_pi) whether we should allow both or only a single method, and if a single method, should we opt for the least common denominator (dpop_jkt) or an authorization challenge endpoint specific one?