Is there a plan to implement RFC 9449 (DPoP: Demonstrating Proof of Possession)

[ghiyastfarisi]

Preflight checklist

• [X] I could not find a solution in the existing issues, docs, nor discussions.
• [X] I agree to follow this project's Code of Conduct.
• [X] I have read and am following this repository's Contribution Guidelines.
• [ ] I have joined the Ory Community Slack.
• [ ] I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

Right now, the OIDC system doesn’t have a way to prove that a token is being used by the person who owns it. Since RFC 9449 (DPoP) is now a standard, adding it to OIDC would make the system more secure by preventing token misuse.

Describe your ideal solution

The ideal solution is to implement RFC 9449 (DPoP) in OIDC. This would allow the client to prove they own the token by signing each request with a key. It adds an extra layer of security by making sure tokens can’t be reused or stolen easily.

Workarounds or alternatives

Right now, we use other methods like Mutual TLS or token binding, but these are more complicated and less flexible than DPoP. Adding DPoP would simplify things and improve security.

Version

Latest

Additional Context

No response

[vivshankar]

We have an implementation available that I will be happy to contribute. However, given other PRs related to standards have remained open for a very long time, I am reluctant to invest the time unless there is engagement from the core team.

[aeneasr]

We are happy to invest time in review and improvement but need a commercial case for it given how much other work we have. Right now there is no one interested in this commercially.

@vivshankar if you want you can pull up the PR and once we have such a case we‘ll invest the time it needs.

See device auth grant, this is finally making it to master soon because we have a commercial case for it finally :) If you have a commercial case (support/enterprise license) please reach out here: www.ory.sh/contact