OAuth DPoP detail
RFC 9449 application-layer token-binding.
Definition
DPoP uses DPoP HTTP header with signed JWT including htm (HTTP method), htu (HTTP URI), iat (timestamp), jti (unique ID), public key in JWK header. Authorization server issues access token containing cnf (confirmation) with thumbprint of the public key, bound to the DPoP proof. RS validates the DPoP JWT on each request.
Origin
IETF OAuth WG, draft 2019, RFC 9449 published September 2023.
Usage
Adopted by FAPI 2.0, banks Open Banking (UK Open Banking 4.0, FAPI 2.0 implementations). Legacy alternative to mTLS Sender-Constrained Tokens.
Related terms
- OAuth 2.0 — standard parent.
- FAPI 2.0 — cas usage flagship.
- mTLS Sender-Constrained — alternative.