Inspired by a question from @thisismissem.social, I wrote up a ... • Aaron Parecki

51°F

Inspired by a question from @thisismissem.social, I wrote up a document describing how to apply DPoP (RFC9449) to the OAuth Device Flow (RFC8628).

https://datatracker.ietf.org/doc/draft-parecki-oauth-dpop-device-flow/

Portland, Oregon, USA • 55°F

Sat, Sep 20, 2025 7:18am -07:00 #oauth #dpop #ietf

7 likes 3 reposts 1 reply
- Tim Chambers (Admin)
- Anton
- Jonas
- cthos
- Jonathan Yu
- darthmaim
- wakest
Have you written a response to this? Let me know the URL:
- "Musty Bits" McGee eigenmagic.net/users/arichtman
  
  @aaronpk so is the authorization server supposed to validate a client certificate before handing out the access token or is that up to the resource server or does the access token get returned encrypted with the bound public key?
  
  Sun, Jan 18, 2026 7:47pm -07:00

Posted in /notes using quill.p3k.io