| Internet-Draft | dpop-proof | September 2025 |
| Nandakumar & Jennings | Expires 20 March 2026 | [Page] |
This document describes a generic framework for Demonstrating Proof of Possession (DPoP) that extends beyond HTTP-specific implementations. Building upon RFC 9449, this framework provides a protocol-agnostic approach for sender-constraining tokens through cryptographic proof of possession, enabling secure token binding across various application protocols and contexts.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://oauth-wg.github.io/oauth-dpop-generic/draft-generic-dpop-framework.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-nandakumar-oauth-dpop-proof/.¶
Discussion of this document takes place on the OAuth Working Group Working Group mailing list (mailto:oauth@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/oauth/. Subscribe at https://www.ietf.org/mailman/listinfo/oauth/.¶
Source for this draft and an issue tracker can be found at https://github.com/oauth-wg/oauth-dpop-generic.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 20 March 2026.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
RFC 9449 [RFC9449] defines a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. DPoP as defined in RFC 9449 has two separable parts: the first part (covered in sections 4, 5, 6, and 8) describes how a client obtains a DPoP-bound token from an authorization server, while the second part (covered in sections 7 and 9) describes how the client proves control of the private key associated with a DPoP token when accessing protected resources.¶
This specification defines bindings for Media Over QUIC Transport (MOQT) and presents a generic framework that abstracts the core concepts of DPoP into a protocol-agnostic approach. While keeping the first part unchanged, this framework generalizes the second part to enable proof-of-possession token binding for various application contexts beyond HTTP while maintaining the security properties established in RFC 9449.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The terms "access token", "refresh token", "authorization server", "resource server", "client", and "public client" are defined by "The OAuth 2.0 Authorization Framework" [RFC6749].¶
The terms "JSON Web Token (JWT)", "JOSE Header", and "JWS" are defined in [RFC7519] and [RFC7515].¶
The protocol which uses DPoP tokens as proof of authorization. This may be HTTP (as in RFC 9449) or any other application-layer protocol that requires proof-of-possession token binding.¶
The Generic DPoP Framework extends the DPoP mechanism to work across various application protocols beyond HTTP. The basic flow involves a client obtaining a DPoP-bound token from an authorization server, then using that token with an application protocol by providing proof of possession of the associated private key.¶
+--------+ +---------------+ | |--(A)-- Token Request ------------------->| | | Client | (Generic DPoP Proof) | Authorization | | | | Server | | |<-(B)-- DPoP-Bound Access Token ----------| | | | (token_type=DPoP) +---------------+ | | | | | | +---------------+ | |--(C)-- Application Protocol Request --->| | | Client | (DPoP-Bound Access Token + | Application | | | Generic DPoP Proof with | Protocol | | | Binding Fields) | Server | | |<-(D)-- Application Protocol Response ---| | +--------+ +---------------+
The main data structure introduced by this specification is a generic DPoP proof JWT that can be used across various application protocols and contexts, as described in detail below. A client uses a generic DPoP proof JWT to prove the possession of a private key corresponding to a certain public key.¶
Roughly speaking, a generic DPoP proof is a signature over:¶
protocol-specific authorization context data,¶
a timestamp,¶
a unique identifier,¶
an optional server-provided nonce, and¶
a hash of the associated access token when an access token is present within the request.¶
The application protocol needs to define binding fields that make the proof JWT
unique to a specific protocol interaction. These binding fields replace the
HTTP method (htm) and HTTP URI (htu) fields used in RFC 9449, providing
protocol-specific context that prevents replay attacks across different
protocol operations.¶
Key aspects of the protocol:¶
Token Acquisition (Steps A-B): Uses the same mechanism as RFC 9449 sections 4, 5, 6, and 8¶
Proof of Possession (Steps C-D): Generalizes RFC 9449 sections 7 and 9 with protocol-specific binding fields¶
Binding Fields: Each application protocol must define how to bind the proof to specific protocol operations to ensure uniqueness¶
The basic steps of a protocol flow with generic DPoP (without the optional nonce) are shown in Figure 1.¶
A. In the token request, the client sends an authorization grant (e.g., an authorization code, refresh token, etc.) to the authorization server in order to obtain an access token (and potentially a refresh token). The client attaches a generic DPoP proof to the request.¶
B. The authorization server binds (sender-constrains) the access token to the public key claimed by the client in the DPoP proof; that is, the access token cannot be used without proving possession of the respective private key. If a refresh token is issued to a public client, it is also bound to the public key of the DPoP proof.¶
C. To use the access token, the client has to prove possession of the private key by, again, providing a generic DPoP proof for that request to the protocol server. The protocol server needs to receive information about the public key to which the access token is bound. This information may be encoded directly into the access token (for JWT-structured access tokens) or provided via token introspection endpoint (not shown). The protocol server verifies that the public key to which the access token is bound matches the public key of the DPoP proof. It also verifies that the access token hash in the DPoP proof matches the access token presented in the request.¶
D. The protocol server refuses to serve the request if the signature check fails or if the data in the DPoP proof is wrong, e.g., the authorization context does not match the expected context for the protocol operation. The access token itself, of course, must also be valid in all other respects.¶
The generic DPoP mechanism presented herein is not a client authentication method. In fact, a primary use case of DPoP is for public clients (e.g., single-page applications and applications on a user's device) that do not use client authentication. Nonetheless, generic DPoP is designed to be compatible with private_key_jwt and all other client authentication methods.¶
Generic DPoP does not directly ensure message integrity, but it relies on the underlying transport security layer (such as TLS) for that purpose. See Section 8 for details.¶
Application protocols that wish to use this generic DPoP framework MUST define the following elements to ensure secure proof-of-possession token binding:¶
Each application protocol MUST specify:¶
Required Binding Fields: The mandatory fields within the Authorization
Context (actx) object that uniquely identify and bind the proof to a
specific protocol operation¶
Field Semantics: Clear definitions of what each binding field represents and how it relates to protocol messages and operations¶
Uniqueness Requirements: How the combination of binding fields ensures that each proof is unique to a specific protocol interaction¶
Application protocols SHOULD provide a mechanism for servers to supply nonces to clients for replay protection, similar to Section 9 of RFC 9449. When nonce support is provided, the protocol specification MUST define:¶
Application protocol specifications MUST include:¶
Replay Attack Prevention: How the binding fields prevent replay of proofs across different protocol operations¶
Cross-Protocol Security: Measures to prevent proofs from being valid across different application protocols¶
Protocol-Specific Threat Model: Analysis of security threats specific to the application protocol context¶
For illustration, an application protocol might define binding fields such as:¶
operation: The specific protocol operation being authorized¶
resource_identifier: A unique identifier for the resource being accessed¶
timestamp_context: Protocol-specific temporal context information¶
The combination of these fields would ensure that a DPoP proof is valid only for the specific operation, resource, and temporal context for which it was generated.¶
This proof structure has the same general structure as a standard DPoP proof
as defined in RFC 9449, with the key difference being that the HTTP-specific
claims (htm for HTTP method and htu for HTTP URI) are replaced with the
Authorization Context (actx) object to provide application protocol-specific
binding information.¶
The JWT header for a generic DPoP proof MUST contain the same elements as specified in [RFC9449]:¶
This framework establishes a registry for protocol type identifiers used in
the actx.type field. Each registered type MUST specify:¶
The additional required and optional fields for the Authorization Context¶
The semantic meaning and validation rules for those fields¶
Security considerations specific to the protocol context¶
Examples of usage¶
This section defines the normative authorization context for Media Over QUIC (MOQ) as specified in this framework.¶
Type Identifier: "moq"¶
The MOQ authorization context MUST contain the following fields:¶
action:¶
A string specifying the MOQ operation (Section 9 of [MOQTransport] being authorized.¶
tns:¶
Track Namespace as defined in Section 2.4.1 of [MOQTransport].¶
The MOQ authorization context MAY contain the following fields:¶
tn:¶
Track Name as defined in Section 2.4.1 of [MOQTransport].¶
parameters:¶
An object containing additional MOQ-specific parameters relevant to the operation. The structure and contents of this field are context-dependent.¶
As defined in Section 2.4.1 of [MOQTransport], Track Namespace is an ordered N-tuple of bytes (where N can be between 1 and 32), and Track Name is a sequence of bytes. Both are not constrained to specific encoding and carry arbitrary byte sequences that are compared by exact byte matching.¶
For representation in the JSON tns and tn fields of the Authorization
Context, the following encoding approach MUST be used:¶
Track Namespace Tuple Encoding: The Track Namespace tuple MUST be encoded as a URL-safe string where:¶
Track Name Encoding: The Track Name bytes MUST be base64url-encoded (without padding) when containing non-printable bytes or when exact byte preservation is required¶
TODO: A better way to encode that promotes readability is being thought about¶
Example encodings:¶
Servers processing MOQ authorization contexts MUST:¶
Verify that the action field contains a recognized MOQ operation¶
Validate that the tns field represents a properly formatted track
namespace tuple encoding as specified above¶
If present, validate that the tn field contains properly encoded track
name bytes¶
Ensure the requested action is permitted for the specified track namespace tuple¶
If present, ensure the requested action is permitted for the specified track name¶
If present, validate any parameters according to usage context¶
This section provides complete examples of application-agnostic DPoP proof JWTs, illustrating the use of the Authorization Context object in place of HTTP-specific claims.¶
The following example shows a complete DPoP proof JWT for a MOQ context:¶
JWT Header:¶
{
"typ": "dpop-proof+jwt",
"alg": "ES256",
"jwk": {
"kty": "EC",
"x": "l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
"y": "9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA",
"crv": "P-256"
}
}
¶
JWT Payload:¶
{
"jti": "unique-request-id-789",
"iat": 1705123456,
"actx": {
"type": "moq",
"action": "SUBSCRIBE",
"tns": "moq://example.com/app/scope/video",
"tn": "camera1"
},
"ath": "fUHyO2r2Z3DZ53EsNrWBb1xWXM4VbCqpW5G-o9GqC7Y"
}
¶
For comparison, an equivalent HTTP DPoP proof would contain htm and htu
claims instead of the actx object:¶
{
"jti": "unique-request-id-789",
"iat": 1705123456,
"htm": "POST",
"htu": "https://media.example.com/subscribe",
"ath": "fUHyO2r2Z3DZ53EsNrWBb1xWXM4VbCqpW5G-o9GqC7Y"
}
¶
The key difference is that the application-agnostic framework uses the actx object to
provide protocol-specific authorization context, while HTTP DPoP uses htm and
htu for HTTP method and URI.¶
This framework extends and generalizes the concepts defined in RFC 9449 [RFC9449] while maintaining full backward compatibility with HTTP-based DPoP implementations.¶
RFC 9449 Section 7 defines protected resource access specifically for HTTP contexts. This framework extends those concepts to support non-HTTP protocols while preserving the core security model.¶
Authorization Context vs HTTP Parameters: Instead of requiring htm
(HTTP method) and htu (HTTP URI) claims, this framework uses the
Authorization Context (actx) object to specify protocol-specific request
context.¶
Protocol-Agnostic Token Binding: While RFC 9449 Section 7.1 defines the DPoP authentication scheme for HTTP Authorization headers, this framework enables token binding for protocols that may not use HTTP-style headers.¶
Flexible Proof Validation: The validation rules in RFC 9449 Section
4.3 are adapted to work with the actx object rather than HTTP-specific
claims, allowing servers to validate proofs according to their protocol
requirements.¶
This framework is designed to coexist with RFC 9449 implementations:¶
HTTP-based DPoP proofs continue to work unchanged using htm and htu
claims¶
Generic DPoP proofs use the actx object for non-HTTP contexts¶
The same key pairs and token binding mechanisms apply to both approaches¶
Authorization servers MAY support both HTTP and generic DPoP proof formats simultaneously¶
Existing RFC 9449 implementations can adopt this framework incrementally:¶
HTTP-Only Phase: Continue using standard RFC 9449 DPoP for HTTP resources¶
Hybrid Phase: Support both HTTP DPoP (with htm/htu) and generic
DPoP (with actx)¶
Generic Phase: Migrate to using Authorization Context objects for all protocols, including HTTP¶
The typ header value dpop-proof+jwt (instead of dpop+jwt) signals
support for the generic framework while maintaining the same cryptographic
properties and security model.¶
This framework inherits all security considerations from [RFC9449]. Additional considerations specific to the generic framework include:¶
Servers MUST validate that the actx.type field corresponds to a registered
and supported context type. Unknown or unsupported context types MUST be
rejected.¶
Each registered context type MUST specify its own security requirements and threat model. The generic framework does not impose additional security properties beyond those provided by the underlying JWT signature.¶
DPoP tokens bound using this framework SHOULD be validated only within their intended context type. Servers MUST NOT accept a DPoP proof with one context type as valid for a different context type.¶
Clients MUST use different DPoP proofs for different applications. This separation ensures that a DPoP proof generated for one application protocol cannot be reused or replayed in the context of another application protocol. Implementations SHOULD enforce this by:¶
Distinct Key Pairs: Using separate key pairs for different application protocols where feasible¶
Context-Specific Binding: Ensuring that Authorization Context (actx)
objects contain fields that uniquely identify the application protocol¶
Proof Validation: Rejecting proofs that contain context information from other application protocols¶
This requirement prevents cross-application attacks where an attacker might attempt to use a valid DPoP proof from one application context in a different application context.¶
This document registers the following JWT claim in the "JSON Web Token Claims" registry:¶
Claim Name: actx¶
Claim Description: Authorization Context Object¶
Claim Value Type: Object¶
Change Controller: IETF¶
Specification Document: This document, Section 4.1¶
This document registers the "application/dpop-proof+jwt" media type for generic DPoP proof JWTs in the "Media Types" registry.¶
Type Name: application¶
Subtype Name: dpop-proof+jwt¶
Required Parameters: none¶
Optional Parameters: none¶
Encoding Considerations: Binary; base64url encoding of JWT¶
Security Considerations: See Section 8 of this document¶
Interoperability Considerations: Multi-Protocol DPoP proofs extend HTTP-specific DPoP while maintaining backward compatibility¶
Published Specification: This document Applications that use this media type: Applications implementing generic DPoP authorization¶
Fragment Identifier Considerations: none¶
Additional Information: none¶
Person and email address to contact: OAuth Working Group oauth@ietf.org¶
Intended Usage: COMMON¶
Restrictions on Usage: none¶
Author: OAuth Working Group¶
Change Controller: IETF¶
Thanks for Richard Barnes for the reviews and suggestions on the protocol context design.¶