IBM Verify


ISVA use of RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)

  • 1.  ISVA use of RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)

    Posted Tue September 12, 2023 08:57 AM

    Now that DPoP is gaining traction, are there any out-of-the-box solutions available or planned? Or has anyone successfully implemented the standard? @Shane Weeden I know a good while back you had mentioned DPoP when it was a draft, and I thought you had mentioned you had prototyped something. I'm curious if you have had time to write anything up on your blog pertaining to it.

    A couple years ago, I successfully implemented RFC 8705 (requiring use of mapping rules and WebSEAL user mapping rules to populate a header with the cert data). I haven't read through the detail of the DPoP proposed standard, but I presume it should be possible and similar to implementing RFC 8705 for certificate-bound access tokens.

    Thanks!

    Matt

    Reference:

    https://www.rfc-editor.org/rfc/rfc9449.html



    ------------------------------
    Matt Jenkins
    ------------------------------


  • 2.  RE: ISVA use of RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)

    Posted Wed September 13, 2023 04:40 PM

    Hey Matt, 

    I'm not sure if this is exactly what you're looking for, but here is our formal documentation on DPoP support in our OIDC OP. 

    https://docs.verify.ibm.com/ibm-security-verify-access/docs/oauth2-dpop#dpop-bound-tokens

    But take a look at this, and let me know if you have subsequent questions. 


    Regards, 
    Philip



    ------------------------------
    Philip Nye
    IBM
    Gold Coast
    ------------------------------