OAuth is a token-based authentication and authorization framework that can allow third-party access to what you own without sharing your identity. It was a pleasure for us to attend the Vancouver Digital Identity Meetup on August 6, 2019, where we enjoyed Sascha Preibisch’s presentation about OAuth 2.0 – Demonstration of Proof-of-Possession (DPoP).

Sascha addressed some disadvantages of existing protocols (HMAC, Mutual TLS Client Authentication, Token Binding), such as:

  • Complicated to implement
  • Complexity
  • Not supporting

DPoP is not a new idea; according to Sascha, the main goal is to “Ensure the token being presented is owned by the presenter”. Some of DPoP’s advantages and benefits are:

  • Lightweight
  • Update on application only
  • Reuse existing libraries and tools
  • Leverages current standards: JWT, JWS, JWK
  • Non-invasive addition to OAuth
  • Enriches OAuth security model
  • Supports public and confidential clients

For more information please visit DPoP.