« All Articles

OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer

Abstract: This document defines an application-level sender-constraint mechanism for OAuth 2.0 access tokens and refresh tokens that can be applied when neither mTLS nor OAuth Token Binding are utilized. It achieves proof-of-possession using a public/private key pair.