OAuth and Proof of Possession - The long way round - Dominick Baier - NDC Oslo 2023

  • Published 18 Sep 2024

Comments • 9

  • @adel8206
    @adel8206 1 year ago +2

    I find it weird that the speaker says they don't recommend using DPoP in the browser when the DPoP draft literally states that the primary audience of DPoP is public clients! Moreover, the speaker also made a mistake by saying that refresh tokens also require PoP; this is, funnily enough, only true if the client is public (i.e. a browser-based client). Refresh tokens are already bound to confidential clients, as they have to authenticate themselves every time they present a refresh token to the AS (using client_id and client_secret, for example).
    I mean, if you think about it, confidential clients have much less risk of token leakage anyway (refresh tokens are bound and access tokens are short-lived, and both are stored safely in some database on the server side). So, the trouble of DPoP seems to be really only worth it in the context of public clients such as browser, mobile and native apps.
    Otherwise the talk is pretty good at explaining what DPoP is.

  • @20ouvir
    @20ouvir 1 year ago

    /ouath-2-0-and-the-road-to-hell/ 😂

  • @canuckabroad5967
    @canuckabroad5967 1 year ago +4

    Fast forward to the last 45 seconds of the talk, where a question from the audience surfaces the fact that this entire presentation isn't at all applicable to browser-based scenarios. I'm not sure what scenario this talk is actually relevant to for most web devs in that case. I had been watching along thinking this would remove the need for BFFs.

    • @ValexNihilist
      @ValexNihilist 1 year ago

      😊

    • @ValexNihilist
      @ValexNihilist 1 year ago

      😊😊

    • @ValexNihilist
      @ValexNihilist 1 year ago

      😊😊😊😊😊😊😊😊😊😊😊😊😊😊😊

    • @ValexNihilist
      @ValexNihilist 1 year ago

      😊

    • 5 months ago

      Ignore ivantrolls. Your question is relevant.