OAuth and Proof of Possession - The long way round
One of the most controversial decisions around OAuth 2.0 was the omission of a mechanism to cryptographically bind access tokens to their owners.
In favor of simplicity, only the Bearer token type was specified, with the firm plan to add proof of possession at a later point. It turned out that the problem was harder than expected, and for the better part of the following decade there was no solution.
Today multiple industries and verticals require that extra security feature, and there are now two standard ways to achieve sender constraining. This talk looks at the history of proof of possession and the ways to implement it today using mTLS or the new kid on the block, DPoP.
This talk discusses what OAuth proof of possession access tokens are, why they are important for certain scenarios, and how to implement them at either the transport or the application level.