A personal account of the rich and sometimes troubled history of proof-of-possession tokens in OAuth with a focus on DPoP—our last best hope for strong cryptographic defenses against the use of stolen tokens. Tokens which, as mostly bearer tokens today, are an increasingly attractive target to adversaries as user credentials themselves become harder to compromise with MFA/FIDO/etc.


RSAC 2023 brought together thousands of cybersecurity professionals for four incredible days of expert perspectives, groundbreaking innovation, and best practices. 

DPoP and the Burden of Proof: Negating the Threat of Stolen OAuth Tokens

Conference: RSA Conference 2023

Authors: Brian Campbell

Abstract

Post a comment

Related work

Defending against chained attacks on your SSO/OAuth identity system

New Phishing Attacks Exploiting OAuth Authentication Flows

Detecting Malicious PyPi Packages With Semgrep