Open
Description
DPoP has been a preview feature since Keycloak 23. The related epic for DPoP preview support is #21916.
This task is about promoting DPoP to supported. We can wait for the feedback from the community if something is reported in Keycloak 23. Also, we can consider whether we should improve something (e.g. extract DPoP a bit more from the core classes and plug it in as an independent extension through client policies).
Discussion
#21916 (See the other discussions linked from this epic).
Tasks
- [DPoP] token_type on UserInfoEndpoint expects Bearer instead of DPoP #30181
- Support DPoP dynamically for all grant-types #30179
- Keycloak needs to return "invalid_request" from Token Endpoint if a token or refresh request lacks DPOP proof #34842
- Make sure DPoP is passing with official OIDC testsuite #31970
- Authorization Code Binding to a DPoP Key and DPoP with Pushed Authorization Requests #34990
- [DPoP] : /protocol/openid-connect/token throw error when DPOP feature not enabled on client #36261
- DPoP: Refresh token created with DPoP can be refreshed without proof #36475
- DPoP: User Info Endpoint authorization type mismatch #36476
- When calling the user info endpoint, the DPoP is not bound to the access token #38333
- Revise DPoP Codes - refactor retrieveDPoPHeaderIfPresent method #39761
- Fully decouple DPoP from TokenEndpoint and TokenManager if possible #21921
- DPoP: Allow to only DPoP-bind refresh tokens and still issue access tokens of type Bearer #26277
- Make sure Keycloak endpoints have DPoP validation #33942
- Add FAPI 2.0 + DPoP security profile as default profile of client policies #35441
- [DPoP] Implementing DPoP nonce #39042