DPoP and the Burden of Proof: Negating the Threat of Stolen OAuth Tokens

Posted in Presentations

A personal account of the rich and sometimes troubled history of proof-of-possession tokens in OAuth, with a focus on DPoP, our last best hope for strong cryptographic defenses against the use of stolen tokens. Most tokens today are bearer tokens, which makes them an increasingly attractive target for adversaries as user credentials themselves become harder to compromise with MFA/FIDO/etc.

Brian Campbell


Distinguished Engineer, Ping Identity
