OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution

Document Type Replaced Internet-Draft (individual)
Last updated 2015-10-14 (latest revision 2014-06-26)
Replaced by draft-ietf-oauth-pop-key-distribution
Stream IETF
Intended RFC status Proposed Standard
Expired & archived
Stream WG state Adopted by a WG
Document shepherd No shepherd assigned
IESG IESG state Replaced by draft-ietf-oauth-pop-key-distribution
Consensus Boilerplate Unknown
Telechat date
Responsible AD Kathleen Moriarty
Send notices to oauth-chairs@ietf.org

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


RFC 6750 specified the bearer token concept for securing access to protected resources. Bearer tokens need to be protected in transit as well as at rest. When a client requests access to a protected resource, it hands over the bearer token to the resource server. The OAuth 2.0 Proof-of-Possession security concept extends bearer token security and requires the client to demonstrate possession of a key when accessing a protected resource. This document describes how the client obtains this keying material from the authorization server.


John Bradley (ve7jtb@ve7jtb.com)
Phil Hunt (phil.hunt@yahoo.com)
Michael Jones (mbj@microsoft.com)
Hannes Tschofenig (Hannes.Tschofenig@gmx.net)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)