OAuth 2.0 Proof-of-Possession: Authorization Server to Client Key Distribution

Document Type Expired Internet-Draft (oauth WG)
Authors John Bradley, Phil Hunt, Michael Jones, Hannes Tschofenig, Mihaly Meszaros
Last updated 2019-09-28 (latest revision 2019-03-27)
Replaces draft-bradley-oauth-pop-key-distribution
Stream Internet Engineering Task Force (IETF)
Intended RFC status Proposed Standard
Expired & archived
Stream WG state WG Document
Document shepherd Kepeng Li
IESG IESG state Expired
Consensus Boilerplate Unknown
Telechat date
Responsible AD (None)
Send notices to "Kepeng Li" <kepeng.lkp@alibaba-inc.com>

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


RFC 6750 specified the bearer token concept for securing access to protected resources. Bearer tokens need to be protected in transit as well as at rest. When a client requests access to a protected resource, it hands over the bearer token to the resource server. The OAuth 2.0 Proof-of-Possession security concept extends bearer token security and requires the client to demonstrate possession of a key when accessing a protected resource.


John Bradley (ve7jtb@ve7jtb.com)
Phil Hunt (phil.hunt@yahoo.com)
Michael Jones (mbj@microsoft.com)
Hannes Tschofenig (Hannes.Tschofenig@gmx.net)
Mihaly Meszaros (bakfitty@gmail.com)

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)