Demonstration of Proof-of-possession


In the traditional mechanism, API access is granted as long as the access token presented by the client application is valid. If a proof-of-possession (PoP) mechanism such as DPoP is employed, the API implementation additionally checks whether the client application presenting the access token is its legitimate owner, that is, whether it is the same client the access token was issued to. If the client is not the legitimate owner of the access token, the API access is rejected.

The DPoP Internet draft describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism at the application level. This mechanism allows the detection of replay attacks with access and refresh tokens.
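As an added example (not oidcrp code), the following shows what the API-side check described above looks like in Python using only the standard library: it confirms that the presenter of the access token holds the key the token was bound to (the RFC 7638 thumbprint in the token's cnf.jkt claim), that the proof was made for this request and this token, and that it is fresh and not replayed. The JWS signature verification is delegated to a caller-supplied verify_jws callable (an assumption; in practice a JOSE library does this with the embedded key), and the claim names follow the DPoP draft.

```python
import base64
import hashlib
import json

# Asymmetric algorithms accepted in proofs ("none"/HMAC never: the proof key is public).
ALLOWED_ALGS = {"ES256", "ES512", "RS256", "PS256"}
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}  # RFC 7638

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members."""
    members = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode()).digest())

def access_token_hash(access_token: str) -> str:
    """Value the proof's 'ath' claim must carry for this access token."""
    return b64url_encode(hashlib.sha256(access_token.encode()).digest())

def check_dpop_bound_request(proof, token_claims, access_token, method, url,
                             seen_jti, verify_jws, now, max_skew=60):
    """Accept only if the proof shows possession of the key in the token's cnf.jkt."""
    header_b64, payload_b64, _signature = proof.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if header.get("typ") != "dpop+jwt" or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("not an acceptable DPoP proof")
    jwk = header.get("jwk") or {}
    if jwk.get("kty") not in THUMBPRINT_MEMBERS or "d" in jwk:
        raise ValueError("proof must embed a public key of a supported type")
    if not verify_jws(proof, jwk):  # caller-supplied JWS check with the embedded key
        raise ValueError("proof signature does not verify")
    if payload.get("htm") != method or payload.get("htu") != url:
        raise ValueError("proof was made for a different request")
    if abs(now - payload.get("iat", 0)) > max_skew:
        raise ValueError("proof is stale or from the future")
    if payload.get("ath") != access_token_hash(access_token):
        raise ValueError("proof is not for the presented access token")
    if jwk_thumbprint(jwk) != token_claims.get("cnf", {}).get("jkt"):
        raise ValueError("presenter does not hold the key the token was issued to")
    if not payload.get("jti") or payload["jti"] in seen_jti:
        raise ValueError("missing or already used proof identifier (replay)")
    seen_jti.add(payload["jti"])
    return payload
```

The seen_jti set is the replay cache; in a real service it needs to be shared across workers and expired after max_skew.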


The only thing you can choose is the set of signing algorithms; there are no default algorithms.


What you have to do is add a dpop section to the add_ons section of the client configuration.

"add_ons": {
    "dpop": {
        "function": "oidcrp.oauth2.add_on.dpop.add_support",
        "kwargs": {
            "signing_algorithms": ["ES256", "ES512"]
        }
    }
}