Summary / Problem
Glean's current authentication mechanisms rely on standard bearer tokens. If an access token is leaked or compromised, an attacker can use it directly, because a bearer token is valid for whoever presents it. This token misuse is a well-known weakness of standard OAuth 2.0 bearer tokens.
Proposed Solution
Implement support for the Demonstrating Proof of Possession (DPoP) standard (RFC 9449) across Glean's authentication services.
This involves:
- Allowing clients to present a DPoP proof during the token request process.
- Binding the issued access token to the client's public key specified in the DPoP proof.
- Requiring and validating the DPoP proof on all subsequent API calls made to Glean using the bound token.
Justification
Implementing DPoP significantly enhances security by cryptographically binding an access token to the client that requested it. Even if an access token is intercepted, it can only be used by the legitimate client that holds the corresponding private key, which effectively prevents misuse of compromised tokens.
External Reference
DPoP Specification:
https://oauth.net/2/dpop/