Session Title: Understanding the Power of OAuth DPoP (Demonstration of Proof of Possession)
Speakers: Pieter Kasselman, Program Manager, Microsoft; Michael Jones, Identity Standards Architect, Microsoft
Date: Thursday, June 23, 2022
Location: Denver, CO
Description: Most OAuth deployments today use bearer tokens: tokens that can be used by anyone in possession of a copy of them, with no way to distinguish a legitimate use from an attacker who stole a copy and is using it for nefarious purposes. The solution to this is proof-of-possession tokens, where the legitimate client supplies cryptographic material (its public key) to the issuer, which binds that key to the token. The client can then cryptographically prove that the token belongs to it, something an attacker cannot do because they do not possess the corresponding private key.
The OAuth DPoP (Demonstration of Proof of Possession) specification defines a simple-to-implement means of applying proof of possession to OAuth access tokens and refresh tokens. In this session, we will describe real attacks occurring every day against bearer tokens and how they are mitigated by DPoP, providing defense in depth and making real deployed systems substantially more secure with minimal implementation and complexity costs.