SL1 - Require DPoP?

[aaronpk]

The current draft requires that access tokens are sender-constrained using DPoP.

However, the current SL1 draft also says that access tokens are only to be used to retrieve identity claims at the OP (the userinfo endpoint).

Given that access tokens in this profile can't be used to access other resources, does it make sense to drop the DPoP requirement?

[dhs-BI]

As discussed in the call on May 6, 2025, we will drop the requirement for using DPoP for access tokens used only to retrieve identity claims from the OP. These access tokens should not be used to access any other resources.

@aaronpk please update the draft and we can close this once the PR is merged.

[deansaxe]

I've made the changes and pushed a PR. @aaronpk please review.

openid/ipsie-openid-sl1#6

[shellcromancer]

If DPoP is not required for access tokens at SL-1, should it also be removed from the authorization code requirements? Currently the SL1 draft states this, but maybe that should be changed to SHOULD in the PR @deansaxe listed above?

• MUST support "Authorization Code Binding to DPoP Key" (as required by {{Section 10.1 of RFC9449}});

[aaronpk]

Yeah we should remove it from the authorization code entirely. The point of doing that is to bind the access token in the earliest possible part of the flow so it's irrelevant now

[deansaxe]

I will follow up on this shortly to make the changes.

[deansaxe]

I've made the changes, this issue is pending close after merging the updates.

[deansaxe]

@aaronpk please review and consider merging the change. Once merged this issue can be closed.