Using DPOP token to achieve MTLS in Mobile Application

[51j0]

Traditionally, API access is allowed only if the access token presented by the client application is valid. By using a PoP (Proof of Possession) such as DPoP, the API implementation will additionally check whether the client application presenting the access token is the valid owner of the access token. If the client is not the valid owner of the access token, the API access is rejected. Implementing this mobile app can prevent itself from stolen token misuse,

Ref: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop

[cpholguera]

Some more related links:

• https://darutk.medium.com/illustrated-dpop-oauth-access-token-security-enhancement-801680d761ff
• https://curity.io/resources/learn/authentication-api-android-sdk/