DPoP - Lessons learned and improvement proposals
2026-05-29, Arena

DPoP adoption is accelerating, but some use-cases are challenging the specification's initial design assumptions and choices. In this session, we will discuss some of the friction points we have experienced, and propose potential solutions.


DPoP made design choices that allow easy integration within the scope it was envisioned for, but the scenarios people want to use DPoP in keep expanding, and some of those initial choices are now creating problems. The two main problems we have faced are nonce fetching (a client needs to send an otherwise well-formed request carrying a DPoP proof just to receive an error response that supplies the nonce it should use) and DPoP protecting only the token itself rather than the HTTP request as a whole. Furthermore, people are exploring using DPoP to bind the refresh_token as well, which the RFC ruled out.
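The nonce-fetching round-trip described above, modelled as an added example (not code from the session or any project): a token endpoint that challenges with `use_dpop_nonce` per RFC 9449 and a client that has to retry before its first request succeeds. The proof is represented by its claims only; signature, `jti` replay and `iat` checks are assumed to run elsewhere, and the stateless HMAC nonce scheme is this example's own choice, not something the RFC mandates.

```python
import base64, hashlib, hmac, os, time

# Constructed server secret for this example; a deployment would use a managed key.
NONCE_KEY = os.urandom(32)
NONCE_TTL = 300  # seconds a server-issued nonce stays acceptable
TOKEN_URL = "https://as.example/token"  # assumed token endpoint URL


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def issue_nonce(now=None) -> str:
    """Stateless nonce = issue time + HMAC tag, so any replica can validate it."""
    ts = str(int(now or time.time())).encode()
    tag = hmac.new(NONCE_KEY, ts, hashlib.sha256).digest()[:16]
    return _b64(ts + b"." + tag)


def nonce_is_fresh(nonce, now=None) -> bool:
    """Accept only nonces we issued and that are within the TTL window."""
    try:
        raw = base64.urlsafe_b64decode(nonce + "=" * (-len(nonce) % 4))
        ts, tag = raw.rsplit(b".", 1)
        expected = hmac.new(NONCE_KEY, ts, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return False
        return 0 <= (now or time.time()) - int(ts) <= NONCE_TTL
    except (ValueError, TypeError):
        return False


def token_endpoint(proof_claims: dict, now=None):
    """Returns (status, body, headers) for the nonce part of DPoP proof validation."""
    if proof_claims.get("htm") != "POST" or proof_claims.get("htu") != TOKEN_URL:
        return 400, {"error": "invalid_dpop_proof"}, {}
    nonce = proof_claims.get("nonce")
    if not nonce or not nonce_is_fresh(nonce, now):
        # The friction point: the client learns the nonce only by first sending an
        # otherwise valid proof and being bounced with this challenge.
        return 400, {"error": "use_dpop_nonce"}, {"DPoP-Nonce": issue_nonce(now)}
    return 200, {"access_token": "constructed-token", "token_type": "DPoP"}, {}


def client_token_request(now=None):
    """Client loop: send a proof, and on use_dpop_nonce retry once with a fresh jti."""
    claims = {"htm": "POST", "htu": TOKEN_URL, "iat": int(now or time.time()),
              "jti": _b64(os.urandom(12))}
    status, body, headers = token_endpoint(claims, now)
    round_trips = 1
    if status == 400 and body.get("error") == "use_dpop_nonce":
        claims = dict(claims, nonce=headers["DPoP-Nonce"], jti=_b64(os.urandom(12)))
        status, body, headers = token_endpoint(claims, now)
        round_trips += 1
    return status, round_trips
```

Counting `round_trips` makes the cost visible: every fresh client pays an extra exchange before its first token, which is the behaviour the session proposes to improve.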

Christian Bormann is an architect for digital identity and cryptography, currently working for the German EU Digital Identity Wallet project. With an MSc in Computer Science from RWTH Aachen focused on distributed systems, his career has centered on digital innovation in IoT and distributed systems, particularly digital identity and privacy-enhancing technologies. He is actively involved in international standardization efforts to enable secure and interoperable digital wallets.