Closed
Labels
area/oidc (Indicates an issue on OIDC area), priority/important (Must be worked on very soon), release/26.4.0, team/core-clients
Description
DPoP has been a preview feature since Keycloak 23. The related epic for DPoP preview support is #21916.
This task is about promoting DPoP to supported. We can wait for feedback from the community if something is reported in Keycloak 23. We can also consider whether we should improve something (e.g. extract DPoP a bit more from the core classes and plug it in as an independent extension through client policies).
Discussion
#21916 (See the other discussions linked from this epic).
Tasks
- [DPoP] token_type on UserInfoEndpoint expects Bearer instead of DPoP #30181
- Support DPoP dynamically for all grant-types #30179
- Keycloak needs to return "invalid_request" from Token Endpoint if a token or refresh request lacks DPOP proof #34842
- Make sure DPoP is passing with official OIDC testsuite #31970
- Authorization Code Binding to a DPoP Key and DPoP with Pushed Authorization Requests #34990
- [DPoP] : /protocol/openid-connect/token throw error when DPOP feature not enabled on client #36261
- DPoP: Refresh token created with DPoP can be refreshed without proof #36475
- DPoP: User Info Endpoint authorization type mismatch #36476
- When calling the user info endpoint, the DPoP is not bound to the access token #38333
- Revise DPoP Codes - refactor retrieveDPoPHeaderIfPresent method #39761
- Add FAPI 2.0 + DPoP security profile as default profile of client policies #35441
- Make sure Keycloak endpoints have DPoP validation #33942
- Could the list of supported DPoP algorithms be dynamically retrieved? #42030
- Minor enhancements in the DPoP related codebase #42031
- Support EdDSA for DPoP #42286
- Incorrect scheme in the WWW-Authenticate when Authorization: DPoP used #42706
- Possibility to enforce authorization code binding to DPoP #42740
- DPoP: Allow to only DPoP-bind refresh tokens and still issue access tokens of type Bearer #26277
- Polishing of client switch on DPoP #42746
- DPoP: documentation update #42728
- Switch DPoP feature to supported #42032
Related
Optional tasks