This document defines an application-level sender-constraint mechanism for OAuth 2.0 access tokens and refresh tokens that can be applied when neither mTLS nor OAuth Token Binding are utilized. It achieves proof-of-possession using a public/private key pair.
Written in markdown for the mmark processor.
From the root of this repository, run

```
docker run -v `pwd`:/data danielfett/markdown2rfc main.md
```

(see https://github.com/oauthstuff/markdown2rfc), or compile directly using mmark and xml2rfc:

```
mmark main.md > draft.xml
xml2rfc --html draft.xml
```
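As an added example (not code from this draft repository or from the markdown2rfc project), a POSIX shell wrapper for the two build routes above; it assumes the source is `main.md`, that `xml2rfc --out` names the HTML file, and that the Docker image writes its output into the directory mounted at `/data`.

```shell
#!/bin/sh
# Added example, not part of the draft repository: wraps the two build routes
# from the README (local mmark + xml2rfc, or the danielfett/markdown2rfc image).
# Assumptions: the draft source is main.md; the Docker image writes its output
# into the directory mounted at /data (the README does not state this).
set -eu

# check_rfc_xml FILE: succeed only if FILE looks like RFC XML (has an <rfc root).
# Catches the case where mmark printed an error message instead of XML.
check_rfc_xml() {
    grep -q '<rfc' "$1"
}

# build_draft SRC OUTDIR: render SRC to OUTDIR/draft.xml and OUTDIR/draft.html.
# Returns 0 on success, 1 if SRC is missing, 2 if no toolchain is available,
# 3 if mmark did not produce RFC XML.
build_draft() {
    src="$1"
    outdir="$2"
    [ -f "$src" ] || { echo "source not found: $src" >&2; return 1; }
    mkdir -p "$outdir"
    if command -v mmark >/dev/null 2>&1 && command -v xml2rfc >/dev/null 2>&1; then
        # Local toolchain: mmark emits RFC XML on stdout, xml2rfc renders HTML.
        mmark "$src" > "$outdir/draft.xml"
        check_rfc_xml "$outdir/draft.xml" || {
            echo "mmark did not produce RFC XML, see $outdir/draft.xml" >&2
            return 3
        }
        xml2rfc --html --out "$outdir/draft.html" "$outdir/draft.xml"
    elif command -v docker >/dev/null 2>&1; then
        # Fallback: the README's container, run from the source's own directory.
        srcdir=$(cd "$(dirname "$src")" && pwd)
        docker run -v "$srcdir":/data danielfett/markdown2rfc "$(basename "$src")"
    else
        echo "need mmark and xml2rfc, or docker" >&2
        return 2
    fi
}

# Usage when run directly: sh build.sh main.md out
if [ "$#" -gt 0 ]; then
    build_draft "$1" "${2:-out}"
fi
```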