feat(DPoP): remove experimental flag, DPoP is now RFC9449

panva · panva · commit 89d133edf509 · 2023-09-08T08:44:21.000+02:00
diff --git a/README.md b/README.md
@@ -35,6 +35,7 @@ _Note that not all features are enabled by default, check the configuration sect
 - [`RFC9101` - OAuth 2.0 JWT-Secured Authorization Request (`JAR`)][jar]
 - [`RFC9126` - OAuth 2.0 Pushed Authorization Requests (`PAR`)][par]
 - [`RFC9207` - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response][iss-auth-resp]
+- [`RFC9449` - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)][dpop]
 - [Financial-grade API Security Profile 1.0 - Part 2: Advanced (`FAPI 1.0`)][fapi]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (`JARM`)][jarm]
 - [OIDC Client Initiated Backchannel Authentication Flow (`CIBA`)][ciba]
@@ -48,7 +49,6 @@ The following draft specifications are implemented by oidc-provider:
 
 - [JWT Response for OAuth Token Introspection - draft 10][jwt-introspection]
 - [Financial-grade API: Client Initiated Backchannel Authentication Profile (`FAPI-CIBA`) - Implementer's Draft 01][fapi-ciba]
-- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`) - draft 11][dpop]
 
 Updates to draft specification versions are released as MINOR library versions,
 if you utilize these specification implementations consider using the tilde `~` operator in your
@@ -129,7 +129,7 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a
 [jwt-introspection]: https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-10
 [sponsor-auth0]: https://a0.to/try-auth0
 [mtls]: https://www.rfc-editor.org/rfc/rfc8705.html
-[dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-11
+[dpop]: https://www.rfc-editor.org/rfc/rfc9449.html
 [resource-indicators]: https://www.rfc-editor.org/rfc/rfc8707.html
 [jarm]: https://openid.net/specs/oauth-v2-jarm.html
 [jwt-at]: https://www.rfc-editor.org/rfc/rfc9068.html
diff --git a/docs/README.md b/docs/README.md
@@ -850,12 +850,9 @@ _**default value**_:
 
 ### features.dPoP
 
-[draft-ietf-oauth-dpop-11](https://tools.ietf.org/html/draft-ietf-oauth-dpop-11) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)  
+[`RFC9449`](https://www.rfc-editor.org/rfc/rfc9449.html) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)  
 
-Enables `DPoP` - mechanism for sender-constraining tokens via a proof-of-possession mechanism on the application level. Browser DPoP proof generation [here](https://www.npmjs.com/package/dpop).   
-  
-
-_**recommendation**_: Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde `~` operator in your package.json since breaking changes may be introduced as part of these version updates. Alternatively, [acknowledge](#features) the version and be notified of breaking changes as part of your CI.  
+Enables `DPoP` - mechanism for sender-constraining tokens via a proof-of-possession mechanism on the application level. Browser DPoP proof generation [here](https://www.npmjs.com/package/dpop).  
 
 
 _**default value**_:
diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -872,17 +872,11 @@ function makeDefaults() {
       /*
        * features.dPoP
        *
-       * title: [draft-ietf-oauth-dpop-11](https://tools.ietf.org/html/draft-ietf-oauth-dpop-11) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)
+       * title: [`RFC9449`](https://www.rfc-editor.org/rfc/rfc9449.html) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)
        *
        * description: Enables `DPoP` - mechanism for sender-constraining tokens via a
        * proof-of-possession mechanism on the application level. Browser DPoP proof generation
        * [here](https://www.npmjs.com/package/dpop).
-       *
-       * recommendation: Updates to draft specification versions are released as MINOR library versions,
-       * if you utilize these specification implementations consider using the tilde `~` operator
-       * in your package.json since breaking changes may be introduced as part of these version
-       * updates. Alternatively, [acknowledge](#features) the version and be notified of breaking
-       * changes as part of your CI.
        */
       dPoP: {
         enabled: false,
diff --git a/lib/helpers/features.js b/lib/helpers/features.js
@@ -5,6 +5,7 @@ export const STABLE = new Set([
   'clientCredentials',
   'deviceFlow',
   'devInteractions',
+  'dPoP',
   'encryption',
   'fapi',
   'introspection',
@@ -22,12 +23,6 @@ export const STABLE = new Set([
 ]);
 
 export const DRAFTS = new Map(Object.entries({
-  dPoP: {
-    name: 'OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer - draft 11',
-    type: 'IETF OAuth Working Group draft',
-    url: 'https://tools.ietf.org/html/draft-ietf-oauth-dpop-11',
-    version: ['draft-11'],
-  },
   jwtIntrospection: {
     name: 'JWT Response for OAuth Token Introspection - draft 10',
     type: 'IETF OAuth Working Group draft',
