Skip to content

Integrate PoP Mechanism under OAuth 2.0#1991

Open
ZMelliti wants to merge 1 commit intoOWASP:masterfrom
ZMelliti:oauth2-cheat-sheet-pop
Open

Integrate PoP Mechanism under OAuth 2.0#1991
ZMelliti wants to merge 1 commit intoOWASP:masterfrom
ZMelliti:oauth2-cheat-sheet-pop

Conversation

@ZMelliti
Copy link
Contributor

@ZMelliti ZMelliti commented Feb 2, 2026
edited
Loading

This Pull Request updates the OAuth2 reference sheet, specifically adding and clarifying Proof of Possession (PoP) mechanisms and the DPoP/mTLS comparison. The changes maintain the original structure and aim to improve readability and alignment with current security best practices.

This PR fixes issue #1962

Please make sure that for your contribution:

  • In case of a new Cheat Sheet, you have used the Cheat Sheet template.
  • All the markdown files do not raise any validation policy violation, see the policy.
  • All the markdown files follow these format rules.
  • All your assets are stored in the assets folder.
  • All the images used are in the PNG format.
  • Any references to websites have been formatted as [TEXT](URL)
  • You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
  • The CI build of your PR pass, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR fixes issue #<REPLACE WITH ISSUE NUMBER>.

AI Tool Usage Disclosure (required for all PRs)

Please select one of the following options:

  • I have NOT used any AI tool to generate the contents of this PR.
  • I have used AI tools to generate the contents of this PR. I have verified
    the contents and I affirm the results. The LLM used is [llm name and version]
    and the prompt used is [your prompt here]. [Feel free to add more details if needed]

Thank you 😃

jmanico
jmanico previously approved these changes Feb 2, 2026
View reviewed changes
Copy link
Member

@jmanico jmanico left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice work

@mackowski mackowski requested a review from Copilot February 4, 2026 13:32
Copilot AI reviewed Feb 4, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances the OAuth 2.0 cheat sheet by integrating comprehensive guidance on Proof of Possession (PoP) token mechanisms, specifically DPoP and mTLS. The updates improve security guidance by explaining when and why to use sender-constrained tokens versus bearer tokens, providing practical implementation details and comparison.

Changes:

  • Added terminology definitions for bearer tokens and PoP tokens with detailed descriptions
  • Integrated a comprehensive comparison section for DPoP (RFC 9449) and mTLS (RFC 8705) mechanisms
  • Added "When to Use PoP Tokens" guidance section with specific use cases
  • Updated existing recommendations to reference PoP mechanisms where appropriate
  • Enhanced references section with additional RFCs

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ZMelliti ZMelliti force-pushed the oauth2-cheat-sheet-pop branch from 4d979a1 to 770958c Compare February 5, 2026 15:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jmanico jmanico jmanico left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ZMelliti @jmanico