Today the OAuth step up authentication challenge protocol becomes RFC9470. We now have an interoperable way for resource servers to tell clients when the authentication with which the current access token was obtained in insufficient and (crucially) allows the RS to express what requirements would be acceptable… and a way for clients to use that info to influence the next authentication ceremony with the authorization server. Both are obtained with ultrasimple primitives easily added to existing SDKs, achieving sophisticated runtime behaviors without the need for complex eventing systems. One unexpected benefit of this document is clarity we didn't know we needed. The discussion made clear that we all have different ideas and expectations about what step up authentication really means. The non normative sections of RFC9470 capture the salient point and outcomes of that discussion, hopefully facilitating communications and preempting common errors. On a personal note. This will be the last spec I drive from idea to RFC in my life, and I couldn't have had a better coauthor than @__b_c . From his world class competence to his encyclopedic knowledge of this space, but above all through his genuine desire for the best outcomes for everyone, Brian is just incredible and a joy to work with. Thank you for this wonderful last ride, dear friend.

OAuth 2.0 Demonstrating Proof of Possession (DPoP) is now RFC 9449 #IETF #OAuth #PoP #DPoP @__b_c @dfett42 @ve7jtb @tlodderstedt @dwaite @vibronet