DPoP (OAuth 2.0 Demonstrating Proof of Possession), defined in RFC 9449, cryptographically binds an access token to a key pair held by the client that requested it, addressing the core weakness of Bearer tokens: whoever holds a Bearer token can use it, whether it was obtained legitimately or stolen. The Codecov supply chain attack and the GitHub OAuth token leak are cited as real-world illustrations of that risk. With DPoP the client sends a signed proof JWT with every request; the proof carries the client's public key and claims that tie it to one HTTP method (htm), one target URL (htu) and, on resource requests, a hash of the access token (ath), plus a unique identifier (jti) and an issue time (iat), so a captured token is useless without the private key and a captured proof is useless for any other request. A working implementation is demonstrated with Keycloak 26.4 (which has built-in DPoP support) and Quarkus 3.32.2 with the quarkus-oidc extension. The tutorial covers configuring Keycloak to enforce DPoP, setting up protected REST endpoints, adding jti replay protection through a server-side filter (the htm, htu and iat claims alone do not stop the same proof being resent within its validity window), and exercising the full flow with k6, including happy-path and attack scenarios.

12 min read. From foojay.io
Table of contents
What is DPoP?
The Problem: Bearer Tokens and the "Finders Keepers" Risk
How Does DPoP Work?
Configuring DPoP in Keycloak
DPoP in Action with Quarkus
Conclusion