- Feature Request
- Resolution: Can't Do
- Major
- None
- 2.13.2 GA
- False
- None
- False
- Not Started
- Not Started
- Not Started
- Not Started
- Not Started
- Not Started

As part of the FAPI 2.0 specification [1], communication using the JWT Profile and DPoP [2] will also be FAPI compliant, in addition to the conventional mTLS support.
This is a request for 3scale to support DPoP, so that a banking system integrating with 3scale and RH-SSO can be FAPI 2.0 compliant by using DPoP and the JWT Profile, which is easier than using mTLS.
[1] https://openid.bitbucket.io/fapi/fapi-2_0-security-profile.html
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
5.3.1. Requirements for Authorization Servers
5.3.1.1. General Requirements
Authorization servers
1. shall distribute discovery metadata (such as the authorization endpoint) via the metadata document as specified in [OIDD] and [RFC8414];
2. shall reject requests using the resource owner password credentials grant or the implicit grant described in [RFC6749] or the hybrid flow as described in [OIDC];
3. shall support confidential clients as defined in [RFC6749];
4. shall only issue sender-constrained access tokens;
5. shall use one of the following methods for sender-constrained access tokens:
- MTLS as described in [RFC8705], or
- DPoP as described in [I-D.ietf-oauth-dpop]; <<<<<
6. shall authenticate clients using one of the following methods:
- MTLS as specified in Section 2 of [RFC8705], or
- private_key_jwt as specified in Section 9 of [OIDC];
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[2] https://datatracker.ietf.org/doc/rfc9449/