
Is there any sense in use of Authorization Code Binding To DPoP Key when client is confidential and uses PKCE?

Çağlar Arlı


This spec defines the DPoP mechanism to cryptographically bind access tokens. There is also a mention of authorization code binding.

But hey, do you see any sense in it? OK, it obviously is a way to prevent authorization code injection attacks, but PKCE does the same and is more lightweight.

What's more, the confidential client MUST be authenticated on Pushed Authorization and Token endpoints, so something like "binding to owner" also doesn't make any sense if PKCE is used.

But the FAPI2.0 Security Profile says that the authorization server:

if using DPoP, shall support "Authorization Code Binding to DPoP Key" (as required by section 10.1 of [I-D.ietf-oauth-dpop]).

We know that FAPI2.0 handles only confidential clients. Why do they require support for authorization code binding? Any pros of this approach?
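To make the two mechanisms being compared concrete, here is an added example (not part of the original question) of what an authorization server does at the token endpoint: verify the PKCE `code_verifier` against the stored `code_challenge` (RFC 7636, S256), and, when the client sent `dpop_jkt` at the authorization endpoint, compare it with the RFC 7638 thumbprint of the key presented in the DPoP proof (RFC 9449, section 10). The in-memory code store, client ids, JWK coordinates and the exact error strings returned are constructed for illustration; DPoP proof JWT validation and client authentication are assumed to have happened before these checks.

```python
"""Token-endpoint checks for PKCE (RFC 7636) and DPoP authorization code
binding via dpop_jkt (RFC 9449, section 10). Added example with constructed
data; error strings are this example's choice."""
import base64
import hashlib
import json
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for PKCE and JWK thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialized as JSON in lexicographic member order with no whitespace.
    For EC, RSA and OKP the required members already sort alphabetically."""
    required = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}
    subset = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(subset, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


class AuthorizationServer:
    """Minimal model of the state shared by the authorization and token endpoints."""

    def __init__(self) -> None:
        self.codes = {}  # authorization code -> values fixed when it was issued

    def issue_code(self, client_id: str, code_challenge: str,
                   dpop_jkt: Optional[str] = None) -> str:
        """Authorization endpoint: remember the PKCE challenge and, if the
        client sent dpop_jkt, the thumbprint of the key the code is bound to."""
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = {"client_id": client_id,
                            "code_challenge": code_challenge,
                            "dpop_jkt": dpop_jkt}
        return code

    def redeem_code(self, code: str, client_id: str, code_verifier: str,
                    dpop_proof_jwk: Optional[dict] = None) -> str:
        """Token endpoint: returns "ok" or an error code (strings assumed)."""
        record = self.codes.pop(code, None)  # a code is single use
        if record is None or record["client_id"] != client_id:
            return "invalid_grant"
        # PKCE: the redeemer must hold the verifier chosen when the flow began.
        if not secrets.compare_digest(pkce_challenge(code_verifier),
                                      record["code_challenge"]):
            return "invalid_grant"
        # Code binding to DPoP key: the key proven at the token endpoint must be
        # the one named by dpop_jkt at authorization time, so the access token
        # is bound to that key and no other.
        if record["dpop_jkt"] is not None:
            if dpop_proof_jwk is None:
                return "invalid_dpop_proof"
            if not secrets.compare_digest(jwk_thumbprint(dpop_proof_jwk),
                                          record["dpop_jkt"]):
                return "invalid_dpop_proof"
        return "ok"


# Constructed sample public keys: coordinates are filler, not real key pairs.
CLIENT_DPOP_JWK = {"kty": "EC", "crv": "P-256",
                   "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
OTHER_JWK = {"kty": "EC", "crv": "P-256",
             "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}


def demo() -> dict:
    """Run the flow once correctly, then with each binding violated in turn."""
    srv = AuthorizationServer()
    verifier = b64url(secrets.token_bytes(32))
    challenge = pkce_challenge(verifier)
    jkt = jwk_thumbprint(CLIENT_DPOP_JWK)
    results = {}
    code = srv.issue_code("client-a", challenge, jkt)
    results["happy_path"] = srv.redeem_code(code, "client-a", verifier, CLIENT_DPOP_JWK)
    results["replayed_code"] = srv.redeem_code(code, "client-a", verifier, CLIENT_DPOP_JWK)
    code = srv.issue_code("client-a", challenge, jkt)
    results["wrong_verifier"] = srv.redeem_code(code, "client-a", "not-the-verifier", CLIENT_DPOP_JWK)
    code = srv.issue_code("client-a", challenge, jkt)
    results["wrong_dpop_key"] = srv.redeem_code(code, "client-a", verifier, OTHER_JWK)
    code = srv.issue_code("client-a", challenge, None)  # client did not send dpop_jkt
    results["no_binding_requested"] = srv.redeem_code(code, "client-a", verifier, OTHER_JWK)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} {outcome}")
```

The last case in `demo()` is the one the question turns on: without `dpop_jkt`, PKCE alone accepts the redemption regardless of which DPoP key is presented, so the access token is bound to whatever key the redeemer proves at the token endpoint; with `dpop_jkt`, the server can only issue a token bound to the key fixed at the authorization endpoint.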