While the vast majority of deployments utilize bearer tokens, OAuth does have a rich and troubled history with proof-of-possession (PoP) tokens. The popular canon is that PoP was the reason OAuth 1.0 failed and WRAP abandoned it entirely. The original editor of the OAuth 2.0 spec publicly rage quit over lack of PoP support. Various subsequent standards efforts to add proof-of-possession to 2.0 by extension have stalled out (PoP Key Distribution + Signing HTTP Requests) or been effectively killed off by an unnamed huge search company that also makes a browser (Token Binding). A few efforts have seen more success and made it to RFC but are only partial solutions (PoP Key Semantics for JWTs) or are somewhat niche (MTLS). Recent efforts at rebooting the work (DPoP) garnered excitement among some but have also been met with resistance in the standards development community. It turns out that it’s hard. This session, part history class, part existential crisis, part technical examination, part workation photo slideshow, and part personal tragedy, will explore proof-of-possession in OAuth and endeavor to equip you with the knowledge to discern fact from fiction when it comes to cryptographic defenses against the use of stolen OAuth tokens. (Standards, Architecture & Deployment, Security, Authorization, Standards, Brian Campbell)