
alignment with OAuth 2 flows for 1P authorization servers

[Open] dickhardt opened this issue 10 months ago • 3 comments

It seems like it would be beneficial for the OAuth 2 pattern of separate access and refresh flows to fit into the DBSC pattern. In this separation, the policy of what the user is allowed to do is only evaluated on refresh, and the result is encoded in the access token, enabling the resources to only verify that the access token grants access to the resource.

In the cookie refresh flow in DBSC, the server would not only determine if the session is still authenticated, but if access is still authorized. I.e., the server would evaluate policy when refresh is called. This functionality in OAuth 2 is done at the token endpoint. For adoption of DBSC into OAuth 2 architectures, aligning the protocol with how the OAuth 2 endpoint works would simplify adoption.

I.e., having DBSC be only additional headers would prevent it from conflicting with OAuth 2, or having the JSON response be additive to the existing OAuth 2 token endpoint response.

This could lead to using device bound cookies for refreshing access tokens rather than a bearer or DPoP refresh flow, substantially improving 1P OAuth flows.

Happy to discuss in more detail if interested.

dickhardt, Apr 06 '24 08:04