Expected Behavior

It should be possible to customize the binding between refresh tokens and DPoP, so engineers can use any binding scheme.

Current Behavior

Currently, it is not possible to customize this. Only one scheme is supported: binding through the access_token.

Context

The DPoP RFC does not specify how to bind the refresh token to DPoP; instead, it leaves this decision to the authorization server.

Currently, I have an authorization server (not using the latest Spring Security version) with custom DPoP logic implemented. In my implementation, I store the DPoP thumbprint inside the refresh token, so I don't need to use the access token for the binding.

It would be very useful to be able to customize the binding (validation) process between DPoP and refresh tokens.
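The binding scheme the issue describes (the DPoP key's thumbprint stored inside the refresh token, checked again at refresh time instead of going through the access token), as an added stand-alone example. This is not code from the issue or from Spring Security: the refresh-token format (an HMAC-signed payload), the function names, the server key and the sample JWKs are all constructed for illustration. The thumbprint itself follows RFC 7638, which is what RFC 9449 carries as the `cnf.jkt` confirmation claim; verifying the DPoP proof JWT's signature, `htm`/`htu`, `iat` and `jti` replay is the proof validation proper and is assumed to have happened before this check runs.

```python
import base64
import hashlib
import hmac
import json

# Members RFC 7638 hashes for each key type; every other member (kid, alg, use, ...)
# is ignored, so the thumbprint is stable across differently annotated copies of a key.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, keys in lexicographic order,
    serialized with no whitespace. This is the value stored in cnf.jkt."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return _b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def issue_refresh_token(subject: str, dpop_jwk: dict, server_key: bytes) -> str:
    """Mint a refresh token that carries the DPoP key thumbprint in cnf.jkt.
    Token format is an assumption for this example: b64url(payload).b64url(HMAC-SHA256)."""
    claims = {"sub": subject, "cnf": {"jkt": jwk_thumbprint(dpop_jwk)}}
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(server_key, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(tag)}"


def validate_refresh(refresh_token: str, proof_jwk: dict, server_key: bytes) -> str:
    """Check the token's integrity, then that the public key in the DPoP proof presented
    with the refresh request matches the thumbprint bound at issuance.
    Returns the subject on success and raises ValueError on any failure."""
    try:
        payload_b64, tag_b64 = refresh_token.split(".")
        payload = _b64url_decode(payload_b64)
        tag = _b64url_decode(tag_b64)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("malformed refresh token") from exc
    expected_tag = hmac.new(server_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("refresh token integrity check failed")
    claims = json.loads(payload)
    bound_jkt = claims.get("cnf", {}).get("jkt")
    if not isinstance(bound_jkt, str):
        raise ValueError("refresh token is not DPoP-bound")
    presented_jkt = jwk_thumbprint(proof_jwk)
    if not hmac.compare_digest(bound_jkt.encode("ascii"), presented_jkt.encode("ascii")):
        raise ValueError("DPoP proof key does not match the key bound to the refresh token")
    return claims["sub"]


# Constructed sample material. The EC coordinates are filler bytes, not real curve points:
# only the key-binding logic is exercised here, not proof signature verification.
SERVER_KEY = b"constructed-server-side-hmac-key"
CLIENT_KEY = {"kty": "EC", "crv": "P-256", "x": _b64url(b"\x11" * 32), "y": _b64url(b"\x22" * 32),
              "kid": "client-1", "alg": "ES256"}
OTHER_KEY = {"kty": "EC", "crv": "P-256", "x": _b64url(b"\x33" * 32), "y": _b64url(b"\x44" * 32)}


if __name__ == "__main__":
    token = issue_refresh_token("user-1", CLIENT_KEY, SERVER_KEY)
    print("refresh with bound key:", validate_refresh(token, CLIENT_KEY, SERVER_KEY))
    try:
        validate_refresh(token, OTHER_KEY, SERVER_KEY)
    except ValueError as err:
        print("refresh with a different key:", err)
```

Because the thumbprint lives in the refresh token itself, the refresh endpoint needs nothing but the token and the proof to decide; the access-token-bound scheme the issue contrasts this with would instead have to look the binding up from the access token the refresh token was issued alongside.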

Comment From: jgrandja

@makcpopTwo

It would be very useful to be able to customize the binding (validation) process between DPoP and refresh tokens.

Can you provide an example configuration that would allow you to customize the validation?