This specification extends the proof-of-possession concept to the authorization grant itself. It defines a new grant type, urn:ietf:params:oauth:grant-type:jwt-dpop, for cases where the JWT assertion is already bound to a DPoP key. To exchange the assertion for an access token, the client must provide a DPoP proof demonstrating possession of the key to which the assertion is bound.

The OAuth folks are publishing drafts faster than I can read them.

Here's another one that I think will help with my crazy vision of "Fediverse-wide login".
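As an added example (not code from the draft or from this post), here is the check an authorization server would run before honoring the grant: verify the DPoP proof's signature with its embedded key, then compare that key's RFC 7638 thumbprint to the one the assertion is bound to. It assumes the binding is carried as a `cnf.jkt` claim as in RFC 9449, takes the assertion's claims as already verified, and leaves out `jti`/`iat` replay checks; the endpoint URL and function names are hypothetical.

```javascript
// Added example. Assumption: the assertion names its key as cnf.jkt (RFC 9449 style).
const nodeCrypto = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const parse = (part) => JSON.parse(Buffer.from(part, 'base64url').toString());

// RFC 7638 thumbprint of an EC public JWK: required members in lexicographic order.
function jwkThumbprint({ crv, kty, x, y }) {
  return nodeCrypto.createHash('sha256')
    .update(JSON.stringify({ crv, kty, x, y })).digest('base64url');
}

// Build a compact ES256 JWS (used here only to construct the sample proofs).
function signJws(header, payload, privateKey) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// True only if the proof verifies under its own jwk, targets this request, and matches cnf.jkt.
function proofMatchesAssertion(proofJws, assertionClaims, htm, htu) {
  try {
    const [h, p, s] = proofJws.split('.');
    const header = parse(h), claims = parse(p);
    if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256' || !header.jwk) return false;
    const pub = nodeCrypto.createPublicKey({ key: header.jwk, format: 'jwk' });
    const ok = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`),
      { key: pub, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
    if (!ok || claims.htm !== htm || claims.htu !== htu) return false;
    const expected = assertionClaims.cnf && assertionClaims.cnf.jkt;
    return typeof expected === 'string' && jwkThumbprint(header.jwk) === expected;
  } catch { return false; } // malformed proof or unusable key
}

// Constructed sample: two clients, one assertion bound to client A's key.
function demo() {
  const gen = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const a = gen(), b = gen();
  const url = 'https://as.example/token'; // hypothetical token endpoint
  const proof = (k) => signJws(
    { typ: 'dpop+jwt', alg: 'ES256', jwk: k.publicKey.export({ format: 'jwk' }) },
    { jti: nodeCrypto.randomUUID(), htm: 'POST', htu: url, iat: Math.floor(Date.now() / 1000) },
    k.privateKey);
  const assertion = { cnf: { jkt: jwkThumbprint(a.publicKey.export({ format: 'jwk' })) } };
  const check = (k) => proofMatchesAssertion(proof(k), assertion, 'POST', url);
  return { holder: check(a), otherKey: check(b) };
}
```

A proof signed with any key other than the bound one is validly signed but still rejected, which is what makes a copied assertion useless without the private key.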