In preparation for https://github.com/spring-projects/spring-security/issues/14915, I'm wondering if there's any chance that DPoP and DPoP-Nonce could be added to org.springframework.http.HttpHeaders as static constants? They are headers defined by RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP) - Section 12.8.

On the other hand, it doesn't look as though new constants are added to this class very often, so maybe that's just something we don't do anymore? 😄

Comment From: bclozel

Thanks for the proposal, but I think that the situation is quite close to #33754 for the MediaType class. I think Spring Security supports quite a few headers already, like X-Content-Type-Options, which are not listed in HttpHeaders. I think we should remain consistent and not add DPoP as a result.

Comment From: ThomasKasene

Thanks for the reply. I suspected it would be something like this, and it makes sense 😃 Although, maybe a similar treatment as the one you outlined in this comment would be nice for HttpHeaders's Javadoc too, for clarity's sake?

Comment From: bclozel

Sure, I'm repurposing this issue for this. Thanks!