OAuth 2.0 Proof-of-Possession

[Sequence diagram. Participants: Client, Resource Server, AM]

Obtain Access Token
1. Request access token and include a JWK
2. Return JWT with embedded JWK (stateless) or access token ID (stateful)

Access a Resource
3. Present JWT / access token ID
4. Resource Server, if stateful: introspect access token ID to acquire JWK

Challenge-Response
5. Create a challenge using the JWK
6. Issue challenge
7. Solve the challenge using the private key
8. Issue response

Validate response and allow or deny access to the resource.
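
The challenge-response part of the flow (steps 5 to 8), as an added Go example that is not taken from the original page or from AM. The page does not say how the challenge is built; this sketch assumes an RSA JWK and a challenge that is a random nonce encrypted to that key with RSA-OAEP, and all type and function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"math/big"
)

type JWK struct{ Kty, N, E string } // public RSA members sent with the token request (step 1)

// NewClientKey makes the client's key pair; the private half never leaves the client.
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ToJWK exports the public key as base64url-encoded JWK members.
func ToJWK(pub *rsa.PublicKey) JWK {
	enc := base64.RawURLEncoding.EncodeToString
	return JWK{"RSA", enc(pub.N.Bytes()), enc(big.NewInt(int64(pub.E)).Bytes())}
}

// NewChallenge (steps 5-6, assumed scheme): rebuild the key from the JWK, encrypt a fresh nonce to it.
func NewChallenge(j JWK) (nonce, challenge []byte, err error) {
	n, errN := base64.RawURLEncoding.DecodeString(j.N)
	e, errE := base64.RawURLEncoding.DecodeString(j.E)
	if j.Kty != "RSA" || errN != nil || errE != nil || len(n) < 256 {
		return nil, nil, fmt.Errorf("unsupported or malformed JWK")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	nonce = make([]byte, 32)
	if _, err = rand.Read(nonce); err == nil {
		challenge, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, nonce, nil)
	}
	return nonce, challenge, err
}

// Solve (steps 7-8): only the holder of the matching private key can recover the nonce.
func Solve(priv *rsa.PrivateKey, c []byte) ([]byte, error) { return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c, nil) }

// Validate compares the response with the server-side nonce in constant time.
func Validate(nonce, response []byte) bool { return subtle.ConstantTimeCompare(nonce, response) == 1 }

func main() {
	priv, _ := NewClientKey()
	nonce, challenge, _ := NewChallenge(ToJWK(&priv.PublicKey))
	response, _ := Solve(priv, challenge)
	fmt.Println("access allowed:", Validate(nonce, response))
}
```

The resource server should treat each nonce as single-use and expire it quickly, so a captured response cannot be replayed.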