update DPoP to an updated draft #406

Closed
2 tasks done
bifurcation opened this issue Sep 20, 2021 · 2 comments · Fixed by #407

Comments

bifurcation (Contributor) commented Sep 20, 2021

Describe the bug
I attempted to create a simple client/server example of DPoP usage, using node-openid-client and node-oidc-provider. The client logs in using DPoP, then attempts to fetch userinfo. The userinfo request fails with invalid_token (invalid DPoP key binding). Looking into the server side more closely, it appears that the userinfo request does have a DPoP signature, but it is missing the ath field. According to draft-03 of DPoP, it seems like this field is required "[w]hen the DPoP proof is used in conjunction with the presentation of an access token", so the server's interpretation is correct here.

So I think what is needed here is to extend the call to dpopProof() in the request() method so that it populates the ath parameter in the DPoP payload when the request is made with an access token.

To Reproduce

Provider and client JS code provided in this gist. The scripts depend on a few modules, and assume that the domain names oidc-client.invalid and oidc-provider.invalid are mapped to localhost in /etc/hosts or equivalent.

Steps to reproduce the behaviour:

  1. In one window: node server.js
  2. In another window: NODE_TLS_REJECT_UNAUTHORIZED=0 node client.js
  3. Observe error reported in client window.

Expected behaviour
The client.js script prints a set of claims returned by the provider.

Environment:

  • openid-client version: 4.8.0
  • oidc-provider version: 7.8.0
  • node version: v14.17.0

Additional context

  • the bug is happening on latest openid-client too.
  • I have searched the issues tracker on GitHub for similar issues and couldn't find anything related.
panva (Owner) commented Sep 20, 2021

For the record, there's no need for these two libraries to interoperate all the time. openid-client simply implemented draft-01 that it also linked to from the readme.

@panva panva changed the title DPoP fails to interoperate with node-oidc-provider update DPoP to an updated draft Sep 20, 2021
panva added a commit that referenced this issue Sep 20, 2021
Resolves #406 

Co-authored-by: Richard L. Barnes <richbarn@cisco.com>
Co-authored-by: Filip Skokan <panva.ip@gmail.com>
bifurcation (Contributor, Author) commented:

Ah, sorry, I missed in the documentation that this library was still on draft-01. In any case, thanks for the quick action!

@github-actions github-actions bot locked and limited conversation to collaborators Dec 20, 2021