Describe the bug
I attempted to create a simple client/server example of DPoP usage, using node-openid-client and node-oidc-provider. The client logs in using DPoP, then attempts to fetch userinfo. The userinfo request fails with invalid_token (invalid DPoP key binding). Looking into the server side more closely, it appears that the userinfo request does have a DPoP signature, but it is missing the ath field. According to draft-03 of DPoP, it seems like this field is required "[w]hen the DPoP proof is used in conjunction with the presentation of an access token", so the server's interpretation is correct here.
So I think what is needed here is to extend the call to dpopProof() in the request() method so that it populates the ath parameter in the DPoP payload when the request is made with an access token.
To Reproduce
Provider and client JS code provided in this gist. The scripts depend on a few modules, and assume that the domain names oidc-client.invalid and oidc-provider.invalid are mapped to localhost in /etc/hosts or equivalent.
Steps to reproduce the behaviour:
In one window: node server.js
In another window: NODE_TLS_REJECT_UNAUTHORIZED=0 node client.js
Observe error reported in client window.
Expected behaviour
The client.js script prints a set of claims returned by the provider.
Environment:
openid-client version: 4.8.0
oidc-provider version: 7.8.0
node version: v14.17.0
Additional context
The bug is happening on the latest openid-client too.
I have searched the issue tracker on GitHub for similar issues and couldn't find anything related.
For the record, there's no need for these two libraries to interoperate all the time. openid-client simply implemented draft-01 that it also linked to from the readme.