Unable to generate DPoP bound access token using curity server.
I have tried to generate a DPoP-bound JWT using Curity. For this, I set up a client with the code flow and selected the openid scope. When sending the request to the token endpoint I added a DPoP header with a valid DPoP proof, but the generated access token didn't have a cnf claim. Can anyone guide me?
Currently DPoP is only supported for Hypermedia Authentication API (HAAPI) clients. One of the reasons for that is the server-side difficulty for APIs, from section 11.1 of the specification.
VALIDATING DPOP PROOFS
The spec says this, which means in practice that there will be clock skew errors between clients and servers:
To resolve that, the spec says this, which means in practice that APIs must maintain a backend database with nonce and expiry details.
YOUR USE CASE?
If you can let me know your use case and requirements I may be able to recommend an alternative solution that meets the same goals. For example, using HTTP-only cookies to harden web applications or attestation to harden mobile applications.
TOKEN PROCEDURES
If you still decide to use DPoP you could set the cnf claim in a token procedure. The logic would look something like this:
// Sketch of a token procedure (Nashorn JavaScript). The DPoP proof carries the
// client's public key in its 'jwk' header; the token's cnf.jkt must hold the
// RFC 7638 thumbprint of that key, base64url-encoded without padding.
var dpop = context.request.getFormParameter('dpop');
var publicKey = deserializeAndGetPublicKey(dpop); // helper (not shown): parse the proof and return its 'jwk' header as an object
var md = Java.type('java.security.MessageDigest');
var instance = md.getInstance('SHA-256');
// Canonical JWK for an EC key: only the required members, in lexicographic order, no whitespace
var canonicalJwk = JSON.stringify({ crv: publicKey.crv, kty: publicKey.kty, x: publicKey.x, y: publicKey.y });
var digest = instance.digest(new java.lang.String(canonicalJwk).getBytes('UTF-8'));
accessTokenData.cnf = { jkt: Java.type('java.util.Base64').getUrlEncoder().withoutPadding().encodeToString(digest) };