feat: bump DPoP to draft-11

Author: panva

README.md

@@ -49,7 +49,7 @@ The following draft specifications are implemented by oidc-provider:
 
 - [JWT Response for OAuth Token Introspection - draft 10][jwt-introspection]
 - [Financial-grade API: Client Initiated Backchannel Authentication Profile (FAPI-CIBA) - Implementer's Draft 01][fapi-ciba]
-- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 03][dpop]
+- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) - draft 11][dpop]
 
 Updates to draft specification versions are released as MINOR library versions,
 if you utilize these specification implementations consider using the tilde `~` operator in your
@@ -139,7 +139,7 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a
 [jwt-introspection]: https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-10
 [sponsor-auth0]: https://a0.to/try-auth0
 [mtls]: https://www.rfc-editor.org/rfc/rfc8705.html
-[dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-03
+[dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-11
 [resource-indicators]: https://www.rfc-editor.org/rfc/rfc8707.html
 [jarm]: https://openid.net/specs/oauth-v2-jarm.html
 [jwt-at]: https://www.rfc-editor.org/rfc/rfc9068.html

docs/README.md

@@ -848,9 +848,9 @@ _**default value**_:
 
 ### features.dPoP
 
-[draft-ietf-oauth-dpop-03](https://tools.ietf.org/html/draft-ietf-oauth-dpop-03) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)  
+[draft-ietf-oauth-dpop-11](https://tools.ietf.org/html/draft-ietf-oauth-dpop-11) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)  
 
-Enables `DPoP` - mechanism for sender-constraining tokens via a proof-of-possession mechanism on the application level. Browser DPoP Proof generation [here](https://www.npmjs.com/package/dpop).   
+Enables `DPoP` - mechanism for sender-constraining tokens via a proof-of-possession mechanism on the application level. Browser DPoP proof generation [here](https://www.npmjs.com/package/dpop).   
 
 
 _**recommendation**_: Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde `~` operator in your package.json since breaking changes may be introduced as part of these version updates. Alternatively, [acknowledge](#features) the version and be notified of breaking changes as part of your CI.  
@@ -860,8 +860,7 @@ _**default value**_:
 ```js
 {
   ack: undefined,
-  enabled: false,
-  iatTolerance: 60
+  enabled: false
 }
 ```
 
@@ -3092,7 +3091,7 @@ _**default value**_:
 
 ### enabledJWA.dPoPSigningAlgValues
 
-JWS "alg" Algorithm values the provider supports to verify signed DPoP Proof JWTs with   
+JWS "alg" Algorithm values the provider supports to verify signed DPoP proof JWTs with   
 
 
 

lib/actions/authorization/check_dpop_jkt.js

@@ -0,0 +1,33 @@
+const { InvalidRequest } = require('../../helpers/errors');
+const dpopValidate = require('../../helpers/validate_dpop');
+const epochTime = require('../../helpers/epoch_time');
+
+/*
+ * Validates dpop_jkt equals the used DPoP proof thumbprint
+ * when provided, otherwise defaults dpop_jkt to it.
+ *
+ * @throws: invalid_request
+ */
+module.exports = async function checkDpopJkt(ctx, next) {
+  const { params } = ctx.oidc;
+
+  const dPoP = await dpopValidate(ctx);
+  if (dPoP) {
+    const { ReplayDetection } = ctx.oidc.provider;
+    const unique = await ReplayDetection.unique(
+      ctx.oidc.client.clientId,
+      dPoP.jti,
+      epochTime() + 60,
+    );
+
+    ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected'));
+
+    if (params.dpop_jkt && params.dpop_jkt !== dPoP.thumbprint) {
+      throw new InvalidRequest('DPoP proof key thumbprint does not match dpop_jkt');
+    } else if (!params.dpop_jkt) {
+      params.dpop_jkt = dPoP.thumbprint;
+    }
+  }
+
+  return next();
+};

lib/actions/authorization/index.js

@@ -51,6 +51,7 @@ const cibaLoadAccount = require('./ciba_load_account');
 const checkRequestedExpiry = require('./check_requested_expiry');
 const backchannelRequestResponse = require('./backchannel_request_response');
 const checkCibaContext = require('./check_ciba_context');
+const checkDpopJkt = require('./check_dpop_jkt');
 
 const A = 'authorization';
 const R = 'resume';
@@ -68,6 +69,7 @@ module.exports = function authorizationAction(provider, endpoint) {
   const {
     features: {
       claimsParameter,
+      dPoP,
       resourceIndicators,
       webMessageResponseMode,
     },
@@ -113,6 +115,10 @@ module.exports = function authorizationAction(provider, endpoint) {
     allowList.add('requested_expiry');
   }
 
+  if (dPoP && [A, R, PAR].includes(endpoint)) {
+    allowList.add('dpop_jkt');
+  }
+
   const stack = [];
 
   const use = (middleware, ...only) => {
@@ -169,6 +175,7 @@ module.exports = function authorizationAction(provider, endpoint) {
   use(() => checkRequestedExpiry,                                                  BA);
   use(() => checkCibaContext,                                                      BA);
   use(() => checkIdTokenHint,                               A, DA,            PAR    );
+  use(() => checkDpopJkt,                                                     PAR    );
   use(() => interactionEmit,                                     A,     R, CV, DR    );
   use(() => assignClaims,                                   A,     R, CV, DR,      BA);
   use(() => cibaLoadAccount,                                                       BA);

lib/actions/authorization/process_request_object.js

@@ -275,5 +275,9 @@ module.exports = async function processRequestObject(PARAM_LIST, rejectDupesMidd
     default:
   }
 
+  if (pushedRequestObject && ctx.oidc.entities.PushedAuthorizationRequest.dpopJkt) {
+    params.dpop_jkt = ctx.oidc.entities.PushedAuthorizationRequest.dpopJkt;
+  }
+
   return next();
 };

lib/actions/authorization/process_response_types.js

@@ -84,6 +84,7 @@ async function codeHandler(ctx) {
     resource: Object.keys(ctx.oidc.resourceServers),
     scope: [...scopeSet].join(' '),
     sessionUid: ctx.oidc.session.uid,
+    dpopJkt: ctx.oidc.params.dpop_jkt,
   });
 
   if (Object.keys(code.claims).length === 0) {

lib/actions/authorization/pushed_authorization_request_response.js

@@ -9,15 +9,17 @@ const MAX_TTL = 60;
 module.exports = async function pushedAuthorizationRequestResponse(ctx, next) {
   let request;
   let ttl;
+  let dpopJkt;
   const now = epochTime();
   if (ctx.oidc.body.request) {
     ({ request } = ctx.oidc.body);
-    const { payload: { exp } } = JWT.decode(request);
+    const { payload: { exp, dpop_jkt: thumbprint } } = JWT.decode(request);
     ttl = exp - now;
 
     if (!Number.isInteger(ttl) || ttl > MAX_TTL) {
       ttl = MAX_TTL;
     }
+    dpopJkt = thumbprint || ctx.oidc.params.dpop_jkt;
   } else {
     ttl = MAX_TTL;
     request = new UnsecuredJWT({ ...ctx.oidc.params })
@@ -27,9 +29,10 @@ module.exports = async function pushedAuthorizationRequestResponse(ctx, next) {
       .setExpirationTime(now + MAX_TTL)
       .setNotBefore(now)
       .encode();
+    dpopJkt = ctx.oidc.params.dpop_jkt;
   }
 
-  const requestObject = new ctx.oidc.provider.PushedAuthorizationRequest({ request });
+  const requestObject = new ctx.oidc.provider.PushedAuthorizationRequest({ request, dpopJkt });
 
   const id = await requestObject.save(ttl);
 

lib/actions/grants/authorization_code.js

@@ -6,6 +6,7 @@ const revoke = require('../../helpers/revoke');
 const filterClaims = require('../../helpers/filter_claims');
 const dpopValidate = require('../../helpers/validate_dpop');
 const resolveResource = require('../../helpers/resolve_resource');
+const epochTime = require('../../helpers/epoch_time');
 
 const gty = 'authorization_code';
 
@@ -16,7 +17,6 @@ module.exports.handler = async function authorizationCodeHandler(ctx, next) {
     conformIdTokenClaims,
     features: {
       userinfo,
-      dPoP: { iatTolerance },
       mTLS: { getCertificate },
       resourceIndicators,
     },
@@ -32,6 +32,8 @@ module.exports.handler = async function authorizationCodeHandler(ctx, next) {
 
   presence(ctx, 'code', 'redirect_uri');
 
+  const dPoP = await dpopValidate(ctx);
+
   const code = await ctx.oidc.provider.AuthorizationCode.find(ctx.oidc.params.code, {
     ignoreExpiration: true,
   });
@@ -70,6 +72,10 @@ module.exports.handler = async function authorizationCodeHandler(ctx, next) {
     }
   }
 
+  if (!dPoP && ctx.oidc.client.dpopBoundAccessTokens) {
+    throw new InvalidGrant('DPoP proof JWT not provided');
+  }
+
   if (grant.clientId !== ctx.oidc.client.clientId) {
     throw new InvalidGrant('client mismatch');
   }
@@ -118,16 +124,22 @@ module.exports.handler = async function authorizationCodeHandler(ctx, next) {
     at.setThumbprint('x5t', cert);
   }
 
-  const dPoP = await dpopValidate(ctx);
+  if (code.dpopJkt && !dPoP) {
+    throw new InvalidGrant('missing DPoP proof JWT');
+  }
 
   if (dPoP) {
     const unique = await ReplayDetection.unique(
       ctx.oidc.client.clientId,
       dPoP.jti,
-      dPoP.iat + iatTolerance,
+      epochTime() + 60,
     );
 
-    ctx.assert(unique, new InvalidGrant('DPoP Token Replay detected'));
+    ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+
+    if (code.dpopJkt && code.dpopJkt !== dPoP.thumbprint) {
+      throw new InvalidGrant('DPoP proof key thumbprint does not match dpop_jkt');
+    }
 
     at.setThumbprint('jkt', dPoP.thumbprint);
   }
@@ -172,7 +184,7 @@ module.exports.handler = async function authorizationCodeHandler(ctx, next) {
         rt.jkt = at.jkt;
       }
 
-      if (ctx.oidc.client.tlsClientCertificateBoundAccessTokens) {
+      if (at['x5t#S256']) {
         rt['x5t#S256'] = at['x5t#S256'];
       }
     }

lib/actions/grants/ciba.js

@@ -7,6 +7,7 @@ const filterClaims = require('../../helpers/filter_claims');
 const revoke = require('../../helpers/revoke');
 const dpopValidate = require('../../helpers/validate_dpop');
 const resolveResource = require('../../helpers/resolve_resource');
+const epochTime = require('../../helpers/epoch_time');
 
 const {
   AuthorizationPending,
@@ -24,12 +25,13 @@ module.exports.handler = async function cibaHandler(ctx, next) {
     conformIdTokenClaims,
     features: {
       userinfo,
-      dPoP: { iatTolerance },
       mTLS: { getCertificate },
       resourceIndicators,
     },
   } = instance(ctx.oidc.provider).configuration();
 
+  const dPoP = await dpopValidate(ctx);
+
   const request = await ctx.oidc.provider.BackchannelAuthenticationRequest.find(
     ctx.oidc.params.auth_req_id,
     { ignoreExpiration: true },
@@ -51,6 +53,10 @@ module.exports.handler = async function cibaHandler(ctx, next) {
     }
   }
 
+  if (!dPoP && ctx.oidc.client.dpopBoundAccessTokens) {
+    throw new InvalidGrant('DPoP proof JWT not provided');
+  }
+
   if (request.isExpired) {
     throw new ExpiredToken('backchannel authentication request is expired');
   }
@@ -123,16 +129,14 @@ module.exports.handler = async function cibaHandler(ctx, next) {
     at.setThumbprint('x5t', cert);
   }
 
-  const dPoP = await dpopValidate(ctx);
-
   if (dPoP) {
     const unique = await ReplayDetection.unique(
       ctx.oidc.client.clientId,
       dPoP.jti,
-      dPoP.iat + iatTolerance,
+      epochTime() + 60,
     );
 
-    ctx.assert(unique, new InvalidGrant('DPoP Token Replay detected'));
+    ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
 
     at.setThumbprint('jkt', dPoP.thumbprint);
   }
@@ -177,7 +181,7 @@ module.exports.handler = async function cibaHandler(ctx, next) {
         rt.jkt = at.jkt;
       }
 
-      if (ctx.oidc.client.tlsClientCertificateBoundAccessTokens) {
+      if (at['x5t#S256']) {
         rt['x5t#S256'] = at['x5t#S256'];
       }
     }

lib/actions/grants/client_credentials.js

@@ -2,18 +2,20 @@ const instance = require('../../helpers/weak_cache');
 const { InvalidGrant, InvalidTarget, InvalidScope } = require('../../helpers/errors');
 const dpopValidate = require('../../helpers/validate_dpop');
 const checkResource = require('../../shared/check_resource');
+const epochTime = require('../../helpers/epoch_time');
 
 module.exports.handler = async function clientCredentialsHandler(ctx, next) {
   const { client } = ctx.oidc;
   const { ClientCredentials, ReplayDetection } = ctx.oidc.provider;
   const {
     features: {
-      dPoP: { iatTolerance },
       mTLS: { getCertificate },
     },
     scopes: statics,
   } = instance(ctx.oidc.provider).configuration();
 
+  const dPoP = await dpopValidate(ctx);
+
   await checkResource(ctx, () => {});
 
   const scopes = ctx.oidc.params.scope ? [...new Set(ctx.oidc.params.scope.split(' '))] : [];
@@ -51,14 +53,14 @@ module.exports.handler = async function clientCredentialsHandler(ctx, next) {
     token.setThumbprint('x5t', cert);
   }
 
-  const dPoP = await dpopValidate(ctx);
-
   if (dPoP) {
-    const unique = await ReplayDetection.unique(client.clientId, dPoP.jti, dPoP.iat + iatTolerance);
+    const unique = await ReplayDetection.unique(client.clientId, dPoP.jti, epochTime() + 60);
 
-    ctx.assert(unique, new InvalidGrant('DPoP Token Replay detected'));
+    ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
 
     token.setThumbprint('jkt', dPoP.thumbprint);
+  } else if (ctx.oidc.client.dpopBoundAccessTokens) {
+    throw new InvalidGrant('DPoP proof JWT not provided');
   }
 
   ctx.oidc.entity('ClientCredentials', token);