Support binding of authorization codes to dpop proof key via dpop header#1974
Merged: josephdecock merged 9 commits into main (Apr 25, 2025)
Conversation

bhazen reviewed on Apr 24, 2025, with comments on:
- identity-server/src/IdentityServer/Validation/Default/PushedAuthorizationRequestValidator.cs
- ...test/IdentityServer.IntegrationTests/Endpoints/Token/DPoPPushedAuthorizationEndpointTests.cs

bhazen approved these changes on Apr 25, 2025
- Add `DPoPProofToken` to validation context
- Populate with value of DPoP http header in requests to PAR endpoint
- Return invalid_request error if multiple DPoP headers passed to PAR
Many of the existing tests make an authorize request and then exchange the code for a token. We have similar use cases, and some additional validation, when using PAR. Refactoring the existing tests will facilitate reuse in the PAR case.
Done
- Header is parsed, validated, and authorization code will be bound to the proof's key
- Content length restrictions enforced
- Duplicate headers disallowed
- Mismatch between jwk in header value and jkt in parameter if both are passed disallowed

To Do
- Support for use_dpop_nonce response
5c8437a to 9e96a77
This PR adds support for the DPoP header at the PAR endpoint.
The DPoP header at the PAR endpoint is used to bind authorization codes to the client's DPoP key. This can also be done by (and we already support) passing the dpop_jkt parameter.
This change improves our support for RFC 9449, as accepting the DPoP header is a requirement for compliance now that we implement PAR (section 10.1). We also now enforce the rule that if both the header and the dpop_jkt parameter are passed, they must be consistent.
This PR also significantly refactors the existing DPoP integration tests to make them easier to read and reuse. Most behaviors are the same whether authorize parameters are pushed or not, and either or both of the DPoP binding mechanisms can be used with PAR, so we want to run through most of those tests in several ways.
This PR updates our error responses to consistently return "use_dpop_nonce" as the error when a request fails and needs a new nonce, even if an invalid or expired nonce was passed.
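As an added illustration of the PAR-side binding rules described above (example code, not code from this PR or from IdentityServer), the snippet below derives the RFC 7638 thumbprint of the jwk carried in the DPoP proof header, rejects duplicate DPoP headers, and rejects a dpop_jkt that disagrees with the header's key. The sample key, the PAR URL, the length cap and the error code returned for a mismatch are assumptions; signature and nonce validation of the proof are left to the regular DPoP validator.

```python
import base64
import hashlib
import json
from typing import List, Optional, Tuple

SAMPLE_JWK = {"kty": "EC", "crv": "P-256",  # constructed sample; coordinates are placeholders, not a real key
              "x": "WKn-ZIGevcwGIyyrzFoZNBdaq9_TsqzGl96oc0CWuis",
              "y": "y77As5vbZdIHOcKa0D1Cf6b9PP0mHiyRs8LVt5LyhNs"}
MAX_PROOF_LENGTH = 4000  # assumed cap standing in for the PR's content-length restriction

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())

def make_dpop_proof(jwk: dict) -> str:
    """Build a DPoP proof JWT around the sample key; the signature segment is a placeholder."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    payload = {"htm": "POST", "htu": "https://issuer.example/connect/par", "jti": "jti-1", "iat": 1745539200}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    return ".".join(parts + ["placeholder-signature"])

def bind_par_request(dpop_headers: List[str], dpop_jkt: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (jkt the authorization code is bound to, error code). Signature, htm/htu, iat and
    nonce checks belong to the regular DPoP proof validator and are omitted here."""
    if len(dpop_headers) > 1:
        return None, "invalid_request"  # duplicate DPoP headers are rejected
    if not dpop_headers:
        return dpop_jkt, None  # no header: dpop_jkt alone (or nothing) binds the code
    proof = dpop_headers[0]
    if len(proof) > MAX_PROOF_LENGTH:
        return None, "invalid_request"
    try:
        header = json.loads(b64url_decode(proof.split(".")[0]))
        jwk = header["jwk"]
    except (ValueError, KeyError, TypeError):
        return None, "invalid_dpop_proof"
    if header.get("typ") != "dpop+jwt":
        return None, "invalid_dpop_proof"
    jkt = jwk_thumbprint(jwk)
    if dpop_jkt is not None and dpop_jkt != jkt:
        return None, "invalid_request"  # header key and dpop_jkt disagree (error code assumed)
    return jkt, None
```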