Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DPoP support in CAMARA OIDC Profile #125

Open
gmuratk opened this issue Feb 19, 2024 · 3 comments
Open

DPoP support in CAMARA OIDC Profile #125

gmuratk opened this issue Feb 19, 2024 · 3 comments
Labels
enhancement New feature or request ICM-Backlog spring25-candidate

Comments

@gmuratk
Copy link
Collaborator

gmuratk commented Feb 19, 2024

Problem description

Based on the December 20, 2023 presentation by OIDF, FAPI 2.0 is identified to be a good starting point for CAMARA OIDC profile. FAPI 2.0 lists a general requirement that states "Authorization servers shall use only issue sender-constrained access token" and further defines two methods as options to choose from including DPoP [RFC9449].

Currently there DPoP is not listed in the feature list for the CAMARA OIDC profile(s) proposed by #113 or #121.

Possible evolution

Add statements to the CAMARA OIDC profile that states "some carrier(s) MAY require some extensions like DPOP."
Normative examples should be included both a DPoP on the token request and a cnf binding to a key in the access_token issued.

Alternative solution

Additional context

As this is an important feature, it should be addressed in the next version of the OIDC profile and I&CM release, prior to a CAMARA wide release.
@gmuratk gmuratk added the enhancement New feature or request label Feb 19, 2024
@gmuratk
Copy link
Collaborator Author

gmuratk commented Feb 19, 2024

cc: @mengan

@gmuratk gmuratk mentioned this issue Feb 19, 2024
Closed
@AxelNennker
Copy link
Collaborator

some carrier(s) MAY require some extensions like DPOP.

Some API providers requiring DPoP might lead to problems for Clients if one API provider requires it but another does not support DPoP.

In DT's original proposal I wrote that AZ MUST support DPoP and that Clients MAY use it.

If in one market e.g. US all API providers support sender-constraint assertions and they are implemented using DPoP, then I think we could require that the AZ MUST implement DPoP. It is also a business decision whether or not requiring DPoP support by Clients.

Currently not enough AZ implementations in the Camara ecosystem implement DPoP and not enough API providers as well.

I would be happy to require DPoP support by AZ. That is the first step that needs to be done, if we want better security by sender-constraint assertions implemented by DPoP.

@dpostnikov
Copy link

It depends on the range of use cases / clients that you need to support.

If sender constrained tokes are mandatory (just like in FAPI 2), then you have 2 implementation options MTLS or DPoP. You can either mandate both options to the Authorization Servers or one of them. If you allow both MTLS and DPoP than clients would choose which one to use.

AxelNennker added a commit to AxelNennker/IdentityAndConsentManagement that referenced this issue Feb 27, 2024
@AxelNennker @sfnuser
remove DPop reference. DPoP is tabled for now. See camaraproject#125
87052eb 
Co-authored-by: Ramesh Shanmugasundaram - Spry Fox Networks <90850565+sfnuser@users.noreply.github.com>
@murthygorty murthygorty mentioned this issue Aug 30, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request ICM-Backlog spring25-candidate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jpengar @AxelNennker @dpostnikov @gmuratk