Skip to content

Fix DPoP Proof Generation #782

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Apr 11, 2025
Merged

Fix DPoP Proof Generation #782

merged 6 commits into from
Apr 11, 2025

Conversation

aniket-okta
Copy link
Contributor

@aniket-okta aniket-okta commented Apr 3, 2025
edited
Loading

Fixes the issue #758

📌 What This PR Fixes

  • Invalid DPoP Proof: Corrected JWT header structure to avoid IDX11025 serialization errors.
  • Access Denied: Ensured dpop_bound_access_tokens is enabled during client setup.
  • Session Errors (E0000005): Added API token authentication to requests.

Why This Change Is Necessary

  • Security: DPoP binds tokens to the client’s public key, preventing replay attacks.
  • Compliance: Okta’s API requires specific payload structures for DPoP-enabled clients.

🔧 Changes Made

  1. DPoP Proof Generation
    • Restructured jwk header to include only kty, e, n, alg, and use.
    • Fixed duplicate header claims (e.g., typ and alg).
    • Added nonce support for retries after use_dpop_nonce errors.
  2. Testing
    • Added Integration Test: Validates end-to-end flow for DPoP-bound token issuance.

🐛 Debugging Process

  • JWT Inspection: Used tools like [JWT.io](http://jwt.io/) to decode and validate DPoP proof structure.
  • API Logs: Analyzed Okta system logs to trace access_denied errors to missing client settings.
  • Postman Testing: Verified payload correctness against Okta’s API documentation.

🧪 Testing

  • Integration Test:
    • Ensures DPoP-enabled clients are created programmatically.
    • Validates token issuance with a valid DPoP proof.
    • Confirms token rejection when proof is missing or invalid.

@aniket-okta aniket-okta force-pushed the OKTA-832982 branch 2 times, most recently from cf7de0b to 3b8745e Compare April 4, 2025 12:42
@aniket-okta aniket-okta self-assigned this Apr 11, 2025
@aniket-okta aniket-okta merged commit 0aac83a into master Apr 11, 2025
4 checks passed
@aniket-okta aniket-okta deleted the OKTA-832982 branch May 7, 2025 05:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@manmohan-shaw-okta manmohan-shaw-okta manmohan-shaw-okta approved these changes

@BinoyOza-okta BinoyOza-okta BinoyOza-okta approved these changes

@pranav-okta pranav-okta Awaiting requested review from pranav-okta

@prachi-okta prachi-okta Awaiting requested review from prachi-okta

@aditya-okta aditya-okta Awaiting requested review from aditya-okta

Assignees

@aniket-okta aniket-okta

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@aniket-okta @manmohan-shaw-okta @BinoyOza-okta @bryanapellanes-okta