-
-
Notifications
You must be signed in to change notification settings - Fork 391
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update DPoP to an updated draft #406
Closed
2 tasks done
bifurcation opened this issue
Sep 20, 2021
· 2 comments
· Fixed by #407 · May be fixed by roma8389/GreenridgeApp#112 or roma8389/GreenridgeApp#118
Closed
2 tasks done
update DPoP to an updated draft #406
bifurcation opened this issue
Sep 20, 2021
· 2 comments
· Fixed by #407 · May be fixed by roma8389/GreenridgeApp#112 or roma8389/GreenridgeApp#118
Labels
Comments
For the record, there's no need for these two libraries to interoperate all the time. openid-client simply implemented draft-01 that it also linked to from the readme. |
panva
changed the title
DPoP fails to interoperate with node-oidc-provider
update DPoP to an updated draft
Sep 20, 2021
panva
added a commit
that referenced
this issue
Sep 20, 2021
Resolves #406 Co-authored-by: Richard L. Barnes <richbarn@cisco.com> Co-authored-by: Filip Skokan <panva.ip@gmail.com>
Ah, sorry, I missed in the documentation that this library was still on draft-01. In any case, thanks for the quick action! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Describe the bug
I attempted to create a simple client/server example of DPoP usage, using node-openid-client and node-oidc-provider. The client logs in using DPoP, then attempts to fetch
userinfo
. Theuserinfo
request fails withinvalid_token (invalid DPoP key binding)
. Looking into the server side more closely, it appears that theuserinfo
request does have a DPoP signature, but it is missing theath
field. According to draft-03 of DPoP, it seems like this field is required "[w]hen the DPoP proof is used in conjunction with the presentation of an access token", so the server's interpretation is correct here.So I think what is needed here is to extend the call to
dpopProof()
in therequest()
method so that it populates theath
parameter in the DPoP payload when the request is made with an access token.To Reproduce
Provider and client JS code provided in this gist. The scripts depend on a few modules, and assume that the domain names
oidc-client.invalid
andoidc-provider.invalid
are mapped to localhost in/etc/hosts
or equivalent.Steps to reproduce the behaviour:
node server.js
NODE_TLS_REJECT_UNAUTHORIZED=0 node client.js
Expected behaviour
The
client.js
script prints a set of claims returned by the provider.Environment:
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: