Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support OAuth DPoP #651

Open
hickford opened this issue Jul 12, 2023 · 3 comments
Open

Support OAuth DPoP #651

hickford opened this issue Jul 12, 2023 · 3 comments

Comments

@hickford
Copy link
Contributor

hickford commented Jul 12, 2023
edited

Is anyone working on OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) support? RFC 9449 https://datatracker.ietf.org/doc/html/rfc9449 was published 2023.

This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens

Of course, the API will have to go through the Go change proposal process.
@theadell
Copy link

I'm excited to see the discussion around introducing DPoP support into the x/oauth2 package and I would love to start working on a prototype but I have a few questions and thoughts about the proposal that I hope you could help clarify @hickford

  • Applicability of DPoP in Golang's Context: Go clients are confidential, where the refresh tokens are constrained to the client (by client authentication using simple client_id and client_secret or other methods). In this context, how do you view the benefits of the DPoP mechanism? While DPoP is primarily designed for public clients, could there be significant advantages for this library's use cases? (access tokens are not constrained but they are short-lived and stored securely on the server side)
  • Scope of Implementation: How extensively does this proposal aim to implement the DPoP draft? Would the initial focus be on basic DPoP functionalities like generating and sending DPoP proofs, or does it extend to more advanced features? For instance, would there be an effort to inspect the OAuth 2.0 Authorization Server Metadata to determine the authorization server's DPoP support, specifically checking for the dpop_signing_alg_values_supported parameter?
  • Resource and Authorization Server-Provided Nonce Support: The DPoP draft suggests optional support for a nonce provided by both authorization and resource servers. How should we approach these features? Would they be considered for an initial implementation or added later as extensions? should they be handled implicitly by the prototype or should the end developer manually retrieve them and pass them when making calls
  • Resource Server Support: Given that this package is sometimes used by clients who also act as resource servers, would adding a method to validate DPoP-constrained tokens be considered?

Your insights would be greatly appreciated.

@hickford
Copy link
Contributor Author

Go clients are confidential

@adel-habib You can use this library for confidential or public clients. A client is confidential if it can keep the secret confidential. So server-side web apps are confidential clients. Native apps such as desktop apps are public clients.

@theadell
Copy link

Native apps such as desktop apps are public clients.

That's right. I overlooked that use case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hickford @theadell