This repository has been archived by the owner on Nov 19, 2024. It is now read-only.
Brock Allen edited this page Apr 7, 2023 · 12 revisions

Duende.AccessTokenManagement supports DPoP.

JSON Web Key configuration

The main piece that your hosting application needs to concern itself with is how to obtain (and manage) the DPoP credential. The credential is an asymmetric key pair: the signing algorithm must be one of the RS*, PS* or ES* families (for example RS256, PS256 or ES256), never a symmetric HS* algorithm, because the public key is sent in the header of every proof. The key needs to be in the form of a JSON Web Key (JWK) that includes the private parameters, since the client signs its proofs with it. Consult the DPoP specification (RFC 9449) for more details.

Creating a JWK in .NET is simple:

using System.Security.Cryptography;
using System.Text.Json;
using Microsoft.IdentityModel.Tokens;

// create and configure a DPoP JWK
var rsaKey = new RsaSecurityKey(RSA.Create(2048));
var jwkKey = JsonWebKeyConverter.ConvertFromSecurityKey(rsaKey);
jwkKey.Alg = "PS256"; // the algorithm the proofs will be signed with
// the serialized JWK contains the private parameters (d, p, q, ...): store it as a secret
var jwk = JsonSerializer.Serialize(jwkKey);

Once you have a JWK you wish to use, it must be configured or made available to this library. That can be done in one of two ways:

  • Configure the key at startup by setting the DPoPJsonWebKey property on either the ClientCredentialsTokenManagementOptions or UserTokenManagementOptions (depending on which of the two styles you are using from this library).
  • Implement the IDPoPKeyStore interface to produce the key at runtime.

Whichever way you choose, keep the key stable. Every DPoP-bound access token the library obtains is bound to this key, so a key that is regenerated on each startup, or that differs between instances of a scaled-out deployment, leaves cached tokens issued for the previous key unusable at the API.

Here's a sample configuring the key in an application using AddOpenIdConnectAccessTokenManagement in the startup code:

services.AddOpenIdConnectAccessTokenManagement(options =>
{
    options.DPoPJsonWebKey = jwk;
});

Similarly for an application using AddClientCredentialsTokenManagement it would look like this:

services.AddClientCredentialsTokenManagement()
   .AddClient("client_name", options =>
   {
       options.TokenEndpoint = "https://demo.duendesoftware.com/connect/token"; 
       // other client settings...

       options.DPoPJsonWebKey = jwk;
   });
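The second option, producing the key at runtime, is where key persistence is handled. The following is an added example, not code from Duende.AccessTokenManagement: a key store that creates one key per client name on first use, writes it to a file, and returns the same key on every later call and after restarts. It assumes the interface shape Task<DPoPKey?> GetKeyAsync(string clientName) and a DPoPKey class with a JsonWebKey string property, and that the library resolves IDPoPKeyStore from DI; the directory path is made up for the example. Check both against the version you run.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using Duende.AccessTokenManagement;
using Microsoft.IdentityModel.Tokens;

// Added example, not the library's own code. Assumed interface shape:
//   Task<DPoPKey?> GetKeyAsync(string clientName) and DPoPKey.JsonWebKey (string).
public class FileDPoPKeyStore : IDPoPKeyStore
{
    private readonly string _directory; // assumption: readable only by this application
    private readonly object _gate = new();

    public FileDPoPKeyStore(string directory) => _directory = directory;

    public Task<DPoPKey?> GetKeyAsync(string clientName)
    {
        // one key per client name, created once and reused across restarts so that
        // cached DPoP-bound tokens keep matching the key the proofs are signed with
        var path = Path.Combine(_directory, $"{clientName}.dpop.jwk.json");
        lock (_gate)
        {
            if (!File.Exists(path))
            {
                var jwkKey = JsonWebKeyConverter.ConvertFromSecurityKey(new RsaSecurityKey(RSA.Create(2048)));
                jwkKey.Alg = "PS256";
                File.WriteAllText(path, JsonSerializer.Serialize(jwkKey)); // contains the private key
            }
            var json = File.ReadAllText(path);

            // refuse a stored key that lost its private half or its algorithm: the library
            // could not sign proofs with it, and failing here is clearer than failing later
            var parsed = new JsonWebKey(json);
            if (!parsed.HasPrivateKey || string.IsNullOrEmpty(parsed.Alg))
                throw new InvalidOperationException($"stored DPoP key for '{clientName}' is unusable");

            return Task.FromResult<DPoPKey?>(new DPoPKey { JsonWebKey = json });
        }
    }
}

// registration (assumption: the library resolves IDPoPKeyStore from the container);
// the path is an example value
// services.AddSingleton<IDPoPKeyStore>(new FileDPoPKeyStore("/var/lib/myapp/dpop-keys"));
```

A file is the simplest persistent store; in a multi-instance deployment the same idea applies with a shared secret store (a key vault, a protected database row) so that all instances present proofs signed by one key.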

Proof Tokens at the token server's token endpoint

Once the key has been configured for the client, the library will use it to produce a DPoP proof token (sent in the DPoP HTTP header) when calling the token server, including token renewals where relevant. Nothing explicit is needed on the part of the developer using this library.

dpop_jkt at the token server's authorize endpoint

When using DPoP and AddOpenIdConnectAccessTokenManagement, this library will also automatically include the dpop_jkt parameter in the authorize request. Its value is the JWK thumbprint (RFC 7638) of the public key, which lets the token server bind the authorization code to that key so that an intercepted code cannot be redeemed with a different one.

Proof Tokens at the API

Once the library has obtained a DPoP-bound access token for the client, and your application uses any of the HttpClient client factory helpers (e.g. AddClientCredentialsHttpClient or AddUserAccessTokenHttpClient), those outbound HTTP requests will automatically carry a DPoP proof token for the associated access token. That proof is specific to the request (it binds the HTTP method and URL) and includes the ath claim, the hash of the access token it accompanies, so it cannot be reused with another token or against another endpoint.
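The three sections above all rely on the same artefact. The following is an added example, not code from Duende.AccessTokenManagement, showing what a DPoP proof contains, how the dpop_jkt thumbprint is derived from the key created earlier on this page, and the checks a resource server applies before trusting a proof (RFC 9449). It covers RSA keys only; an EC key uses crv, x and y in the same places. The API URL and the access token value in the demo are made up, and the in-memory HashSet stands in for a replay cache.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example, not code from Duende.AccessTokenManagement: the shape of the proof the
// library sends (RFC 9449) and the checks a resource server runs on it. RSA keys only.
public static class DPoPProofExample
{
    // RFC 7638 thumbprint of an RSA key: SHA-256 over the required members in lexicographic
    // order. This is the value of dpop_jkt on the authorize request and of cnf.jkt in the token.
    public static string Thumbprint(JsonWebKey key) =>
        Base64UrlEncoder.Encode(SHA256.HashData(Encoding.UTF8.GetBytes(
            $"{{\"e\":\"{key.E}\",\"kty\":\"RSA\",\"n\":\"{key.N}\"}}")));

    // ath = base64url(SHA-256(access token)); only present in proofs sent to an API.
    public static string AccessTokenHash(string accessToken) =>
        Base64UrlEncoder.Encode(SHA256.HashData(Encoding.ASCII.GetBytes(accessToken)));

    // One proof per request: method and URL (without query/fragment) are bound in, jti is
    // fresh, iat is now, ath only when an access token accompanies the request.
    public static string CreateProof(JsonWebKey privateJwk, string method, string url, string? accessToken = null)
    {
        var header = new JwtHeader(new SigningCredentials(privateJwk, privateJwk.Alg));
        header["typ"] = "dpop+jwt";
        header.Remove("kid");
        // public parameters only: d, p, q, ... must never end up in the header
        header["jwk"] = new Dictionary<string, object> { ["kty"] = "RSA", ["n"] = privateJwk.N, ["e"] = privateJwk.E };
        var payload = new JwtPayload
        {
            ["jti"] = Guid.NewGuid().ToString("N"),
            ["htm"] = method.ToUpperInvariant(),
            ["htu"] = new Uri(url).GetLeftPart(UriPartial.Path),
            ["iat"] = EpochTime.GetIntDate(DateTime.UtcNow),
        };
        if (accessToken != null) payload["ath"] = AccessTokenHash(accessToken);
        return new JwtSecurityTokenHandler().WriteToken(new JwtSecurityToken(header, payload));
    }

    // Resource-server side. Returns the proof key's thumbprint so the caller can compare it
    // with cnf.jkt of the access token; throws SecurityTokenException on any failed check.
    public static string ValidateProof(string proof, string method, string url, string? accessToken,
                                       ISet<string> seenJtis, TimeSpan maxAge)
    {
        var handler = new JwtSecurityTokenHandler();
        var unverified = handler.ReadJwtToken(proof); // used only to pull the key out of the header
        if (!unverified.Header.TryGetValue("jwk", out var jwkRaw))
            throw new SecurityTokenException("proof has no jwk header");
        var jwk = new JsonWebKey(jwkRaw.ToString()); // ToString() gives the raw JSON object
        if (jwk.HasPrivateKey || jwk.Kty != "RSA")
            throw new SecurityTokenException("proof jwk is not a public RSA key");
        handler.ValidateToken(proof, new TokenValidationParameters
        {
            IssuerSigningKey = jwk,                                  // the key the header itself carries
            ValidTypes = new[] { "dpop+jwt" },
            ValidAlgorithms = new[] { "RS256", "PS256" },            // never HS* or none
            ValidateIssuer = false, ValidateAudience = false,
            ValidateLifetime = false, RequireExpirationTime = false, // proofs carry iat, not exp
        }, out var validated);
        var jwt = (JwtSecurityToken)validated;
        string? Claim(string name) => jwt.Payload.TryGetValue(name, out var v) ? v?.ToString() : null;
        if (Claim("htm") != method.ToUpperInvariant())
            throw new SecurityTokenException("htm does not match the request method");
        if (Claim("htu") != new Uri(url).GetLeftPart(UriPartial.Path))
            throw new SecurityTokenException("htu does not match the request URL");
        if (Math.Abs((DateTime.UtcNow - jwt.IssuedAt).TotalSeconds) > maxAge.TotalSeconds)
            throw new SecurityTokenException("iat is outside the acceptable window");
        var jti = Claim("jti") ?? throw new SecurityTokenException("proof has no jti");
        if (!seenJtis.Add(jti)) // seenJtis is the replay cache; entries may expire after maxAge
            throw new SecurityTokenException("jti already seen: replayed proof");
        if (accessToken != null && !CryptographicOperations.FixedTimeEquals(
                Encoding.ASCII.GetBytes(Claim("ath") ?? ""), Encoding.ASCII.GetBytes(AccessTokenHash(accessToken))))
            throw new SecurityTokenException("ath does not match the presented access token");
        return Thumbprint(jwk);
    }

    // Constructed demo: key created as on this page, no network; API URL and token are made up.
    public static void Demo()
    {
        var key = JsonWebKeyConverter.ConvertFromSecurityKey(new RsaSecurityKey(RSA.Create(2048)));
        key.Alg = "PS256";
        var seen = new HashSet<string>();
        var window = TimeSpan.FromMinutes(5);
        const string tokenUrl = "https://demo.duendesoftware.com/connect/token";
        const string apiUrl = "https://api.example.com/orders?page=2"; // query is dropped from htu
        const string accessToken = "constructed.dpop-bound.access-token";
        // token endpoint: no ath yet. The thumbprint is what the server puts into cnf.jkt.
        var jkt = ValidateProof(CreateProof(key, "POST", tokenUrl), "POST", tokenUrl, null, seen, window);
        Console.WriteLine($"token endpoint proof OK, jkt = {jkt}");
        // API call: ath binds the proof to the token; presenting the same proof twice fails on jti.
        var apiProof = CreateProof(key, "GET", apiUrl, accessToken);
        ValidateProof(apiProof, "GET", apiUrl, accessToken, seen, window);
        try { ValidateProof(apiProof, "GET", apiUrl, accessToken, seen, window); }
        catch (SecurityTokenException e) { Console.WriteLine($"replay rejected: {e.Message}"); }
    }
}
```

The order of checks on the receiving side matters: the signature is verified with the key taken from the proof's own header, so the proof by itself only establishes possession of some key; it is the comparison of that key's thumbprint with cnf.jkt in the access token (and the ath check) that ties the proof to the token the client is presenting.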