Which version of Duende.AccessTokenManagement are you using?
Latest
Which version of .NET are you using?
.NET 8
Description of the problem
We are building a system to transfer sensitive data secured with OpenID and DPoP. This means we are encrypting the HTTP content with a symmetric key in addition to the HTTPS encryption. We then send metadata about the encrypted object in the request. We started out using additional HTTP headers to store this information, but to do that we also needed to sign these headers to make sure they were not altered during transport. The easiest solution is to add this information to the DPoP proof payload and have it signed together with the rest of the information. According to RFC 9449, DPoP was designed not to protect additional headers or content, but it allows additional information to be added to the proofs to accomplish exactly that.
Unfortunately, this is not supported by Duende AccessTokenManagement. DPoPProofPayload.cs as defined here contains the entirety of the proof payload, and it is not possible to specify any additional information. In our specific case we need to add different information for each request, as it is directly related to the content and cannot be added to the global HttpClientFactory. But it is very hard to access any request-related objects from the DPoP generation in AccessTokenManagement.
Description of the solution
Add the ability to specify additional information in something like a Dictionary<string, string> where additional information can be added to each request. The DPoPProofTokenFactory will then add this into the DPoP proof payload on generation.
Thanks for pointing this out. As you discovered, we haven't implemented that part of the spec, and looking at the current planning it won't be in the near future.
This would be really nice to have; we just don't have the resources right now. If you are willing and able, we are open to a change proposal in the form of a PR we can evaluate.
Thanks a lot for the PR. We are going to review this early next year.
Your efforts around this are highly appreciated.
Closing the issue for now but feel free to add anything if something comes up.