Feature request: Support additional information in DPoP proofs (according to RFC9449) #1498

Closed
gjermund-stensrud opened this issue Dec 2, 2024 · 3 comments
Comments

@gjermund-stensrud
Which version of Duende.AccessTokenManagement are you using?
Latest

Which version of .NET are you using?
.NET 8

Description of the problem
We are building a system to transfer sensitive data secured with OpenId and DPoP. This means we are encrypting the HTTP content with a symmetric key in addition to the HTTPS encryption. We then send metadata about the encrypted object in the request. We started out using additional HTTP headers to store this information, but to do that we also needed to sign these headers to make sure they were not altered during transport. The easiest solution is to add this information to the DPoP proof payload and have it signed together with the rest of the information. According to RFC9449, DPoP was not designed to protect additional headers or content, but it allows additional information to be added to the proofs to accomplish exactly that.

Unfortunately, this is not supported by Duende AccessTokenManagement. DPoPProofPayload.cs as defined here contains the entirety of the proof payload and it is not possible to specify any additional information. In our specific case we need to add different information for each request as it is directly related to the content and cannot be added to the global HttpClientFactory. But it is very hard to access any request related objects from the DPoP generation in AccessTokenManagement.

Description of the solution
Add the ability to specify additional information in something like a Dictionary<string, string> where additional information can be added to each request. The DPoPProofTokenFactory will then add this into the DPoP proof payload on generation.
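To illustrate what the request asks for (caller-supplied claims merged into the DPoP proof payload and covered by the same signature as `jti`/`htm`/`htu`/`iat`), here is an added, self-contained example in Go. It is not Duende code and not the API proposed in the PR; it builds an ES256 DPoP proof per RFC 9449 with an embedded JWK, verifies it, and shows that editing an extra claim after signing is detected. The claim names `enc_key_id` and `content_hash`, the URL and the `jti` value are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWS uses base64url without padding.
var b64 = base64.RawURLEncoding

// jwk is the EC public key carried in the proof header (RFC 7517).
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func publicJWK(pub *ecdsa.PublicKey) jwk {
	return jwk{Kty: "EC", Crv: "P-256",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// BuildProof creates a DPoP proof (RFC 9449 section 4.2) for one HTTP request and merges
// the caller's extra claims into the payload, so they are signed together with the
// standard claims. Standard claim names may not be overridden by extra claims.
func BuildProof(priv *ecdsa.PrivateKey, method, url, jti string, iat time.Time, extra map[string]string) (string, error) {
	header := map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&priv.PublicKey)}
	payload := map[string]any{"jti": jti, "htm": method, "htu": url, "iat": iat.Unix()}
	for k, v := range extra {
		if _, reserved := payload[k]; reserved {
			return "", fmt.Errorf("extra claim %q collides with a standard DPoP claim", k)
		}
		payload[k] = v
	}
	hb, _ := json.Marshal(header)
	pb, _ := json.Marshal(payload)
	signingInput := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signature is the raw R||S concatenation, 32 bytes each.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyProof checks type, algorithm and signature against the embedded JWK and returns
// the claims (standard and extra) only when the signature is valid.
func VerifyProof(proof string) (map[string]any, error) {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed proof")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Typ string `json:"typ"`
		Alg string `json:"alg"`
		Jwk jwk    `json:"jwk"`
	}
	if err := json.Unmarshal(hb, &header); err != nil {
		return nil, err
	}
	if header.Typ != "dpop+jwt" || header.Alg != "ES256" || header.Jwk.Kty != "EC" || header.Jwk.Crv != "P-256" {
		return nil, errors.New("unexpected proof header")
	}
	xb, errX := b64.DecodeString(header.Jwk.X)
	yb, errY := b64.DecodeString(header.Jwk.Y)
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return nil, errors.New("malformed key or signature")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("invalid signature")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// TamperClaim rewrites one payload claim without re-signing, to show the check fails.
func TamperClaim(proof, name, value string) string {
	parts := strings.Split(proof, ".")
	pb, _ := b64.DecodeString(parts[1])
	var claims map[string]any
	_ = json.Unmarshal(pb, &claims)
	claims[name] = value
	pb, _ = json.Marshal(claims)
	return parts[0] + "." + b64.EncodeToString(pb) + "." + parts[2]
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed per-request metadata about the encrypted body (sample values).
	extra := map[string]string{"enc_key_id": "kid-42", "content_hash": "sha256:constructed"}
	proof, _ := BuildProof(priv, "POST", "https://api.example/upload", "jti-1", time.Now(), extra)
	claims, err := VerifyProof(proof)
	fmt.Println("valid:", err == nil, "enc_key_id:", claims["enc_key_id"])
	_, err = VerifyProof(TamperClaim(proof, "enc_key_id", "kid-99"))
	fmt.Println("tampered proof rejected:", err != nil)
}
```

A real resource server would additionally check `htm`/`htu` against the actual request, enforce a freshness window on `iat`, track `jti` for replay, and compare `ath` to the presented access token; those checks are unchanged by the extra claims, which is the point of carrying the metadata inside the proof rather than in unsigned headers.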

@RolandGuijt
Thanks for pointing this out. As you discovered we haven't implemented that part of the spec and looking at the current planning it won't be in the near future.
This would be really nice to have, we just don't have the resources right now. If you are willing and able, we are open to a change proposal in the form of a PR we can evaluate.

@gjermund-stensrud
Author

I have created a proposal in this pull request: DuendeSoftware/foss#69

@RolandGuijt

Thanks a lot for the PR. We are going to review this early next year.
Your efforts around this are highly appreciated.
Closing the issue for now but feel free to add anything if something comes up.
