
[TBC] Implement DPoP for access token #4320

Open
tung2744 opened this issue Jun 13, 2024 — with Linear · 5 comments

No description provided.

linear bot commented Jun 13, 2024

@tung2744 tung2744 self-assigned this Jun 13, 2024
@tung2744 tung2744 changed the title Implement dpop for access token [TBC] Implement dpop for access token Jun 13, 2024
@louischan-oursky (Collaborator) commented:

We may want to DPoP bind the refresh_token only. See https://www.rfc-editor.org/rfc/rfc9449#section-5-9 My concern is that the access token may be used in a way that is assumed to be Bearer.

Possible configuration
DPoP:

  • Disabled. DPoP is disabled
  • Except access_token. DPoP is enabled for authorization code, refresh token, device secret, and device browser session token.
  • All. DPoP is enabled for authorization code, access token, refresh token, device secret, and device browser session token.

@tung2744 (Contributor, Author) commented:

> My concern is that the access token may be used in a way that is assumed to be Bearer.

@louischan-oursky Yes. This is why I marked this issue as TBC. If we implement it, we need to support the DPoP Authentication Scheme. As access tokens are also read by resource servers, it could break existing integrations.

So what I plan to support is

  • When DPoP header is present on /token, these tokens are DPoP bound:
    • refresh_token
    • device_secret
    • x_device_browser_session_token

And it solely depends on whether the DPoP header is set when making the /token request. If it is present, the returned tokens are DPoP bound; otherwise they are not.

@louischan-oursky (Collaborator) commented:

> it solely depends on whether DPoP header is set on making the /token request.

The client metadata should also be implemented. https://www.rfc-editor.org/rfc/rfc9449#name-client-registration-metadat

@tung2744 (Contributor, Author) commented:

@louischan-oursky It seems dpop_bound_access_tokens should only control access tokens, which we don't support DPoP for at the moment. (But the spec says "for token requests", so not sure.)

However, I think this config is only for enforcing DPoP (i.e. error if no DPoP), not for enabling DPoP. Therefore things still work without this config.
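The /token decision the thread converges on, written out as an added example (not Authgear's code): tokens other than the access token are bound to the DPoP key only when a DPoP header was sent, and dpop_bound_access_tokens is treated as enforcement (reject a proof-less request) rather than as a switch that enables DPoP. It assumes a separate step has already verified the proof JWT's signature and htm/htu/iat/jti claims and hands over only its public JWK; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import json

# Token kinds the thread proposes to bind when a DPoP header is present on /token.
DPOP_BOUND_TOKEN_TYPES = ("refresh_token", "device_secret", "x_device_browser_session_token")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_response(client_metadata: dict, dpop_jwk, tokens: dict) -> dict:
    """Decide what /token issues (hypothetical helper).

    client_metadata: registered client metadata; dpop_bound_access_tokens is the RFC 9449 flag.
    dpop_jwk: public JWK from an already-validated DPoP proof (assumed), or None if no DPoP header.
    tokens: the tokens the server is about to return, keyed by token type.
    """
    # Enforcement only: the metadata makes DPoP mandatory, it does not switch it on by itself.
    if client_metadata.get("dpop_bound_access_tokens") and dpop_jwk is None:
        return {"error": "invalid_dpop_proof"}
    if dpop_jwk is None:
        # No DPoP header: every token keeps plain Bearer semantics.
        return {"tokens": tokens, "jkt": None, "bound": []}
    jkt = jwk_thumbprint(dpop_jwk)
    bound = [t for t in DPOP_BOUND_TOKEN_TYPES if t in tokens]
    # The server stores jkt next to the bound tokens; access_token stays Bearer in this design.
    return {"tokens": tokens, "jkt": jkt, "bound": bound}


def accept_refresh(stored_jkt, dpop_jwk) -> bool:
    """Later grant_type=refresh_token call: a bound token needs a proof from the same key."""
    if stored_jkt is None:
        return True  # issued without DPoP, so it is used as a Bearer token
    return dpop_jwk is not None and jwk_thumbprint(dpop_jwk) == stored_jkt


# Constructed sample key: the coordinates are placeholders, not a real P-256 point.
SAMPLE_DPOP_JWK = {"kty": "EC", "crv": "P-256", "x": "c" * 43, "y": "d" * 43, "use": "sig"}
```

The thumbprint ignores optional members such as "use" and member order, so a client that re-sends the same key in a different JSON layout still matches the stored jkt.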

@tung2744 tung2744 changed the title [TBC] Implement dpop for access token [TBC] Implement DPoP for access token Jun 13, 2024