Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Required ath claim is missing from DPoP header #3184

Open
1 of 5 tasks
NSeydoux opened this issue Oct 13, 2023 · 3 comments
Open
1 of 5 tasks

Required ath claim is missing from DPoP header #3184

NSeydoux opened this issue Oct 13, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@NSeydoux
Copy link
Contributor

Search terms you've used

dpop, ath

Impacted package

Which packages do you think might be impacted by the bug ?

  • solid-client-authn-browser
  • solid-client-authn-node
  • solid-client-authn-core
  • oidc-client-ext
  • Other (please specify): ...

Bug description

To Reproduce

  1. Start the demo at /packages/browsser/examples/single/bundle
  2. Go to http://localhost:3113
  3. Log in your OpenID Provider (e.g. https://login.inrupt.com)
  4. Perform an authenticated request

Expected result

The last authenticated request should include both an Access Token in the Authorization header, and a JWT in the dpop header containing an ath claim, which is mandatory as per https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-proof-jwt-syntax.

Actual result

The dpop JWT desn't have an ath claim.

Environment

Please run

$ npx envinfo --system --npmPackages --binaries --npmGlobalPackages --browsers

System:
    OS: Linux 6.2 Ubuntu 23.04 23.04 (Lunar Lobster)
    CPU: (16) x64 12th Gen Intel(R) Core(TM) i7-1270P
    Memory: 18.11 GB / 31.05 GB
    Container: Yes
    Shell: 5.9 - /usr/bin/zsh
  Binaries:
    Node: 18.17.0 - /run/user/1000/fnm_multishells/231754_1697187935683/bin/node
    npm: 9.6.7 - /run/user/1000/fnm_multishells/231754_1697187935683/bin/npm
  npmGlobalPackages:
    corepack: 0.18.0
    npm: 9.6.7

Additional information

The problem comes from the implementation of the DPoP signature here:

solid-client-authn-js/packages/core/src/authenticatedFetch/dpopUtils.ts

Line 57 in 3bad925

): Promise<string> {
.
@NSeydoux NSeydoux added the bug Something isn't working label Oct 13, 2023
@NSeydoux
Copy link
Contributor Author

NSeydoux commented Oct 13, 2023
edited
Loading

Thanks for reporting this in #3181 (comment) @damooo! This will be fixed soon.

@damooo damooo mentioned this issue Oct 13, 2023
Open
@NSeydoux
Copy link
Contributor Author

Just a note on this for context: this is due to the fact that our library implemented an older draft version of DPoP. The specification obviously changed between that point in time and its current published status, so before fixing this one issue, we'll go over the latest spec, and check what other aspects of it are missing from our libraries, so that we bridge that gap in one go instead of fixing misalignments piecemeal.

@zg009
Copy link

zg009 commented Jan 18, 2024

Hello,

If there is any chance for me to help with this, I'd be happy to put some time into making some changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@NSeydoux @zg009