oauth_dpop.rdoc

doc/oauth_dpop.rdoc
Last Update: 2024-11-29 16:14:00 +0000

Documentation for OAuth DPoP feature

The oauth_dpop feature implements the OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) protocol.

datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop

This feature depends on the oauth_authorize_base and oauth_jwt features.

Auth Value Methods

oauth_invalid_token_error_response_status

HTTP status code used for invalid token error responses, 401 by default.

oauth_multiple_auth_methods_response_status

HTTP status code used for using multiple auth methods, 401 by default.

oauth_access_token_dpop_bound_response_status

HTTP status code when a dpop-bound access token without the DPoP proof, 401 by default.

oauth_invalid_dpop_proof_message

Error description for using an invalid DPoP proof.

oauth_multiple_auth_methods_message

Error description for using multiple auth methods.

oauth_multiple_dpop_proofs_message

Error description for using multiple DPoP proofs.

oauth_invalid_dpop_jkt_message

Error description when not able to verify the access token JKT.

oauth_invalid_dpop_jti_message

Error description for invalid DPoP jti.

oauth_invalid_dpop_htm_message

Error description for invalid DPoP htm.

oauth_invalid_dpop_htu_message

Error description for invalid DPoP htu.

oauth_access_token_dpop_bound_message

Error description for using an invalid DPoP proof.

oauth_invalid_dpop_proof_message

Error description for using an access token without the DPOP proof.

oauth_use_dpop_nonce_message

Error description when DPop nonce is required.

oauth_multiple_dpop_proofs_error_code

Error code for using an invalid DPoP proof, invalid_request by default.

oauth_invalid_dpop_jkt_error_code

Error code when not able to verify the access token JKT, invalid_dpop_proof by default.

oauth_invalid_dpop_jti_error_code

Error code for invalid DPoP jti, invalid_dpop_proof by default.

oauth_invalid_dpop_htm_error_code

Error code for invalid DPoP htm, invalid_dpop_proof by default.

oauth_invalid_dpop_htu_error_code

Error code for invalid DPoP htu, invalid_dpop_proof by default.

oauth_dpop_proof_expires_in

the time (in seconds) a DPoP proof can be used after first use, 5 minutes by default.

oauth_dpop_bound_access_tokens

whether only DPoP-bound access tokens are accepted, defaults to false.

oauth_dpop_use_nonce

wheter nonces are required on DPoP proofs, defaults to false.

oauth_dpop_nonce_expires_in

the time (in seconds) a server-generated nonce is valid after creation, 5 minutes by default.

oauth_dpop_signing_alg_values_supported

Supported JWS algorithms for signing DPoP headers.

oauth_applications_dpop_bound_access_tokens_column

DB column storing whether DPoP-bound access tokens are required for a client application, :dpop_bound_access_tokens by default.

oauth_grants_dpop_jkt_column

DB column for storing DPoP JKT for the oauth grants, :dpop_jkt by default.

oauth_pushed_authorization_requests_dpop_jkt_column

DB column for storing the DPoP JKT for PAR requests, :dpop_jkt by default.

oauth_dpop_proofs_table

DB table where to store first use of DPoP proofs, :oauth_dpop_proofs_table by default.

oauth_dpop_proofs_jti_column

DB column where to store DPoP proof JTI, :jti by default.

oauth_dpop_proofs_first_use_column

DB column where to store the timestamp of first use of the DPoP , :oauth_dpop_proofs_first_use_column by default.

Value Methods

validate_dpop_proof_usage

function which verifies correct usage of DPoP proofs. Can be override to disable the procedure, or customize to p.ex. use a different data store.