The :oauth_dpop plugin implements sender-constrained OAuth 2.0 tokens via an application-level proof-of-possession mechanism (DPoP, specified in RFC 9449). A client proves possession of a public/private key pair by including a signed proof JWT in the DPoP HTTP request header of every token and resource request; because each access and refresh token is bound to that key, a token presented without a valid proof from the same key is rejected, which allows replayed or stolen tokens to be detected.
This feature is for parties interested in preventing unauthorized or illegitimate parties from using leaked or stolen access tokens: the token is bound to a public key upon issuance, and the client must prove possession of the corresponding private key whenever it uses the token.
```ruby
plugin :rodauth do
  enable :oauth_dpop
  # enable enforcement of nonces in DPoP proofs:
  # oauth_dpop_use_nonce true
  #
  # to require DPoP-bound access tokens only, enable it globally:
  # oauth_dpop_bound_access_tokens true
  #
  # or enable it per client application, see instructions below
end
```
Support for DPoP proofs requires an additional column in the oauth grants table, identified by the oauth_grants_dpop_jkt_column auth value method (defaults to :jkt). It stores the JWK thumbprint (jkt) of the key a grant, and therefore its tokens, is bound to.
Replay detection for DPoP proofs, an optional feature that is turned on by default, rejects a proof JWT that is presented again within a limited window (defined by the oauth_dpop_proof_expires_in auth value method, defaulting to 5 minutes). It requires an additional database table, identified by the oauth_dpop_proofs_table auth value method (default: :oauth_dpop_proofs), with the following columns:

| Auth value method | Default | Description |
|---|---|---|
| oauth_dpop_proofs_jti_column | :jti | The unique identifier (jti claim) of the DPoP proof JWT. |
| oauth_dpop_proofs_first_use_column | :first_use | The timestamp of when the DPoP proof was first used. |
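The following is an added, self-contained example (not rodauth-oauth's own code) that shows both halves of the mechanism using only the Ruby standard library: a client builds a DPoP proof JWT and computes the JWK thumbprint that becomes the jkt value a grant or token is bound to, and a verifier checks the proof's typ, alg, signature, htm/htu, iat window and optional nonce, then records the jti with its first-use time so a replayed proof is rejected within the expiry window. The algorithm is fixed to RS256 for simplicity (ES256 is the more common choice in practice), and the DpopDemo module, the ProofVerifier class and the in-memory Hash standing in for the oauth_dpop_proofs table are hypothetical names used for illustration.

```ruby
require "openssl"
require "json"
require "securerandom"

# Added example (not rodauth-oauth code): minimal DPoP proof creation and verification
# with only the Ruby standard library. Algorithm fixed to RS256; an in-memory Hash
# (jti => first_use) stands in for the oauth_dpop_proofs table.
module DpopDemo
  module_function

  def b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def b64url_decode(str)
    padded = str + "=" * ((4 - str.length % 4) % 4)
    padded.tr("-_", "+/").unpack1("m0")
  end

  # Public JWK (RFC 7517) for an RSA key pair; only public members are exported.
  def public_jwk(rsa)
    { "kty" => "RSA", "n" => b64url(rsa.n.to_s(2)), "e" => b64url(rsa.e.to_s(2)) }
  end

  # JWK thumbprint (RFC 7638): required members in lexicographic order, no whitespace,
  # SHA-256, base64url. This is the "jkt" a grant or access token gets bound to.
  def jwk_thumbprint(jwk)
    canonical = JSON.generate("e" => jwk["e"], "kty" => jwk["kty"], "n" => jwk["n"])
    b64url(OpenSSL::Digest::SHA256.digest(canonical))
  end

  # Client side: build the JWT that is sent in the DPoP request header.
  def create_proof(rsa, htm:, htu:, iat: Time.now.to_i, nonce: nil)
    header = { "typ" => "dpop+jwt", "alg" => "RS256", "jwk" => public_jwk(rsa) }
    claims = { "jti" => SecureRandom.uuid, "htm" => htm, "htu" => htu, "iat" => iat }
    claims["nonce"] = nonce if nonce
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
    "#{signing_input}.#{b64url(rsa.sign(OpenSSL::Digest.new("SHA256"), signing_input))}"
  end

  # Rebuild an RSA public key from the JWK carried in the proof header (via a SubjectPublicKeyInfo).
  def rsa_from_jwk(jwk)
    n = OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)
    e = OpenSSL::BN.new(b64url_decode(jwk["e"]), 2)
    rsa_public_key = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(n), OpenSSL::ASN1::Integer.new(e)])
    spki = OpenSSL::ASN1::Sequence.new([
      OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new("1.2.840.113549.1.1.1"), OpenSSL::ASN1::Null.new(nil)]),
      OpenSSL::ASN1::BitString.new(rsa_public_key.to_der)
    ])
    OpenSSL::PKey.read(spki.to_der)
  end

  # Server side: validate one proof for one request and detect replays.
  class ProofVerifier
    Error = Class.new(StandardError)

    def initialize(expires_in: 300, nonce: nil)
      @expires_in = expires_in # analogue of oauth_dpop_proof_expires_in (seconds)
      @nonce = nonce           # set when nonces are enforced (oauth_dpop_use_nonce)
      @seen = {}               # jti => first_use; in-memory oauth_dpop_proofs table
    end

    # Returns the jkt of the proving key on success; raises Error on any failure.
    def verify!(proof, htm:, htu:, expected_jkt: nil, now: Time.now.to_i)
      h, c, s = proof.split(".")
      raise Error, "malformed proof" unless h && c && s
      header = JSON.parse(DpopDemo.b64url_decode(h))
      claims = JSON.parse(DpopDemo.b64url_decode(c))
      raise Error, "typ must be dpop+jwt" unless header["typ"] == "dpop+jwt"
      raise Error, "unsupported alg" unless header["alg"] == "RS256"
      jwk = header["jwk"] or raise Error, "missing jwk"
      raise Error, "jwk carries private material" if jwk.key?("d")
      key = DpopDemo.rsa_from_jwk(jwk)
      signature = DpopDemo.b64url_decode(s)
      raise Error, "bad signature" unless key.verify(OpenSSL::Digest.new("SHA256"), signature, "#{h}.#{c}")
      raise Error, "htm mismatch" unless claims["htm"] == htm
      raise Error, "htu mismatch" unless claims["htu"] == htu
      raise Error, "nonce mismatch" if @nonce && claims["nonce"] != @nonce
      iat = claims["iat"]
      # allow 60s of clock skew into the future, and nothing older than the expiry window
      raise Error, "iat outside window" unless iat.is_a?(Integer) && (now - iat).between?(-60, @expires_in)
      jkt = DpopDemo.jwk_thumbprint(jwk)
      raise Error, "jkt mismatch" if expected_jkt && jkt != expected_jkt
      jti = claims["jti"] or raise Error, "missing jti"
      # replay check: forget entries older than the window, then refuse a jti seen before
      @seen.delete_if { |_, first_use| now - first_use > @expires_in }
      raise Error, "replayed proof (jti already used)" if @seen.key?(jti)
      @seen[jti] = now
      jkt
    end
  end
end
```

The value returned by jwk_thumbprint is what a client sends as the dpop_jkt parameter and what the server stores in the grant's jkt column; expected_jkt models the server comparing that stored value against the key in later proofs. In a real deployment the jti/first_use pair is persisted to the oauth_dpop_proofs table rather than kept in memory, and the ath claim (hash of the access token) is also checked on resource-server requests.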
The generated access token will be bound to the public key carried in the DPoP proof presented in the DPoP HTTP request header, as described in the RFC; every later use of the token must be accompanied by a fresh proof signed with that same key.
Authorization code binding to a DPoP key can be achieved by setting the dpop_jkt query param (the JWK thumbprint of the client's key) in the authorization request. This can also be used together with the oauth_pkce feature.
When used together with the oauth_pushed_authorization_request feature, binding of the pushed request to a DPoP key is supported by passing an additional dpop_jkt POST body param. This requires an additional column in the pushed authorization requests table, identified by the oauth_pushed_authorization_requests_dpop_jkt_column auth value method (defaults to :dpop_jkt).
To require DPoP-bound access tokens for a given client application, set the column identified by the oauth_applications_dpop_bound_access_tokens_column auth value method to true for that application. If using the oauth_dynamic_client_registration feature, this can also be done through the register endpoint, via the dpop_bound_access_tokens param.