AxaFrance / oidc-client

Light, Secure, Pure Javascript OIDC (Open ID Connect) Client. We provide also a REACT wrapper (compatible NextJS, etc.).
MIT License

Where to find Dpop token ? #1261

Closed bhargavmullakuru closed 5 months ago

bhargavmullakuru commented 5 months ago

Issue and Steps to Reproduce

I need the DPoP token, which I need to send along with the access token for an additional API call. Where can I access it after login?


guillaume-chervet commented 5 months ago

Hi @bhargavmullakuru, thank you for your issue. Are you using the React version or oidc-client? DPoP is a dynamic value. It is injected dynamically by the fetch proposed by the library. oidc-client exposes the function to compute it. I think it is missing in the React library.

bhargavmullakuru commented 5 months ago

Hi @guillaume-chervet, thanks for your reply. I'm using the React version.

bhargavmullakuru commented 5 months ago

How do I get the generated DPoP for oidc-client after login?

guillaume-chervet commented 5 months ago

hi @bhargavmullakuru ,

You can use oidc-client directly; it is compatible with the React version. I will expose it in the React version too very soon.

```javascript
import { OidcClient } from '@axa-fr/oidc-client';

const oidc = OidcClient.getOrCreate()(configuration);
const demonstrationOfProofOfPossession = await oidc.generateDemonstrationOfProofOfPossessionAsync(accessToken, url.toString(), optionTmp.method);
```

bhargavmullakuru commented 5 months ago

@guillaume-chervet Getting an issue near getOrCreate(): Expected 1-2 arguments, got 0

guillaume-chervet commented 5 months ago

Yeah, sorry @bhargavmullakuru, I forgot one parameter:

```javascript
import { OidcClient } from '@axa-fr/oidc-client';

const oidc = OidcClient.getOrCreate(() => fetch)(configuration);
const demonstrationOfProofOfPossession = await oidc.generateDemonstrationOfProofOfPossessionAsync(accessToken, url.toString(), optionTmp.method);
```

bhargavmullakuru commented 5 months ago

Hi @guillaume-chervet. One more thing: are we using the default encryption algorithm ES256?

Is there any way to switch between the RSA256 and ES256 encryption algorithms?

guillaume-chervet commented 5 months ago

Hi @bhargavmullakuru, is it a blocker for you? I will try to make it configurable quickly.

bhargavmullakuru commented 5 months ago

@guillaume-chervet Thanks for the quick responses, and yes, it's a blocker since the API team is using the RSA256 encryption algorithm.

bhargavmullakuru commented 5 months ago

@guillaume-chervet, we can have a configuration property so that the user can switch the algorithm to RSA256 or ES256, whichever is needed. :)

guillaume-chervet commented 5 months ago

I am searching for how to do this.

I can't find which one it should be => https://github.com/diafygi/webcrypto-examples

bhargavmullakuru commented 5 months ago

@guillaume-chervet ... There are a lot of names with RSA. Basically I was getting an API error like:

```json
{
    "error": {
        "status": "401 Unauthorized",
        "detail": "Invalid Token:java.lang.ClassCastException: org.jose4j.jwk.EllipticCurveJsonWebKey incompatible with org.jose4j.jwk.RsaJsonWebKey"
    }
}
```

They are using RSASSA-PKCS1-v1_5. The link is https://github.com/diafygi/webcrypto-examples?tab=readme-ov-file#rsassa-pkcs1-v1_5

We need to configure this algorithm, I think. Thanks.

guillaume-chervet commented 5 months ago

Hi @bhargavmullakuru, thank you for the information. Are you using Keycloak? So that I can reproduce it.

bhargavmullakuru commented 5 months ago

We are not using Keycloak @guillaume-chervet.

guillaume-chervet commented 5 months ago

Do you have your OpenID well-known URL content? Accepted algorithms should be listed there.

bhargavmullakuru commented 5 months ago

@guillaume-chervet They are accepting only RSASSA-PKCS1-v1_5

bhargavmullakuru commented 5 months ago

Hi @guillaume-chervet, any luck?

guillaume-chervet commented 5 months ago

Hi @bhargavmullakuru ,

I'm on it :) I will publish some alpha; I have no way to test it with an OIDC server.

bhargavmullakuru commented 5 months ago

@guillaume-chervet . I will test it.

guillaume-chervet commented 5 months ago

Hi @bhargavmullakuru ,

The 7.13.16-alpha.1275 version should do the job. You can look at the PR readme configuration to understand how to configure it.

I cannot test it properly.

bhargavmullakuru commented 5 months ago

Cool, thank you very much @guillaume-chervet. Let me get the latest module and verify it. I will post updates here.

bhargavmullakuru commented 5 months ago

Hi @guillaume-chervet, I'm getting a parse error. Could you please give me a sample configuration for RSASSA-PKCS1-v1_5? Thanks in advance.

guillaume-chervet commented 5 months ago

Hi @bhargavmullakuru ,

I will be a few days away from my computer, until Thursday. I will try with a RSASSA-PKCS1-v1_5 configuration. Which configuration are you using? Where does it crash?

bhargavmullakuru commented 5 months ago

@guillaume-chervet ... Happy vacation. If you have already tried it, can you share the configuration object with me? So that I can implement it and try it.

guillaume-chervet commented 5 months ago

Here you will find the default configuration @bhargavmullakuru : https://github.com/AxaFrance/oidc-client/blob/fa0dbab7d0cc41ea9cf3faef1aa763a3eff272cc/packages/oidc-client/src/jwt.ts#L61

bhargavmullakuru commented 5 months ago

Hi @guillaume-chervet, just an update: with our config below, the JWT was not generating properly. With the configuration I've used, the JWT was generating fine, but something is not right, as both tokens were not matching.

```javascript
demonstrating_proof_of_possession_configuration: {
  importKeyAlgorithm: {
    name: "RSASSA-PKCS1-v1_5",
    hash: { name: "SHA-256" }, // can be "SHA-1", "SHA-256", "SHA-384", or "SHA-512"
  },
  signAlgorithm: { name: "RSASSA-PKCS1-v1_5", hash: { name: "SHA-256" } },
  generateKeyAlgorithm: {
    name: "RSASSA-PKCS1-v1_5",
    modulusLength: 2048, // can be 1024, 2048, or 4096
    publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
    hash: { name: "SHA-256" }, // can be "SHA-1", "SHA-256", "SHA-384", or "SHA-512"
  },
  digestAlgorithm: { name: "SHA-256" },
  jwtHeaderAlgorithm: "RS256",
},
```

Our generated token screenshot was attached below.

On the other side, the working JWT generated through Postman was working fine, as attached below.

The Postman script which was used, which is working fine:

```javascript
var uuid = require('uuid');

var navigator = {}; // fake a navigator object for the lib
var window = {};    // fake a window object for the lib
eval(postman.getGlobalVariable("jsrsasign-js")); // import the jsrsasign JavaScript library

// generate an RSA key pair and keep both halves as JWKs
let kp = KEYUTIL.generateKeypair("RSA", 2048);
let jwkPrv = KEYUTIL.getJWK(kp.prvKeyObj);
let jwkPub = KEYUTIL.getJWK(kp.pubKeyObj);

console.log(`jwkPub=${JSON.stringify(jwkPub)}`);

pm.collectionVariables.set("dpopProofPrv", JSON.stringify(jwkPrv));
pm.collectionVariables.set("dpopProofPub", JSON.stringify(jwkPub));

// Set headers for the DPoP proof JWT: the public key travels in the header
var header = {
    "alg" : "RS256",
    "typ" : "dpop+jwt",
    "jwk" : jwkPub
};

var tenant = pm.environment.get("tenant");
var currentTimestamp = Math.floor(Date.now() / 1000);
var claims = {
    "jti": uuid.v4(),
    'iat': currentTimestamp,
    'exp': currentTimestamp + 1*1800,
    "htm": "POST",
    "htu": `https://idpstg.ice.ibmcloud.com/oauth2/token`,
};

var sHeader = JSON.stringify(header);
var sPayload = JSON.stringify(claims);
// sign header.payload with the private key using the algorithm named in the header
var signedToken = KJUR.jws.JWS.sign(header.alg, sHeader, sPayload, KEYUTIL.getKey(jwkPrv));

console.log(`DEBUG: DPoP proof=${signedToken}`);
pm.environment.set("dpop_proof", signedToken);
```

bhargavmullakuru commented 5 months ago

@guillaume-chervet Seems like we are missing something while setting headers in packages/oidc-client/src/jwt.ts

guillaume-chervet commented 5 months ago

hi @bhargavmullakuru ,

I'm back. When I try your configuration I get an invalid signature. I will try to find out why.

guillaume-chervet commented 5 months ago

@bhargavmullakuru , I have understood what to do with all your information.

guillaume-chervet commented 5 months ago

hi @bhargavmullakuru ,

I'm pretty sure that the 7.13.16-beta.1276 version works for you :) !

bhargavmullakuru commented 5 months ago

Hi @guillaume-chervet ... I used the version you mentioned above. It was generating an ES256 DPoP by default. Did you change some configuration settings?

guillaume-chervet commented 5 months ago

Hi @bhargavmullakuru, I have tested with this configuration in comments inside the demo:

https://github.com/AxaFrance/oidc-client/blob/main/examples%2Freact-oidc-demo%2Fsrc%2FMultiAuth.tsx#L128

bhargavmullakuru commented 5 months ago

@guillaume-chervet Actually it was not working with that version. I used 7.15.0-alpha.1286 and it worked. Thanks for your help. 🙏🏼

guillaume-chervet commented 5 months ago

Hi @bhargavmullakuru, it should work with the 7.14.0 stable version :)

Thank you so much for all your information, which helped a lot! DPoP is an awesome feature.

bhargavmullakuru commented 5 months ago

Thanks @guillaume-chervet. It's working with the stable version now.

bhargavmullakuru commented 5 months ago

@guillaume-chervet Can I close this issue?

guillaume-chervet commented 5 months ago

Sure, yes!