DuendeSoftware / Support

Support for Duende Software products

How can CIBA be used together with DPoP? #1337

Closed ciprian-radu-visma closed 2 months ago

ciprian-radu-visma commented 3 months ago

Which version of Duende IdentityServer are you using? We are using Duende IdentityServer version 6.3.8.

Which version of .NET are you using? We are using .NET version 6.0.19.

Describe the bug

This is not a bug report. It is a question. We have a mobile app which communicates with an API that supports only DPoP. Our Duende Identity Server can issue DPoP tokens to the mobile app.

We would like to make our mobile app use the Client Initiated Backchannel Authentication (CIBA) flow. With respect to https://docs.duendesoftware.com/identityserver/v7/ui/images/ciba.png our mobile app would be the Client. The user would be notified in the web browser to make the authorization.

Using https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v6/UserInteraction/Ciba we saw how we could use CIBA for our use case. However, the CIBA flow issues Bearer tokens.

How can we adapt this flow to issue a DPoP token?

So far we thought about modifying the BackchannelAuthenticationRequest and put the DPoP header, while the Client is configured with RequireDPoP = true. We are also thinking that maybe we could exchange the obtained Bearer token for a DPoP token.

Is it possible to achieve what we want? What are your recommendations? Maybe you can give us a code sample or more details. Thank you in advance!

To Reproduce

Run https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v6/UserInteraction/Ciba

Expected behavior

Bearer tokens are generated, which is correct, but can we make it generate DPoP tokens?

josephdecock commented 2 months ago

Hi, this is an interesting combination that I don't think we have a sample for, but I would be interested in considering in the future.

I haven't tried this yet, but my first thought would be to start with the latest Ciba sample (https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/UserInteraction/Ciba has some updates that aren't in the v6 sample you linked to). If you update the IdentityModel package reference to version 7.0.0, you should have support for both Ciba and DPoP in the client library, and you would basically need to produce a proof token and add it to the backchannel authentication request, like you're suggesting.

I would give that a try and if you run into problems we can debug with you and possibly flesh out the idea of a CIBA/DPoP sample.

Finally, I would avoid token exchange, because you would have to start with a token that was not sender constrained, and then you'd exchange it for a sender constrained (DPoP) token. While you might be able to lock down the not sender constrained token to only be used for exchange, just by existing I think the security benefits of a sender constrained token are undermined somewhat.
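The client side of the approach described above, as an added example that is not part of this thread or of the Duende Ciba sample. It assumes IdentityModel 7.0.0 and, as I understand that package's API (verify against it before relying on it), the `DPoPProofTokenFactory`/`DPoPProofRequest` types, the `DPoPProofToken` property on every protocol request, and `TokenResponse.DPoPNonce`. RFC 9449 places the proof on the token-endpoint request, so the proof is attached to the CIBA polling (token) request, with a fresh proof per poll and a retry when the server answers `use_dpop_nonce`; the backchannel authentication request itself is left as in a plain CIBA client. All endpoints, client credentials and the API URL are placeholders.

```csharp
// Added example (not the thread's or the Duende sample's code): CIBA + DPoP with IdentityModel 7.0.0.
// Assumed API surface: DPoPProofTokenFactory, DPoPProofRequest, ProtocolRequest.DPoPProofToken,
// TokenResponse.DPoPNonce. Endpoints and credentials below are placeholders.
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text.Json;
using System.Threading.Tasks;
using IdentityModel.Client;
using Microsoft.IdentityModel.Tokens;

public static class CibaDpopClient
{
    const string Authority = "https://localhost:5001";      // placeholder IdentityServer
    const string ClientId = "ciba-dpop-client";             // placeholder client id
    const string ClientSecret = "secret";                   // placeholder client secret
    const string ApiUrl = "https://localhost:6001/identity"; // placeholder DPoP-only API

    public static async Task Main()
    {
        // 1. DPoP key pair. The private key stays on the device; the public JWK is embedded in each
        //    proof and the server binds the access token to its thumbprint (cnf.jkt).
        var rsa = new RsaSecurityKey(RSA.Create(2048)) { KeyId = Guid.NewGuid().ToString() };
        var jwk = JsonWebKeyConverter.ConvertFromRSASecurityKey(rsa);
        jwk.Alg = "PS256";
        var proofFactory = new DPoPProofTokenFactory(JsonSerializer.Serialize(jwk));

        var http = new HttpClient();
        var disco = await http.GetDiscoveryDocumentAsync(Authority);
        if (disco.IsError) throw new Exception(disco.Error);

        // 2. Backchannel authentication request: unchanged from a plain CIBA client.
        var bcResponse = await http.RequestBackchannelAuthenticationAsync(new BackchannelAuthenticationRequest
        {
            Address = disco.BackchannelAuthenticationEndpoint,
            ClientId = ClientId,
            ClientSecret = ClientSecret,
            Scope = "openid profile api1",
            LoginHint = "alice",
            BindingMessage = "ciba-dpop-demo"
        });
        if (bcResponse.IsError) throw new Exception(bcResponse.Error);

        // 3. Poll the token endpoint. The proof belongs on the token request (RFC 9449); each poll
        //    gets a fresh proof because jti is single-use, and the server may demand its own nonce.
        string nonce = null;
        TokenResponse tokenResponse;
        while (true)
        {
            var proof = proofFactory.CreateProofToken(new DPoPProofRequest
            {
                Url = disco.TokenEndpoint,
                Method = "POST",
                DPoPNonce = nonce
            });

            tokenResponse = await http.RequestBackchannelAuthenticationTokenAsync(new BackchannelAuthenticationTokenRequest
            {
                Address = disco.TokenEndpoint,
                ClientId = ClientId,
                ClientSecret = ClientSecret,
                AuthenticationRequestId = bcResponse.AuthenticationRequestId,
                DPoPProofToken = proof.ProofToken
            });

            if (!tokenResponse.IsError) break;

            if (tokenResponse.Error == "use_dpop_nonce" && tokenResponse.DPoPNonce != null)
            {
                nonce = tokenResponse.DPoPNonce; // retry immediately with the server-issued nonce
                continue;
            }
            if (tokenResponse.Error is "authorization_pending" or "slow_down")
            {
                // Convert.ToInt32 tolerates Interval being int or int? across package versions.
                await Task.Delay(TimeSpan.FromSeconds(Math.Max(Convert.ToInt32(bcResponse.Interval), 5)));
                continue;
            }
            throw new Exception(tokenResponse.Error);
        }

        // 4. Check the result is actually sender-constrained: token_type must be "DPoP". A "Bearer"
        //    answer means the proof was ignored (e.g. RequireDPoP not set on the client).
        if (!string.Equals(tokenResponse.TokenType, "DPoP", StringComparison.OrdinalIgnoreCase))
            throw new Exception($"Expected a DPoP token, got {tokenResponse.TokenType}");

        // 5. Call the API with a proof bound to this request (AccessToken adds the ath claim).
        var apiProof = proofFactory.CreateProofToken(new DPoPProofRequest
        {
            Url = ApiUrl,
            Method = "GET",
            AccessToken = tokenResponse.AccessToken
        });
        var apiRequest = new HttpRequestMessage(HttpMethod.Get, ApiUrl);
        apiRequest.SetToken("DPoP", tokenResponse.AccessToken); // Authorization: DPoP <token>
        apiRequest.Headers.Add("DPoP", apiProof.ProofToken);
        var apiResponse = await http.SendAsync(apiRequest);
        Console.WriteLine($"API returned {(int)apiResponse.StatusCode}");
    }
}
```

The `token_type` check in step 4 is the cheapest way to confirm the server actually bound the token rather than silently falling back to Bearer, and it is why token exchange from a Bearer token is a worse starting point: a plain Bearer token would already exist and be usable before any binding happens.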

ciprian-radu-visma commented 2 months ago

Hi, thank you for your reply @josephdecock!

CIBA with DPoP indeed works. I was able to adapt the https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v6/UserInteraction/Ciba sample. Here's a draft: https://github.com/ciprian-radu-visma/Samples/pull/1 We'll try to integrate this approach in our system.

Identity Server v7 does not seem to be needed, but I did bump it from 6.0.0 to 6.3.8 (the version we use now). Please let me know if we actually need to upgrade to Identity Server v7. Maybe there will be issues (which we're not aware of so far) if we don't do this, for this use case.

josephdecock commented 2 months ago

Sounds great. There isn't actually a need to upgrade to identity server 7. The v7 version of the sample has had some general code cleanup done throughout (including in the other projects) but that isn't ultimately important. It was mostly just code style improvements, as I recall.

You should probably start thinking about eventually upgrading to IdentityServer 7 and .NET 8, because IdentityServer 6 and .NET 6 will reach end of support in November. But it isn't needed for dpop + ciba.