Manage custom headers in GET/POST requests and respons with (neded in DPOP)

[andrea-dintino]

DPOP (https://datatracker.ietf.org/doc/html/rfc9449) requires proof-of-possession to transit inside HTTP requests. DPOP requires an ecdsa signature on P-256 performed on a token and packaged (somehow) in the headers. The signature will occur in TEE (also to be managed via Slangroom?) ideally (!) in the same script as the GET/POST creation.

• Slangroom should offer full manipulation of the headers in request creation:
  • accepting a string dictionary as input for the headers
  • producing a GET/POST with the string dictionary in the header
• In response: it should extract the header to a string dictionary
• Slangroom could also manage the DPOP using synthetic statements:
  • A statement (C -> S) to produce the first DPOP request (optionally accepting a string dictionary as parameter?)
  • A statement (S -> C) to produce the token response
  • A statement (C) to extract the token from the response
  • (if possible) A statement (C) to produce the signature in TEE
  • A statement (C -> S) to produce the DPOP signature request
  • A statement (S) to verify the DPOP signature

Examples:

  curl --request POST
  --url 'https://${yourOktaDomain}/oauth2/default/v1/token' \
  --header 'Accept: application/json' \
  --header 'DPoP: eyJ0eXAiOiJkcG9w.....H8-u9gaK2-oIj8ipg' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'grant_type=authorization_code' \
  --data 'redirect_uri=https://${yourOktaDomain}/app/oauth2' \
  --data 'code=XGa_U6toXP0Rvc.....SnHO6bxX0ikK1ss-nA' \
  --data 'code_verifier=k9raCwW87d_wYC.....zwTkqPqksT6E_s' \
  --data 'client_id=${clientId}'

curl -v -X GET \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: DPoP eyJraWQiOiJRVX.....wt7oSakPDUg' \
  --header 'DPoP: eyJ0eXAiOiJkcG9w.....H8-u9gaK2-oIj8ipg' \
  "https://resource.example.org"

Taken from: https://developer.okta.com/docs/guides/dpop/main/#build-the-request

Reference implementation: https://github.com/italia/eudi-wallet-it-python/tree/dev/pyeudiw/oauth2/dpop

[denizenging]

It already allows you to specify a string dictionary for headers of all supported http methods:

Given I connect to 'host' and send object 'dataToPost' and send headers 'stringDict" and do post

If this isn't something you're seeking for, please let me know.