facile-it / php-openid-client

PHP OpenID Client

Request for information about the OpenID Connect and DPoP #1

Open drupol opened 3 years ago

drupol commented 3 years ago

Hello,

My name is Pol Dellaiera, I'm a developer working as a consultant for the European Commission (EC). I'm a very lucky worker because everything that I do is open source; you can find the work that we do here: https://github.com/ecphp/

I published PHP libraries and Symfony bundles for authentication, especially CAS.

Recently, I've been given the task to create a bundle that will facilitate the authentication of requests at EC.

The protocol in use is OpenID Connect (DPoP).

Basically a request with a specific header Authorization: pop AT-123456-somethingsomething comes in and I need to authenticate it, and get the claims.

While I'm not an expert in authentication, I'm checking on GitHub for PHP libraries that could help with doing this, and there are not a lot. Documentation is not extensive either.

My question is then the following: could this bundle help in building a standard Symfony bundle for OpenID Connect authentication supporting DPoP?

Thanks !

thomasvargiu commented 3 years ago

Hello Pol,

I didn't know the DPoP RFC draft and I was reading it. Honestly I think that with very small changes we can support it. Right now you can create your own code to support DPoP (see below).

  1. First we should create a decorator for `AuthMethodInterface`, in order to detect a DPoP token in the `Authorization` header and create the DPoP JWT to inject into the request. We can also write a helper to do that on a generic PSR request.
  2. Next step, we should fix a few places where we're using the `Bearer` token type literally; we should use the `token_type` returned from the IdP, this could be a BC. The problem isn't in the `AuthorizationService` but in the dynamic `RegistrationService` and `UserInfoService`.
  3. Then we should write a validator to be used on the resource server.

If you don't need the `RegistrationService` or the `UserInfoService` until we resolve the 2nd issue, I think it could be enough to implement the 1st step by writing a decorator for the `AuthMethodInterface`. Then you can use the `AuthMethodFactory`, injecting the decorated `AuthMethodInterface`s, using it when creating the client with the `ClientBuilder`. Now the token and refresh token requests should work.

I think we'll work on it to support DPoP in the future (or next days), but PRs are welcome.
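Steps 1 and 3 above (a client-side helper that produces the DPoP proof JWT for a request, and a validator for the resource server) as an added example. This is not code from php-openid-client or from the ecphp bundle, and it does not touch the library's `AuthMethodInterface`; it uses only ext-openssl and ext-json, an RS256 key, the header and claim names of RFC 9449 (`DPoP` header, `typ: dpop+jwt`, `htm`, `htu`, `ath`, `jti`, `iat`, and the `cnf.jkt` thumbprint the authorization server binds into the access token). The helper names (`dpop_proof`, `dpop_validate`, `jwk_to_pem`, ...) are hypothetical and the access token and URL are constructed placeholders.

```php
<?php
// Added example, not code from facile-it/php-openid-client: a minimal DPoP
// (RFC 9449) proof builder and resource-server validator using only ext-openssl
// and ext-json. Helper names (dpop_proof, dpop_validate, ...) are hypothetical.
declare(strict_types=1);

function b64url(string $data): string { return rtrim(strtr(base64_encode($data), '+/', '-_'), '='); }
function b64url_decode(string $data): string { return (string) base64_decode(strtr($data, '-_', '+/'), true); }

// --- tiny DER encoder so the server can rebuild an RSA public key from the proof's JWK ---
function der(string $tag, string $body): string {
    $len = strlen($body);
    if ($len < 0x80) return $tag . chr($len) . $body;
    $lenBytes = ltrim(pack('N', $len), "\0");
    return $tag . chr(0x80 | strlen($lenBytes)) . $lenBytes . $body;
}
function der_uint(string $bin): string {
    $bin = ltrim($bin, "\0");
    $positive = ($bin === '') || ((ord($bin[0]) & 0x80) !== 0); // leading 0x00 keeps INTEGER positive
    return der("\x02", $positive ? "\0" . $bin : $bin);
}
function jwk_to_pem(array $jwk): string {
    $rsa = der("\x30", der_uint(b64url_decode($jwk['n'])) . der_uint(b64url_decode($jwk['e'])));
    $algId = "\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"; // rsaEncryption OID + NULL params
    $spki = der("\x30", $algId . der("\x03", "\0" . $rsa));
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spki), 64, "\n") . "-----END PUBLIC KEY-----\n";
}

function public_jwk($privateKey): array {
    $d = openssl_pkey_get_details($privateKey)['rsa'];
    return ['kty' => 'RSA', 'n' => b64url($d['n']), 'e' => b64url($d['e'])];
}
function jwk_thumbprint(array $jwk): string { // RFC 7638: required members only, lexicographic order, no whitespace
    return b64url(hash('sha256', json_encode(['e' => $jwk['e'], 'kty' => $jwk['kty'], 'n' => $jwk['n']]), true));
}

// Client side: what a decorator around the auth method would generate and send in the DPoP header.
function dpop_proof($privateKey, string $method, string $uri, ?string $accessToken = null): string {
    $header = ['typ' => 'dpop+jwt', 'alg' => 'RS256', 'jwk' => public_jwk($privateKey)];
    $claims = ['jti' => bin2hex(random_bytes(16)), 'htm' => $method, 'htu' => $uri, 'iat' => time()];
    if ($accessToken !== null) {
        $claims['ath'] = b64url(hash('sha256', $accessToken, true)); // binds this proof to that access token
    }
    $input = b64url(json_encode($header)) . '.' . b64url(json_encode($claims));
    openssl_sign($input, $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return $input . '.' . b64url($sig);
}

// Resource-server side: the checks RFC 9449 §4.3 requires before the access token may be honoured.
function dpop_validate(string $proof, string $method, string $uri, string $accessToken,
                       string $expectedJkt, array &$seenJti, int $maxSkew = 60): array {
    $parts = explode('.', $proof);
    if (count($parts) !== 3) throw new RuntimeException('malformed proof');
    [$h, $c, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    $claims = json_decode(b64url_decode($c), true);
    if (!is_array($header) || !is_array($claims)) throw new RuntimeException('bad JSON');
    if (($header['typ'] ?? '') !== 'dpop+jwt' || ($header['alg'] ?? '') !== 'RS256') throw new RuntimeException('bad typ/alg');
    $jwk = $header['jwk'] ?? null;
    if (!is_array($jwk) || ($jwk['kty'] ?? '') !== 'RSA') throw new RuntimeException('no RSA jwk in header');
    // The key carried in the header is trusted only because its thumbprint equals cnf.jkt in the access token.
    if (!hash_equals($expectedJkt, jwk_thumbprint($jwk))) throw new RuntimeException('proof key not bound to token');
    $pub = openssl_pkey_get_public(jwk_to_pem($jwk));
    if ($pub === false || openssl_verify("$h.$c", b64url_decode($s), $pub, OPENSSL_ALGO_SHA256) !== 1) throw new RuntimeException('bad signature');
    if (($claims['htm'] ?? '') !== $method || ($claims['htu'] ?? '') !== $uri) throw new RuntimeException('proof is for a different request');
    if (!isset($claims['iat']) || abs(time() - (int) $claims['iat']) > $maxSkew) throw new RuntimeException('proof too old or from the future');
    if (!hash_equals(b64url(hash('sha256', $accessToken, true)), (string) ($claims['ath'] ?? ''))) throw new RuntimeException('ath does not match presented token');
    $jti = (string) ($claims['jti'] ?? '');
    if ($jti === '' || isset($seenJti[$jti])) throw new RuntimeException('replayed or missing jti');
    $seenJti[$jti] = time(); // a real server stores this with a TTL of about $maxSkew seconds
    return $claims;
}

// Demo with constructed values. The resource server learns cnf.jkt from the access token's claims or introspection.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$accessToken = 'AT-123456-constructed';                // placeholder, not a real token
$uri = 'https://api.example.test/resource';            // placeholder URL
$jkt = jwk_thumbprint(public_jwk($key));               // what the AS would embed as cnf.jkt
$proof = dpop_proof($key, 'GET', $uri, $accessToken);  // sent as "DPoP: <proof>" with "Authorization: DPoP <token>"
$seen = [];
$claims = dpop_validate($proof, 'GET', $uri, $accessToken, $jkt, $seen);
echo "valid proof, jti={$claims['jti']}\n";
foreach ([[$proof, 'GET', $uri], [$proof, 'POST', $uri]] as [$p, $m, $u]) {   // replay, then wrong method
    try { dpop_validate($p, $m, $u, $accessToken, $jkt, $seen); }
    catch (RuntimeException $e) { echo "rejected: {$e->getMessage()}\n"; }
}
```

The order of checks matters on the server: the thumbprint comparison comes before signature verification so that an attacker cannot make the server verify a proof with an arbitrary key it chose, and the `jti` is only recorded once every other check has passed, so a rejected proof cannot burn an identifier. Replacing the in-memory `$seenJti` array with a shared cache keyed by `jti` and expiring at `$maxSkew` is the one piece a production validator still needs.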

drupol commented 3 years ago

Dear @thomasvargiu,

Thanks for your reply, this is very good news.

However, and as far as I understand (but I may be wrong), I do not need to use the whole set of features of this library. I just need to use a small subset of it.

Do you think you would have time for a chat today?

Basically it would be to discuss how we can

  1. Fix our needs
  2. Contribute to your library

I've sent you an email already, let me know what you think.

drupol commented 3 years ago

This has been done and released here: https://github.com/ecphp/eu-login-api-authentication-bundle/

I'm busy writing the tests and the rest, but we have a working solution, this is great!

drupol commented 1 year ago

@thomasvargiu Hello! Any update on supporting the DPoP draft ?

thomasvargiu commented 1 year ago

I'm sorry @drupol, the issue was closed and I didn't look at it. I'm going to re-open it to remember to work on DPoP.

drupol commented 1 year ago

Thanks!

I'll actively follow this.