okta / okta-sdk-dotnet

A .NET SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.

Demonstrating Proof of Possession (DPoP) header support in Okta SDK #697

Closed sachinsatav closed 5 months ago

sachinsatav commented 9 months ago

Describe the bug?

Can we add DPoP support to the Okta SDK so that it can get a client_credentials token for API use where DPoP support is enabled for the application? Currently Okta is returning an error:

Unhandled exception. Okta.Sdk.Client.ApiException: Error calling GetBearerToken: {"error":"invalid_dpop_proof","error_description":"The DPoP proof JWT header is missing."}
   at Okta.Sdk.Api.OAuthApi.GetBearerTokenWithHttpInfoAsync(CancellationToken cancellationToken)
   at Okta.Sdk.Api.OAuthApi.GetBearerTokenAsync(CancellationToken cancellationToken)
   at Okta.Sdk.Client.DefaultOAuthTokenProvider.RequestAccessTokenAsync(CancellationToken cancellationToken)
   at Okta.Sdk.Client.DefaultOAuthTokenProvider.GetAccessTokenAsync(Boolean forceRenew, CancellationToken cancellationToken)

What is expected to happen?

Expected to get client_credentials token from Okta which would be used to call Okta APIs

What is the actual behavior?

Throws an exception:

Unhandled exception. Okta.Sdk.Client.ApiException: Error calling GetBearerToken: {"error":"invalid_dpop_proof","error_description":"The DPoP proof JWT header is missing."}
   at Okta.Sdk.Api.OAuthApi.GetBearerTokenWithHttpInfoAsync(CancellationToken cancellationToken)
   at Okta.Sdk.Api.OAuthApi.GetBearerTokenAsync(CancellationToken cancellationToken)
   at Okta.Sdk.Client.DefaultOAuthTokenProvider.RequestAccessTokenAsync(CancellationToken cancellationToken)
   at Okta.Sdk.Client.DefaultOAuthTokenProvider.GetAccessTokenAsync(Boolean forceRenew, CancellationToken cancellationToken)

Reproduction Steps?

Steps to produce the issue:

  1. Enable DPoP on your API Service app.
  2. Try to call any API with the Okta configuration, e.g. IGroupApi, and it throws an error:

var oktaConfiguration = new Configuration()
{
    OktaDomain = configuration.GetValue<string>("OktaApi:Domain"),
    AuthorizationMode = AuthorizationMode.PrivateKey,
    ClientId = configuration.GetValue<string>("OktaApi:ClientId"),
    Scopes = new HashSet<string> { "okta.groups.manage" },
    PrivateKey = new JsonWebKeyConfiguration(configuration.GetValue<string>("OktaApi:PrivateKey"))
};
IGroupApi groupApi = new GroupApi(oktaConfiguration);
var groups = await groupApi.ListGroups().ToListAsync();

Additional Information?

No response

.NET Version

8

SDK Version

8

OS version

No response

laura-rodriguez commented 9 months ago

Hi @sachinsatav, Thanks for your feature request. I'll file an internal ticket for the team to review and prioritize.

Internal Ref: OKTA-700583

ivanezeigbo-okta commented 8 months ago

@sachinsatav the team is working on adding DPoP support for all our SDKs. To use DPoP right now, you would have to add the DPoP header to your requests, which is created by using the client's private key to sign a JWT containing the client's public key, HTTP request URL and method. The team is currently working on implementing this support in the SDKs.

mehdi-eaton commented 6 months ago

> @sachinsatav the team is working on adding DPoP support for all our SDKs. To use DPoP right now, you would have to add the DPoP header to your requests, which is created by using the client's private key to sign a JWT containing the client's public key, HTTP request URL and method. The team is currently working on implementing this support in the SDKs.

@ivanezeigbo-okta Can you help me with a sample of how to do this, please? How do I add the DPoP header to requests (using the client's private key to sign a JWT containing the client's public key, HTTP request URL and method)? Does this mean I cannot use the SDK directly and need to create a JWT and then get an access token to call the SDK APIs?
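
The proof described in the comments above (a JWT carrying the public key, HTTP method and URL, signed with the private key) can be built with the .NET base class library alone. This is an added example, not code from the Okta SDK or from anyone in this thread; `DpopProofExample`, the throwaway P-256 key, the choice of ES256 and the `example.okta.com` URL are assumptions, and the `jti`, `iat` and optional `nonce` claims follow RFC 9449.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class DpopProofExample // hypothetical helper, not part of Okta.Sdk
{
    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Builds a DPoP proof JWT (RFC 9449) bound to one HTTP method and URL, signed with ES256.
    public static string CreateProof(ECDsa key, string method, string url, string? nonce = null)
    {
        ECParameters pub = key.ExportParameters(false); // public coordinates only
        var header = new Dictionary<string, object>
        {
            ["typ"] = "dpop+jwt",
            ["alg"] = "ES256",
            ["jwk"] = new Dictionary<string, string>
            {
                ["kty"] = "EC", ["crv"] = "P-256",
                ["x"] = B64Url(pub.Q.X!), ["y"] = B64Url(pub.Q.Y!)
            }
        };
        var payload = new Dictionary<string, object>
        {
            ["jti"] = Guid.NewGuid().ToString(),                  // unique per proof
            ["htm"] = method.ToUpperInvariant(),                  // HTTP method
            ["htu"] = new Uri(url).GetLeftPart(UriPartial.Path),  // URL without query/fragment
            ["iat"] = DateTimeOffset.UtcNow.ToUnixTimeSeconds()   // issued-at, seconds
        };
        if (nonce != null) payload["nonce"] = nonce;              // server-supplied nonce, if any

        string signingInput = B64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
                              B64Url(JsonSerializer.SerializeToUtf8Bytes(payload));
        // .NET's ECDsa.SignData returns r||s (IEEE P1363), the format JWS ES256 requires.
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes(signingInput), HashAlgorithmName.SHA256);
        return signingInput + "." + B64Url(sig);
    }

    public static void Main()
    {
        using ECDsa key = ECDsa.Create(ECCurve.NamedCurves.nistP256); // constructed throwaway key
        string proof = CreateProof(key, "POST", "https://example.okta.com/oauth2/v1/token");
        Console.WriteLine("DPoP: " + proof); // value for the DPoP request header
    }
}
```

The returned string is sent as the `DPoP` request header. Each request needs a fresh proof, because `htm`, `htu`, `jti` and `iat` are specific to that request.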

laura-rodriguez commented 6 months ago

Hi @mehdi-eaton @sachinsatav ! We're currently working on adding support for DPoP. Feel free to follow this PR for updates.

Thank you!

laura-rodriguez commented 5 months ago

Feature available in 8.0.0