panva
commented
3 years ago For the record, there's no need for these two libraries to interoperate all the time. openid-client simply implemented draft-01 that it also linked to from the readme.
Closed bifurcation closed 3 years ago
panva
commented
3 years ago For the record, there's no need for these two libraries to interoperate all the time. openid-client simply implemented draft-01 that it also linked to from the readme.
bifurcation
commented
3 years ago Ah, sorry, I missed in the documentation that this library was still on draft-01. In any case, thanks for the quick action!
Describe the bug I attempted to create a simple client/server example of DPoP usage, using node-openid-client and node-oidc-provider. The client logs in using DPoP, then attempts to fetch
userinfo. Theuserinforequest fails withinvalid_token (invalid DPoP key binding). Looking into the server side more closely, it appears that theuserinforequest does have a DPoP signature, but it is missing theathfield. According to draft-03 of DPoP, it seems like this field is required "[w]hen the DPoP proof is used in conjunction with the presentation of an access token", so the server's interpretation is correct here.So I think what is needed here is to extend the call to
dpopProof()in therequest()method so that it populates theathparameter in the DPoP payload when the request is made with an access token.To Reproduce
Provider and client JS code provided in this gist. The scripts depend on a few modules, and assume that the domain names
oidc-client.invalidandoidc-provider.invalidare mapped to localhost in/etc/hostsor equivalent.Steps to reproduce the behaviour:
node server.jsNODE_TLS_REJECT_UNAUTHORIZED=0 node client.jsExpected behaviour The
client.jsscript prints a set of claims returned by the provider.Environment:
Additional context Add any other context about the problem here.