Closed bifurcation closed 3 years ago
For the record, there's no need for these two libraries to interoperate all the time. openid-client simply implemented draft-01 that it also linked to from the readme.
Ah, sorry, I missed in the documentation that this library was still on draft-01. In any case, thanks for the quick action!
Describe the bug
I attempted to create a simple client/server example of DPoP usage, using node-openid-client and node-oidc-provider. The client logs in using DPoP, then attempts to fetch `userinfo`. The `userinfo` request fails with `invalid_token (invalid DPoP key binding)`. Looking into the server side more closely, it appears that the `userinfo` request does have a DPoP signature, but it is missing the `ath` field. According to draft-03 of DPoP, it seems like this field is required "[w]hen the DPoP proof is used in conjunction with the presentation of an access token", so the server's interpretation is correct here.

So I think what is needed here is to extend the call to `dpopProof()` in the `request()` method so that it populates the `ath` parameter in the DPoP payload when the request is made with an access token.

To Reproduce
Provider and client JS code provided in this gist. The scripts depend on a few modules, and assume that the domain names `oidc-client.invalid` and `oidc-provider.invalid` are mapped to localhost in `/etc/hosts` or equivalent.

Steps to reproduce the behaviour:
node server.js
NODE_TLS_REJECT_UNAUTHORIZED=0 node client.js
Expected behaviour
The `client.js` script prints a set of claims returned by the provider.

Environment: