panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Populate 'ath' claim in DPoP when access token is used #407

Closed bifurcation closed 3 years ago

bifurcation commented 3 years ago

Fixes #406

According to draft-03 of DPoP:

   When the DPoP proof is used in conjunction with the presentation of
   an access token, see Section 7, the DPoP proof also contains the
   following claim:

   *  "ath": hash of the access token (REQUIRED).  The value MUST be the
      result of a base64url encoding (with no padding) the SHA-256 hash
      of the ASCII encoding of the associated access token's value.

The DPoP implementation in this repository currently does not provide the ath claim when used with an access token (e.g., in userinfo() and requestResource()). This PR updates the DPoP proof construction code so that if an access token is provided, then the ath parameter is included in the proof.

bifurcation commented 3 years ago

I have also verified that this branch interoperates with node-oidc-provider, using the scripts linked in #406.

panva commented 3 years ago

@bifurcation thank you for the PR, I've made a few small adjustments and will release a new minor (this is a feat, not a fix) shortly.