Startseite Erkunden Hilfe
Registrieren Anmelden
github
/
spring-security
Mirror von https://github.com/spring-projects/spring-security
2
0
Fork 0
Dateien Issues 0 Wiki
Struktur: 36f1de945f
Branches Tags
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
oauth2
/
resource-server
/
dpop-tokens.adoc

dpop-tokens.adoc 10 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212 
  1. [[oauth2-dpop-bound-access-tokens]]
    2. 

  2. = OAuth 2.0 DPoP-bound Access Tokens
    3. 

  3. 

  4. https://datatracker.ietf.org/doc/html/rfc9449[RFC 9449 OAuth 2.0 Demonstrating Proof of Possession (DPoP)] is an application-level mechanism for sender-constraining an access token.
    5. 

  5. 

  6. The primary goal of DPoP is to prevent unauthorized or illegitimate clients from using leaked or stolen access tokens, by binding an access token to a public key upon issuance by the authorization server and requiring that the client proves possession of the corresponding private key when using the access token at the resource server.
    7. 

  7. 

  8. Access tokens that are sender-constrained via DPoP stand in contrast to the typical bearer token, which can be used by any client in possession of the access token.
    9. 

  9. 

  10. DPoP introduces the concept of a https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-proof-jwts[DPoP Proof], which is a JWT created by the client and sent as a header in an HTTP request.
    11. 

  11. A client uses a DPoP proof to prove the possession of a private key corresponding to a certain public key.
    12. 

  12. 

  13. When the client initiates an <<dpop-access-token-request,access token request>>, it attaches a DPoP proof to the request in an HTTP header.
    14. 

  14. The authorization server binds (sender-constrains) the access token to the public key associated in the DPoP proof.
    15. 

  15. 

  16. When the client initiates a <<dpop-protected-resource-request,protected resource request>>, it again attaches a DPoP proof to the request in an HTTP header.
    17. 

  17. 

  18. The resource server obtains information about the public key bound to the access token, either directly in the access token (JWT) or via the token introspection endpoint.
    19. 

  19. The resource server then verifies that the public key bound to the access token matches the public key in the DPoP proof.
    20. 

  20. It also verifies that the access token hash in the DPoP proof matches the access token in the request.
    21. 

  21. 

  22. [[dpop-access-token-request]]
    23. 

  23. == DPoP Access Token Request
    24. 

  24. 

  25. To request an access token that is bound to a public key using DPoP, the client MUST provide a valid DPoP proof in the `DPoP` header when making an access token request to the authorization server token endpoint.
    26. 

  26. This is applicable for all access token requests regardless of authorization grant type (e.g. `authorization_code`, `refresh_token`, `client_credentials`, etc).
    27. 

  27. 

  28. The following HTTP request shows an `authorization_code` access token request with a DPoP proof in the `DPoP` header:
    29. 

  29. 

  30. [source,shell]
    31. 

  31. ----
    32. 

  32. POST /oauth2/token HTTP/1.1
    33. 

  33. Host: server.example.com
    34. 

  34. Content-Type: application/x-www-form-urlencoded
    35. 

  35. DPoP: eyJraWQiOiJyc2EtandrLWtpZCIsInR5cCI6ImRwb3Arand0IiwiYWxnIjoiUlMyNTYiLCJqd2siOnsia3R5IjoiUlNBIiwiZSI6IkFRQUIiLCJraWQiOiJyc2EtandrLWtpZCIsIm4iOiIzRmxxSnI1VFJza0lRSWdkRTNEZDdEOWxib1dkY1RVVDhhLWZKUjdNQXZRbTdYWE5vWWttM3Y3TVFMMU5ZdER2TDJsOENBbmMwV2RTVElOVTZJUnZjNUtxbzJRNGNzTlg5U0hPbUVmem9ST2pRcWFoRWN2ZTFqQlhsdW9DWGRZdVlweDRfMXRmUmdHNmlpNFVoeGg2aUk4cU5NSlFYLWZMZnFoYmZZZnhCUVZSUHl3QmtBYklQNHgxRUFzYkM2RlNObWtoQ3hpTU5xRWd4YUlwWThDMmtKZEpfWklWLVdXNG5vRGR6cEtxSGN3bUI4RnNydW1sVllfRE5WdlVTRElpcGlxOVBiUDRIOTlUWE4xbzc0Nm9SYU5hMDdycTFob0NnTVNTeS04NVNhZ0NveGxteUUtRC1vZjlTc01ZOE9sOXQwcmR6cG9iQnVoeUpfbzVkZnZqS3cifX0.eyJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9zZXJ2ZXIuZXhhbXBsZS5jb20vb2F1dGgyL3Rva2VuIiwiaWF0IjoxNzQ2ODA2MzA1LCJqdGkiOiI0YjIzNDBkMi1hOTFmLTQwYTUtYmFhOS1kZDRlNWRlYWM4NjcifQ.wq8gJ_G6vpiEinfaY3WhereqCCLoeJOG8tnWBBAzRWx9F1KU5yAAWq-ZVCk_k07-h6DIqz2wgv6y9dVbNpRYwNwDUeik9qLRsC60M8YW7EFVyI3n_NpujLwzZeub_nDYMVnyn4ii0NaZrYHtoGXOlswQfS_-ET-jpC0XWm5nBZsCdUEXjOYtwaACC6Js-pyNwKmSLp5SKIk11jZUR5xIIopaQy521y9qJHhGRwzj8DQGsP7wMZ98UFL0E--1c-hh4rTy8PMeWCqRHdwjj_ry_eTe0DJFcxxYQdeL7-0_0CIO4Ayx5WHEpcUOIzBRoN32RsNpDZc-5slDNj9ku004DA
    36. 

  36. 

  37. grant_type=authorization_code\
    38. 

  38. &client_id=s6BhdRkqt\
    39. 

  39. &code=SplxlOBeZQQYbYS6WxSbIA\
    40. 

  40. &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb\
    41. 

  41. &code_verifier=bEaL42izcC-o-xBk0K2vuJ6U-y1p9r_wW2dFWIWgjz-
    42. 

  42. ----
    43. 

  43. 

  44. The following shows a representation of the DPoP Proof JWT header and claims:
    45. 

  45. 

  46. [source,json]
    47. 

  47. ----
    48. 

  48. {
    49. 

  49.   "typ": "dpop+jwt",
    50. 

  50.   "alg": "RS256",
    51. 

  51.   "jwk": {
    52. 

  52.     "kty": "RSA",
    53. 

  53.     "e": "AQAB",
    54. 

  54.     "n": "3FlqJr5TRskIQIgdE3Dd7D9lboWdcTUT8a-fJR7MAvQm7XXNoYkm3v7MQL1NYtDvL2l8CAnc0WdSTINU6IRvc5Kqo2Q4csNX9SHOmEfzoROjQqahEcve1jBXluoCXdYuYpx4_1tfRgG6ii4Uhxh6iI8qNMJQX-fLfqhbfYfxBQVRPywBkAbIP4x1EAsbC6FSNmkhCxiMNqEgxaIpY8C2kJdJ_ZIV-WW4noDdzpKqHcwmB8FsrumlVY_DNVvUSDIipiq9PbP4H99TXN1o746oRaNa07rq1hoCgMSSy-85SagCoxlmyE-D-of9SsMY8Ol9t0rdzpobBuhyJ_o5dfvjKw"
    55. 

  55.   }
    56. 

  56. }
    57. 

  57. ----
    58. 

  58. 

  59. [source,json]
    60. 

  60. ----
    61. 

  61. {
    62. 

  62.   "htm": "POST",
    63. 

  63.   "htu": "https://server.example.com/oauth2/token",
    64. 

  64.   "iat": 1746806305,
    65. 

  65.   "jti": "4b2340d2-a91f-40a5-baa9-dd4e5deac867"
    66. 

  66. }
    67. 

  67. ----
    68. 

  68. 

  69. The following code shows an example of how to generate the DPoP Proof JWT:
    70. 

  70. 

  71. [tabs]
    72. 

  72. ======
    73. 

  73. Java::
    74. 

  74. +
    75. 

  75. [source,java,role="primary"]
    76. 

  76. ----
    77. 

  77. RSAKey rsaKey = ...
    78. 

  78. JWKSource<SecurityContext> jwkSource = (jwkSelector, securityContext) -> jwkSelector
    79. 

  79. 		.select(new JWKSet(rsaKey));
    80. 

  80. NimbusJwtEncoder jwtEncoder = new NimbusJwtEncoder(jwkSource);
    81. 

  81. 

  82. JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256)
    83. 

  83. 		.type("dpop+jwt")
    84. 

  84. 		.jwk(rsaKey.toPublicJWK().toJSONObject())
    85. 

  85. 		.build();
    86. 

  86. JwtClaimsSet claims = JwtClaimsSet.builder()
    87. 

  87. 		.issuedAt(Instant.now())
    88. 

  88. 		.claim("htm", "POST")
    89. 

  89. 		.claim("htu", "https://server.example.com/oauth2/token")
    90. 

  90. 		.id(UUID.randomUUID().toString())
    91. 

  91. 		.build();
    92. 

  92. 

  93. Jwt dPoPProof = jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, claims));
    94. 

  94. ----
    95. 

  95. ======
    96. 

  96. 

  97. After the authorization server successfully validates the DPoP proof, the public key from the DPoP proof will be bound (sender-constrained) to the issued access token.
    98. 

  98. 

  99. The following access token response shows the `token_type` parameter as `DPoP` to signal to the client that the access token was bound to its DPoP proof public key:
    100. 

  100. 

  101. [source,shell]
    102. 

  102. ----
    103. 

  103. HTTP/1.1 200 OK
    104. 

  104. Content-Type: application/json
    105. 

  105. Cache-Control: no-store
    106. 

  106. 

  107. {
    108. 

  108.  "access_token": "Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU",
    109. 

  109.  "token_type": "DPoP",
    110. 

  110.  "expires_in": 2677
    111. 

  111. }
    112. 

  112. ----
    113. 

  113. 

  114. [[dpop-public-key-confirmation]]
    115. 

  115. == Public Key Confirmation
    116. 

  116. 

  117. Resource servers MUST be able to identify whether an access token is DPoP-bound and verify the binding to the public key of the DPoP proof.
    118. 

  118. The binding is accomplished by associating the public key with the access token in a way that can be accessed by the resource server, such as embedding the public key hash in the access token directly (JWT) or through token introspection.
    119. 

  119. 

  120. When an access token is represented as a JWT, the public key hash is contained in the `jkt` claim under the confirmation method (`cnf`) claim.
    121. 

  121. 

  122. The following example shows the claims of a JWT access token containing a `cnf` claim with a `jkt` claim, which is the JWK SHA-256 Thumbprint of the DPoP proof public key:
    123. 

  123. 

  124. [source,json]
    125. 

  125. ----
    126. 

  126. {
    127. 

  127.   "sub":"user@example.com",
    128. 

  128.   "iss":"https://server.example.com",
    129. 

  129.   "nbf":1562262611,
    130. 

  130.   "exp":1562266216,
    131. 

  131.   "cnf":
    132. 

  132.   {
    133. 

  133.     "jkt":"CQMknzRoZ5YUi7vS58jck1q8TmZT8wiIiXrCN1Ny4VU"
    134. 

  134.   }
    135. 

  135. }
    136. 

  136. ----
    137. 

  137. 

  138. [[dpop-protected-resource-request]]
    139. 

  139. == DPoP Protected Resource Request
    140. 

  140. 

  141. Requests to DPoP-protected resources MUST include both a DPoP proof and the DPoP-bound access token.
    142. 

  142. The DPoP proof MUST include the `ath` claim with a valid hash of the access token.
    143. 

  143. The resource server will calculate the hash of the received access token and verify that it is the same as the `ath` claim in the DPoP proof.
    144. 

  144. 

  145. A DPoP-bound access token is sent using the `Authorization` request header with an authentication scheme of `DPoP`.
    146. 

  146. 

  147. The following HTTP request shows a protected resource request with a DPoP-bound access token in the `Authorization` header and the DPoP proof in the `DPoP` header:
    148. 

  148. 

  149. [source,shell]
    150. 

  150. ----
    151. 

  151. GET /resource HTTP/1.1
    152. 

  152. Host: resource.example.com
    153. 

  153. Authorization: DPoP Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU
    154. 

  154. DPoP: eyJraWQiOiJyc2EtandrLWtpZCIsInR5cCI6ImRwb3Arand0IiwiYWxnIjoiUlMyNTYiLCJqd2siOnsia3R5IjoiUlNBIiwiZSI6IkFRQUIiLCJraWQiOiJyc2EtandrLWtpZCIsIm4iOiIzRmxxSnI1VFJza0lRSWdkRTNEZDdEOWxib1dkY1RVVDhhLWZKUjdNQXZRbTdYWE5vWWttM3Y3TVFMMU5ZdER2TDJsOENBbmMwV2RTVElOVTZJUnZjNUtxbzJRNGNzTlg5U0hPbUVmem9ST2pRcWFoRWN2ZTFqQlhsdW9DWGRZdVlweDRfMXRmUmdHNmlpNFVoeGg2aUk4cU5NSlFYLWZMZnFoYmZZZnhCUVZSUHl3QmtBYklQNHgxRUFzYkM2RlNObWtoQ3hpTU5xRWd4YUlwWThDMmtKZEpfWklWLVdXNG5vRGR6cEtxSGN3bUI4RnNydW1sVllfRE5WdlVTRElpcGlxOVBiUDRIOTlUWE4xbzc0Nm9SYU5hMDdycTFob0NnTVNTeS04NVNhZ0NveGxteUUtRC1vZjlTc01ZOE9sOXQwcmR6cG9iQnVoeUpfbzVkZnZqS3cifX0.eyJodG0iOiJHRVQiLCJodHUiOiJodHRwczovL3Jlc291cmNlLmV4YW1wbGUuY29tL3Jlc291cmNlIiwiYXRoIjoiZlVIeU8ycjJaM0RaNTNFc05yV0JiMHhXWG9hTnk1OUlpS0NBcWtzbVFFbyIsImlhdCI6MTc0NjgwNzEzOCwianRpIjoiM2MyZWU5YmItMDNhYy00MGNmLWI4MTItMDBiZmJhMzQxY2VlIn0.oS6NwjURR6wZemh1ZBNiBjycGeXwnkguLtgiKdCjQSEhFQpEJm04bBa0tdfZgWT17Z2mBgddnNQSkROzUGfssg8rBBldZXOAiduF-whtEGZA-pXXWJilXrwH3Glb6hIOMZOVmIH8fmYCDmqn-sE_DmDIsv57Il2-jdZbgeDcrxADO-6E5gsuNf1jvy7qqHq7INrKX6jRuydti_Re35lecvaAWfTyD7s7tQ_-3x_xLxxPwf_eA6z8OWbc58O2PYoUeO2JKLiOIg6UVZOZzxLEWV42WIKjha_kkoykvsf98W2y8pWOEr65u0VPsn5esw2X3I1eFL_A-XkxstZHRaGXJg
    155. 

  155. ----
    156. 

  156. 

  157. The following shows a representation of the DPoP Proof JWT header and claims with the `ath` claim:
    158. 

  158. 

  159. [source,json]
    160. 

  160. ----
    161. 

  161. {
    162. 

  162.   "typ": "dpop+jwt",
    163. 

  163.   "alg": "RS256",
    164. 

  164.   "jwk": {
    165. 

  165.     "kty": "RSA",
    166. 

  166.     "e": "AQAB",
    167. 

  167.     "n": "3FlqJr5TRskIQIgdE3Dd7D9lboWdcTUT8a-fJR7MAvQm7XXNoYkm3v7MQL1NYtDvL2l8CAnc0WdSTINU6IRvc5Kqo2Q4csNX9SHOmEfzoROjQqahEcve1jBXluoCXdYuYpx4_1tfRgG6ii4Uhxh6iI8qNMJQX-fLfqhbfYfxBQVRPywBkAbIP4x1EAsbC6FSNmkhCxiMNqEgxaIpY8C2kJdJ_ZIV-WW4noDdzpKqHcwmB8FsrumlVY_DNVvUSDIipiq9PbP4H99TXN1o746oRaNa07rq1hoCgMSSy-85SagCoxlmyE-D-of9SsMY8Ol9t0rdzpobBuhyJ_o5dfvjKw"
    168. 

  168.   }
    169. 

  169. }
    170. 

  170. ----
    171. 

  171. 

  172. [source,json]
    173. 

  173. ----
    174. 

  174. {
    175. 

  175.   "htm": "GET",
    176. 

  176.   "htu": "https://resource.example.com/resource",
    177. 

  177.   "ath": "fUHyO2r2Z3DZ53EsNrWBb0xWXoaNy59IiKCAqksmQEo",
    178. 

  178.   "iat": 1746807138,
    179. 

  179.   "jti": "3c2ee9bb-03ac-40cf-b812-00bfba341cee"
    180. 

  180. }
    181. 

  181. ----
    182. 

  182. 

  183. The following code shows an example of how to generate the DPoP Proof JWT:
    184. 

  184. 

  185. [tabs]
    186. 

  186. ======
    187. 

  187. Java::
    188. 

  188. +
    189. 

  189. [source,java,role="primary"]
    190. 

  190. ----
    191. 

  191. RSAKey rsaKey = ...
    192. 

  192. JWKSource<SecurityContext> jwkSource = (jwkSelector, securityContext) -> jwkSelector
    193. 

  193. 		.select(new JWKSet(rsaKey));
    194. 

  194. NimbusJwtEncoder jwtEncoder = new NimbusJwtEncoder(jwkSource);
    195. 

  195. 

  196. String accessToken = ...
    197. 

  197. 

  198. JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256)
    199. 

  199. 		.type("dpop+jwt")
    200. 

  200. 		.jwk(rsaKey.toPublicJWK().toJSONObject())
    201. 

  201. 		.build();
    202. 

  202. JwtClaimsSet claims = JwtClaimsSet.builder()
    203. 

  203. 		.issuedAt(Instant.now())
    204. 

  204. 		.claim("htm", "GET")
    205. 

  205. 		.claim("htu", "https://resource.example.com/resource")
    206. 

  206. 		.claim("ath", sha256(accessToken))
    207. 

  207. 		.id(UUID.randomUUID().toString())
    208. 

  208. 		.build();
    209. 

  209. 

  210. Jwt dPoPProof = jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader, claims));
    211. 

  211. ----
    212. 

  212. ======
    213.