Description
This is about adding DPoP validation to the UserInfo endpoint.
A few points on this:
- The DPoP specification [1] does not mention anything about the UserInfo endpoint. I guess it is related to the fact that DPoP is an "OAuth" based specification, while UserInfo is an "OpenID Connect" specific thing.
- The OIDC specification part about the UserInfo endpoint [2] talks only about "Bearer" tokens. It does not mention "DPoP".
- For the MTLS HoK access tokens, we're doing validation at the UserInfo endpoint [3].
I discussed this with @tnorimat and we agreed that we should add the validations to the UserInfo endpoint and require that the DPoP header is present for DPoP tokens.
This means that a DPoP access token won't be able to call the UserInfo endpoint when using just the Bearer header, which is a good thing IMO, as it would usually be just the client itself which is able to invoke the UserInfo endpoint.
[1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-11
[2] https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
[3] https://github.com/keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/endpoints/UserInfoEndpoint.java#L245-L252
Discussion
No response
Motivation
No response
Details
No response
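The binding rule the issue settles on (a DPoP-bound access token presented to UserInfo must use the `DPoP` authorization scheme and carry a `DPoP` proof header; a `Bearer` presentation of the same token is rejected), as an added Python example that is not Keycloak's code and not part of the issue. The UserInfo URL, key coordinates, claims and token shapes below are constructed sample input, the JWT signatures are placeholders, and the example assumes that signature, issuer, expiry and jti replay checks on both the access token and the proof are done upstream; it implements only the sender-constraint decision, the RFC 7638 thumbprint comparison against `cnf.jkt`, and the `htm`/`htu`/`ath` checks from draft -11.

```python
import base64
import hashlib
import json
from typing import Dict, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace.
    Optional members such as 'use' or 'kid' must not influence the result."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode("utf-8")
    return b64url_encode(hashlib.sha256(canonical).digest())


def split_jwt(token: str) -> Tuple[dict, dict]:
    """Decode header and payload. Assumption: signatures were verified upstream."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def encode_jwt(header: dict, payload: dict) -> str:
    """JWT-shaped string with a placeholder signature; only used to build the sample input."""
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return f"{enc(header)}.{enc(payload)}.{b64url_encode(b'placeholder-signature')}"


class UserInfoAuthError(Exception):
    pass


def validate_userinfo_auth(headers: Dict[str, str], method: str, htu: str) -> dict:
    """Return the access token claims if the presentation is acceptable for UserInfo, else raise."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if not token:
        raise UserInfoAuthError("missing access token")
    _, claims = split_jwt(token)
    jkt = (claims.get("cnf") or {}).get("jkt")

    if jkt is None:
        # Plain access token: Bearer is the only scheme that makes sense here.
        if scheme != "Bearer":
            raise UserInfoAuthError(f"unexpected scheme {scheme!r} for a non-DPoP token")
        return claims

    # DPoP-bound token: the point of the issue is that Bearer presentation is refused.
    if scheme != "DPoP":
        raise UserInfoAuthError("DPoP-bound token presented with the Bearer scheme")
    proof = headers.get("DPoP")
    if proof is None:
        raise UserInfoAuthError("DPoP header missing for DPoP-bound token")
    proof_header, proof_claims = split_jwt(proof)
    if proof_header.get("typ") != "dpop+jwt":
        raise UserInfoAuthError("DPoP proof has wrong typ")
    if jwk_thumbprint(proof_header["jwk"]) != jkt:
        raise UserInfoAuthError("proof key does not match cnf.jkt in the access token")
    if proof_claims.get("htm") != method or proof_claims.get("htu") != htu:
        raise UserInfoAuthError("proof htm/htu do not match this request")
    # ath binds this proof to exactly this access token (draft -11, section 4.2).
    expected_ath = b64url_encode(hashlib.sha256(token.encode("ascii")).digest())
    if proof_claims.get("ath") != expected_ath:
        raise UserInfoAuthError("proof ath does not match the presented access token")
    return claims


def rejection_reason(headers: Dict[str, str], method: str, htu: str) -> Optional[str]:
    """None when accepted, otherwise the reason the request was refused."""
    try:
        validate_userinfo_auth(headers, method, htu)
        return None
    except UserInfoAuthError as exc:
        return str(exc)


# Constructed sample input: hypothetical URL, sample key coordinates, placeholder signatures.
USERINFO_URL = "https://idp.example.test/realms/demo/protocol/openid-connect/userinfo"
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "use": "sig"}
ACCESS_TOKEN = encode_jwt({"alg": "ES256", "typ": "JWT"},
                          {"sub": "alice", "scope": "openid", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}})
DPOP_PROOF = encode_jwt({"typ": "dpop+jwt", "alg": "ES256", "jwk": CLIENT_JWK},
                        {"jti": "7d1a", "htm": "GET", "htu": USERINFO_URL, "iat": 1700000000,
                         "ath": b64url_encode(hashlib.sha256(ACCESS_TOKEN.encode("ascii")).digest())})

HEADERS_DPOP = {"Authorization": f"DPoP {ACCESS_TOKEN}", "DPoP": DPOP_PROOF}
HEADERS_BEARER_ONLY = {"Authorization": f"Bearer {ACCESS_TOKEN}"}   # the case the issue rejects
HEADERS_DPOP_NO_PROOF = {"Authorization": f"DPoP {ACCESS_TOKEN}"}

if __name__ == "__main__":
    print("DPoP + proof :", validate_userinfo_auth(HEADERS_DPOP, "GET", USERINFO_URL)["sub"])
    print("Bearer only  :", rejection_reason(HEADERS_BEARER_ONLY, "GET", USERINFO_URL))
    print("DPoP no proof:", rejection_reason(HEADERS_DPOP_NO_PROOF, "GET", USERINFO_URL))
```

The `jkt` comparison is what actually ties the proof to the token; the `ath` check additionally stops a proof captured for one token from being replayed with another, and `htm`/`htu` pin it to the UserInfo request. A real implementation must also verify the proof signature with the embedded `jwk`, bound `iat` freshness and track `jti` for replay, which this example leaves to upstream code.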