DPoP verification in UserInfo endpoint #22240
Conversation
| @@ -251,6 +254,18 @@ private Response issueUserInfo() { | |||
| } | |||
| } | |||
|
|
|||
| if (Profile.isFeatureEnabled(Profile.Feature.DPOP)) { | |||
| if (OIDCAdvancedConfigWrapper.fromClientModel(clientModel).isUseDPoP() || request.getHttpHeaders().getHeaderString(DPoPUtil.DPOP_HTTP_HEADER) != null) { | |||
There was a problem hiding this comment.
This means that if client doesn't require DPoP, but still DPoP was used during authentication, the validation won't be done in case that DPoP header is not present in UserInfo endpoint.
To me, it would makes sense to require validate DPoP always if it was used during authentication? In case that accessToken contains thumbprint, it means that DPoP was used during authentication and in that case, it might be always verified? So I can think about something like this:
if (OIDCAdvancedConfigWrapper.fromClientModel(clientModel).isUseDPoP() || accessTokenHasDPoPThumbprint()) {
WDYT? Can that work?
There was a problem hiding this comment.
Yes, you are right. The current PR bypasses the DPoP verification when a client sends DPoP bound access token without DPoP proof header. I will fix the PR as you suggested.
There was a problem hiding this comment.
Actually, I think that if we address #21919, the token type should be set as DPoP. So in that case, the check can be even simpler as:
if (OIDCAdvancedConfigWrapper.fromClientModel(clientModel).isUseDPoP() || DPoPUtil.DPOP_TOKEN_TYPE.equals(token.getType())) {
or something like that.
There was a problem hiding this comment.
Yes, I used DPoPUtil.DPOP_TOKEN_TYPE.equals(token.getType()).
83f3238 to
142da2e
Compare
|
@tnorimat I think I guess that it would be possibly needed also to update some checks - like |
142da2e to
719e266
Compare
|
@mposolda I resolved the errors of the CI tests. Could you check the revised PR? |
|
@tnorimat Nice, Thanks |
closes #22215