8000 Make access Token in user info endpoint bound to the dpop proof by ahus1 · Pull Request #38334 · keycloak/keycloak · GitHub

Make access Token in user info endpoint bound to the dpop proof #38334


Merged
merged 1 commit into from
Mar 31, 2025

Conversation

ahus1
Contributor
@ahus1 ahus1 commented Mar 21, 2025

Closes #38333

@ahus1 ahus1 self-assigned this Mar 21, 2025
Closes keycloak#38333

Signed-off-by: Alexander Schwartz <aschwart@redhat.com>
@ahus1 ahus1 force-pushed the is-38333-dpop-bound-access-token branch from f625a1a to 7238a77 Compare March 21, 2025 14:40
@ahus1 ahus1 marked this pull request as ready for review March 21, 2025 15:32
@ahus1 ahus1 requested review from a team as code owners March 21, 2025 15:32
@ahus1
Contributor Author
ahus1 commented Mar 21, 2025

@tnorimat - this PR tries to refactor parts of the DPoP logic to have it in a more centralized place. It also enforces the validation of DPoP for the access token if the access token is a DPoP token in the user info endpoint.

Please review the changes when you have the time.

Thanks!

cc: @mposolda

@tnorimat
Contributor

@ahus1 Hello, thank you for the PR. I will review the PR.

Contributor
@tnorimat tnorimat left a comment


LGTM

@tnorimat
Contributor

@ahus1 To check whether the PR affects the FAPI 2.0 (profile using DPoP) conformance test results for Keycloak, I ran the conformance tests against Keycloak including the PR and confirmed that Keycloak can still pass the conformance tests.

As I mentioned in #33942, it might be good to look for other endpoints where we should apply DPoP.
IMO, such endpoints are ones where only the client that directly received a DPoP-type access token sends it, e.g., the UserInfo Endpoint and the Token Revocation Endpoint.
We need not apply DPoP to endpoints where an entity other than such a client (e.g., a resource server) sends the access token, e.g., the Token Introspection Endpoint, because such an entity cannot create a valid DPoP proof.

As the PR fixed, the "ath" hash claim in a DPoP proof is needed for an application to access an endpoint with a DPoP-type access token, and the endpoint needs to verify the claim. The UserInfo Endpoint is such an endpoint.
How about a DPoP-type refresh token? In RFC 9449, the "ath" hash claim is not included in a DPoP proof that is sent to the Token Endpoint for token refresh.
Please refer to Figure 7 of https://datatracker.ietf.org/doc/html/rfc9449#section-5.

DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6IkVDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCRnMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JEQSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiItQndDM0VTYzZhY2MybFRjIiwiaHRtIjoiUE9TVCIsImh0dSI6Imh0dHBzOi8vc2VydmVyLmV4YW1wbGUuY29tL3Rva2VuIiwiaWF0IjoxNTYyMjY1Mjk2fQ.pAqut2IRDm_De6PR93SYmGBPXpwrAk90e8cP2hjiaG5QsGSuKDYW7_X620BxqhvYC8ynrrvZLTk41mSRroapUA
->

{
  "jti": "-BwC3ESc6acc2lTc",
  "htm": "POST",
  "htu": "https://server.example.com/token",
  "iat": 1562265296
}

Examples of endpoints that can receive a refresh token are: Token Endpoint (token refresh), OIDC Logout Endpoint (token_hint), Token Revocation Endpoint, Token Introspection Endpoint.

Also, there are endpoints that can receive both an access token and a refresh token, e.g., the Token Revocation Endpoint and the Token Introspection Endpoint.
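The "ath" binding discussed in the comment above, as an added example (this is not Keycloak code and not part of this PR): a Python sketch of the checks a user info endpoint runs on a DPoP proof that arrives together with a DPoP-bound access token. It reuses the RFC 9449 token-endpoint proof quoted above and shows why that proof, which carries no "ath", is rejected at user info. The user info URL, the access token value, its claims, the second key and the placeholder signature segment are constructed; verification of the proof's signature against the key in its own header is assumed to have been done by a JOSE library and is not implemented here.

```python
import base64
import hashlib
import hmac
import json

# Constructed target URL for the user info endpoint (not a Keycloak URL).
USERINFO_URL = "https://server.example.com/userinfo"

# The token-endpoint proof from RFC 9449 Figure 7, as quoted in the comment above.
RFC_TOKEN_ENDPOINT_PROOF = (
    "eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6IkVDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCRnMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JEQSIsImNydiI6IlAtMjU2In19"
    ".eyJqdGkiOiItQndDM0VTYzZhY2MybFRjIiwiaHRtIjoiUE9TVCIsImh0dSI6Imh0dHBzOi8vc2VydmVyLmV4YW1wbGUuY29tL3Rva2VuIiwiaWF0IjoxNTYyMjY1Mjk2fQ"
    ".pAqut2IRDm_De6PR93SYmGBPXpwrAk90e8cP2hjiaG5QsGSuKDYW7_X620BxqhvYC8ynrrvZLTk41mSRroapUA"
)

# Constructed sample access token (opaque string for the purpose of the "ath" hash).
SAMPLE_ACCESS_TOKEN = "constructed-opaque-access-token-value"


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(jwt: str):
    """Split a compact JWS into (header, payload) dicts; the signature is NOT checked here."""
    header_b64, payload_b64, _signature = jwt.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC public JWK: SHA-256 over the required members
    serialised as compact JSON with lexicographically sorted keys."""
    if jwk.get("kty") != "EC":
        raise ValueError("this example only handles EC keys")
    canonical = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                           separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode("ascii")).digest())


def access_token_hash(access_token: str) -> str:
    """The "ath" value: base64url(SHA-256(ASCII(access_token))), RFC 9449 section 4.3."""
    return b64url_encode(hashlib.sha256(access_token.encode("ascii")).digest())


# Key from the RFC proof header, and constructed claims of an access token bound to it
# (cnf.jkt is what the authorization server writes into a DPoP-bound access token).
RFC_PROOF_JWK = decode_unverified(RFC_TOKEN_ENDPOINT_PROOF)[0]["jwk"]
SAMPLE_ACCESS_TOKEN_CLAIMS = {"sub": "user-1", "cnf": {"jkt": jwk_thumbprint(RFC_PROOF_JWK)}}


def check_dpop_bound_access_token(proof_jwt, access_token, access_token_claims,
                                  htm, htu, now, seen_jtis, max_skew=60):
    """Claim-binding checks a resource endpoint (here: user info) runs on a DPoP proof.

    Assumes the proof signature was already verified against the header's jwk. Checks
    that the proof is bound to this request (htm/htu), to the presented access token
    (ath), that the access token is bound to the proof key (cnf.jkt), and freshness
    plus single use (iat/jti). Returns a list of failures; an empty list means accept.
    """
    failures = []
    header, payload = decode_unverified(proof_jwt)
    if header.get("typ") != "dpop+jwt":
        failures.append("typ is not dpop+jwt")
    jwk = header.get("jwk")
    if not jwk:
        return failures + ["proof header carries no jwk"]
    jkt = (access_token_claims.get("cnf") or {}).get("jkt")
    try:
        proof_jkt = jwk_thumbprint(jwk)
    except (KeyError, ValueError):
        return failures + ["unsupported or malformed jwk in proof header"]
    if jkt is None:
        failures.append("access token is not DPoP-bound (no cnf.jkt)")
    elif jkt != proof_jkt:
        failures.append("proof key does not match cnf.jkt")
    if payload.get("htm") != htm:
        failures.append("htm does not match the request method")
    if payload.get("htu") != htu:
        failures.append("htu does not match the request URL")
    ath = payload.get("ath")
    if not isinstance(ath, str):
        failures.append("ath missing: proof is not bound to the presented access token")
    elif not hmac.compare_digest(ath, access_token_hash(access_token)):
        failures.append("ath does not match the presented access token")
    iat = payload.get("iat")
    if not isinstance(iat, int) or abs(now - iat) > max_skew:
        failures.append("iat outside the acceptance window")
    jti = payload.get("jti")
    if not jti:
        failures.append("jti missing")
    elif jti in seen_jtis:
        failures.append("jti replayed")
    if not failures:
        seen_jtis.add(jti)  # remember the proof only once it has been accepted
    return failures


def build_unsigned_proof(jwk, htm, htu, iat, jti, ath=None):
    """Construct a proof for the sample runs; the signature segment is a placeholder."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    payload = {"jti": jti, "htm": htm, "htu": htu, "iat": iat}
    if ath is not None:
        payload["ath"] = ath
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode("ascii"))
    return f"{enc(header)}.{enc(payload)}.signature-omitted"
```

Running `check_dpop_bound_access_token(RFC_TOKEN_ENDPOINT_PROOF, SAMPLE_ACCESS_TOKEN, SAMPLE_ACCESS_TOKEN_CLAIMS, "GET", USERINFO_URL, 1562265296, set())` reports three failures (wrong htm, wrong htu, missing ath): the Figure 7 proof is bound to POST on the token endpoint and to no access token at all, which is exactly the point made above about refresh proofs. A proof built with `build_unsigned_proof` for GET on the user info URL and carrying `access_token_hash(SAMPLE_ACCESS_TOKEN)` is accepted on the first call and rejected as a replay on the second because its jti is remembered; presenting a different access token with the same proof fails the ath comparison, and a proof under a different key fails the cnf.jkt comparison.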

@ahus1
Contributor Author
ahus1 commented Mar 22, 2025

@tnorimat - thank you for reviewing this pull request. Let's continue the discussion in #33942

@ahus1
Contributor Author
ahus1 commented Mar 25, 2025

@mposolda - please approve and merge based on @tnorimat's approval. Thanks!

Contributor
@mposolda mposolda left a comment


@ahus1 @tnorimat Thanks!

@ahus1 ahus1 merged commit 85737f5 into keycloak:main Mar 31, 2025
75 checks passed
Successfully merging this pull request may close these issues.

When calling the user info endpoint, the DPoP is not bound to the access token