Dpop payload claim invalid value #1247

Closed
sadukar opened this issue Dec 20, 2023 · 10 comments · Fixed by #1249

Comments

@sadukar

sadukar commented Dec 20, 2023

Issue and Steps to Reproduce

It seems like there is a typo in the jwt.ts file where setting the claim

```typescript
export const generateJwtDemonstratingProofOfPossessionAsync = (jwk, method = 'POST', url: string, extrasClaims = {}) => {
    const claims = {
        // https://www.rfc-editor.org/rfc/rfc9449.html#name-concept
        jit: btoa(guid()),
        htm: method,
        htu: url,
        iat: Math.round(Date.now() / 1000),
        ...extrasClaims,
    };
    // @ts-ignore
    return JWK.thumbprint(jwk).then(function(kid) {
        // @ts-ignore
        return JWT.sign(jwk, { /*kid: kid*/ }, claims).then(function(jwt) {
            // console.info('JWT:', jwt);
            return jwt;
        });
    });
}
```

According to the spec, the claim `jit` does not exist; it should be `jti`. This results in an invalid jti claim result on all DPoP-enabled requests.

@guillaume-chervet
Contributor

Hi @sadukar, thank you very much for this issue.

Which OIDC server are you using? I'm looking at one to test this killer feature properly.
I will fix it as quickly as I can.

@sadukar
Author

sadukar commented Dec 20, 2023

Hi, thanks for the quick reply.
I am using Duende Identity Server; maybe I could expose an instance for you to test against and share some creds in private. Not sure if the demo one from Duende has this option. Let me know if that would help.

Other than the claim name it seems to be working OK: the JWT is created and signed properly. I will need to test the refresh token behavior and compatibility with reference tokens, but it looks very promising. Thanks for all the hard work.

@guillaume-chervet
Contributor

Hi @sadukar, I fixed it in the latest version.

@guillaume-chervet
Contributor

@sadukar, I'm waiting for your feedback on whether it requires another fix!

@sadukar
Author

sadukar commented Dec 20, 2023

Thank you so much, will follow up after testing.

@guillaume-chervet
Contributor

Did you succeed, @sadukar?

@guillaume-chervet
Contributor

Hi @sadukar, did you succeed in using it?

@guillaume-chervet
Contributor

Hi @sadukar, we fixed everything with DPoP use. Do you still have any problems with it?

@guillaume-chervet
Contributor

Hi @sadukar, did it work?

@guillaume-chervet
Contributor

Hi @sadukar, I am closing the issue. It works well on my side. Feel free to reopen it if you need to.
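
The claim-level check a DPoP-enabled server applies to the proof discussed in this issue, as an added example that is not part of the thread or the project's code: it shows why a payload carrying `jit` instead of `jti` is rejected, and what `jti` is used for (replay detection). The function names, the 300-second window and the sample values are assumptions; signature verification is omitted.

```javascript
// Added example: claim-level checks on a DPoP proof (RFC 9449).
// Signature verification is out of scope; all helper names are hypothetical.
const REQUIRED_CLAIMS = ['jti', 'htm', 'htu', 'iat'];
const encodePart = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const decodePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// htu is compared without query and fragment; returns null for an invalid URL.
function stripQueryAndFragment(url) {
  try {
    const u = new URL(url);
    u.search = '';
    u.hash = '';
    return u.href;
  } catch (e) {
    return null;
  }
}

// Returns a list of problems; an empty list means the claims are acceptable.
function checkDpopClaims(proofJwt, method, url, nowSec, seenJti, maxAgeSec = 300) {
  const parts = String(proofJwt).split('.');
  if (parts.length !== 3) return ['not a compact JWS'];
  let header, claims;
  try {
    header = decodePart(parts[0]);
    claims = decodePart(parts[1]);
    if (Object(header) !== header || Object(claims) !== claims) throw new Error();
  } catch (e) {
    return ['header or payload is not a base64url-encoded JSON object'];
  }
  const problems = [];
  if (header.typ !== 'dpop+jwt') problems.push('typ must be dpop+jwt');
  for (const name of REQUIRED_CLAIMS) {
    if (claims[name] === undefined) problems.push(`missing claim ${name}`);
  }
  if (claims.jti === undefined && claims.jit !== undefined) problems.push('found jit (typo for jti?)');
  if (problems.length > 0) return problems;
  if (claims.htm !== method) problems.push('htm does not match request method');
  const htu = stripQueryAndFragment(claims.htu);
  if (htu === null || htu !== stripQueryAndFragment(url)) problems.push('htu does not match request URL');
  if (typeof claims.iat !== 'number' || Math.abs(nowSec - claims.iat) > maxAgeSec) problems.push('iat outside window');
  if (seenJti.has(claims.jti)) problems.push('jti already used (replay)');
  else if (problems.length === 0) seenJti.add(claims.jti); // remember accepted proofs only
  return problems;
}

// Constructed sample proof; the signature part is a placeholder and is never verified here.
function makeProof(claims) {
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: { kty: 'EC', crv: 'P-256' } };
  return `${encodePart(header)}.${encodePart(claims)}.c2ln`;
}
```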
