
[Question]: Support for DPoP from RFC 9449

Open jonathanantoine opened this issue 1 year ago • 4 comments

Is your feature request related to a problem? Please describe.
Is it planned to support RFC 9449 now that it's official :)

https://www.rfc-editor.org/rfc/rfc9449

Describe the solution you'd like
Out-of-the-box support for RFC 9449 via configuration.

Additional context
Thanks a lot for your hard work.

jonathanantoine, Jan 23 '24 10:01

Hi @jonathanantoine, thanks.

At present this is not possible from a public client. You need to keep a secret for this. Maybe at some stage the browsers will support non-exportable certificates; then this would be possible, but I believe this is not possible yet.

Kind regards, Damien

damienbod, Jan 24 '24 09:01

Hello @damienbod,

The goal of this RFC is to provide DPoP for public clients, and especially browsers.

Am I missing something?

jonathanantoine, Jan 24 '24 19:01

Hi @jonathanantoine. To use DPoP you need a certificate with a public/private key pair. The private part, or the secret, is in the client. One way this could work in the future is when browsers support non-exportable certificates. Then we could use DPoP.

damienbod, Jan 25 '24 03:01

First of all, thanks for answering me @damienbod.

Can't we use the SubtleCrypto JavaScript API?

The idea is to generate a private key for each authentication session.

The key would still be accessible if you can execute code in the same context, but this is less probable, and the tokens would not be usable on their own.

jonathanantoine, Jan 25 '24 06:01