openidconnect-rs

support dPoP protocol

Open damooo opened this issue 3 years ago • 4 comments

Hello, thanks for your work

It would be great if the library could support the dPoP protocol (OAuth 2.0 Demonstrating Proof-of-Possession).

dPoP is now a fairly de-facto standard to bind an access token to a particular client and ensure stolen access tokens don't cause any damage.

And the Solid protocol, which enables decentralised identity and collaboration over personal resources, mandates the use of dPoP, for example.

damooo avatar Dec 06 '21 15:12 damooo

This seems like a reasonable enhancement to this crate, although the standard looks like it's still in a draft state: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-04. Are there any major OpenID Connect providers using this yet?

ramosbugs avatar Dec 06 '21 20:12 ramosbugs

Yes, though in draft stage, it is fairly used in production. Auth0 supports it. And SOLID-OIDC mandates it, as it supports decentralised identity.

damooo avatar Dec 07 '21 11:12 damooo

@ramosbugs, you can see dPoP being listed in OAuth Working Group Specifications too.

damooo avatar Dec 21 '21 11:12 damooo

I put together an MVP draft for a bare minimum of DPoP functionality, feedback welcome.

Gearme avatar Apr 11 '23 15:04 Gearme