
Required `ath` claim is missing from DPoP header

Open NSeydoux opened this issue 1 year ago • 3 comments

Search terms you've used

dpop, ath

Impacted package

Which packages do you think might be impacted by the bug?

  • [ ] solid-client-authn-browser
  • [ ] solid-client-authn-node
  • [X] solid-client-authn-core
  • [ ] oidc-client-ext
  • [ ] Other (please specify): ...

Bug description

To Reproduce

  1. Start the demo at /packages/browser/examples/single/bundle
  2. Go to http://localhost:3113
  3. Log in to your OpenID Provider (e.g. https://login.inrupt.com)
  4. Perform an authenticated request

Expected result

The last authenticated request should include both an Access Token in the Authorization header, and a JWT in the dpop header containing an ath claim, which is mandatory as per https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-proof-jwt-syntax.

Actual result

The dpop JWT doesn't have an ath claim.

Environment

Please run

$ npx envinfo --system --npmPackages --binaries --npmGlobalPackages --browsers

  System:
    OS: Linux 6.2 Ubuntu 23.04 23.04 (Lunar Lobster)
    CPU: (16) x64 12th Gen Intel(R) Core(TM) i7-1270P
    Memory: 18.11 GB / 31.05 GB
    Container: Yes
    Shell: 5.9 - /usr/bin/zsh
  Binaries:
    Node: 18.17.0 - /run/user/1000/fnm_multishells/231754_1697187935683/bin/node
    npm: 9.6.7 - /run/user/1000/fnm_multishells/231754_1697187935683/bin/npm
  npmGlobalPackages:
    corepack: 0.18.0
    npm: 9.6.7

Additional information

The problem comes from the implementation of the DPoP signature here: https://github.com/inrupt/solid-client-authn-js/blob/3bad9251649e299a05982e27bc4a24afd59c4fd8/packages/core/src/authenticatedFetch/dpopUtils.ts#L57.

NSeydoux, Oct 13 '23 09:10

Thanks for reporting this in https://github.com/inrupt/solid-client-authn-js/issues/3181#issuecomment-1760548522 @damooo! This will be fixed soon.

NSeydoux, Oct 13 '23 09:10

Just a note on this for context: this is due to the fact that our library implemented an older draft version of DPoP. The specification obviously changed between that point in time and its current published status, so before fixing this one issue, we'll go over the latest spec, and check what other aspects of it are missing from our libraries, so that we bridge that gap in one go instead of fixing misalignments piecemeal.

NSeydoux, Oct 20 '23 12:10

Hello,

If there is any chance for me to help with this, I'd be happy to put some time into making some changes.

zg009, Jan 18 '24 17:01