solid-client-authn-js

Remove Expiration from the DPoP token

Open jaxoncreed opened this issue 4 years ago • 3 comments

My mistake when I originally wrote this. DPoP tokens don't have expiration dates (https://tools.ietf.org/html/draft-fett-oauth-dpop-04#section-4.1). This line should be removed (https://github.com/inrupt/solid-client-authn-js/blob/bd83305b6a1e72c3662c19c680c59143620e7d9e/packages/oidc-dpop-client-browser/src/dpop/dpop.ts#L122)

jaxoncreed, Oct 23 '20 14:10

Thanks Jackson - PR is here: https://github.com/inrupt/solid-client-authn-js/pull/476

pmcb55, Oct 25 '20 09:10

Actually, https://tools.ietf.org/html/rfc7519#section-4.1.4 registers exp as an optional 'interoperable' JWT claim. https://tools.ietf.org/html/draft-fett-oauth-dpop-04#section-4.1 being a subset of this RFC, I don't think the exp claim is actually incorrect on a DPoP header, just not mandatory. However, it seems that IdPs we use expect this claim to be present. I'll reach out to the maintainers, and update this ticket accordingly.

NSeydoux, Nov 02 '20 14:11

It is indeed a bug that the DPoP header is expected to have an exp claim. When this bug is fixed on the IdP, we can merge #476.

NSeydoux, Nov 02 '20 15:11
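A receiver-side claim check that matches the outcome of this thread, as an added example that is not code from solid-client-authn-js or from any IdP: it requires the `jti`, `htm`, `htu` and `iat` claims, judges freshness from `iat`, and accepts a proof with or without `exp`. The function names, the 60-second window, the exact-match `htu` comparison and the sample proofs are assumptions made for illustration.

```javascript
// Claim checks for a DPoP proof payload. Signature verification and jti replay tracking are out of scope.
const REQUIRED = ["jti", "htm", "htu", "iat"]; // claims listed in draft-04 section 4.1

// Decode the payload segment of a compact JWT without verifying it.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns a list of problems; an empty list means the claims are acceptable.
// maxAgeSeconds and exact htu string matching are assumed policies, not spec values.
function checkDpopClaims(payload, { method, url, now, maxAgeSeconds = 60 }) {
  const problems = [];
  for (const name of REQUIRED) {
    if (payload[name] === undefined) problems.push(`missing ${name}`);
  }
  if (payload.htm !== undefined && payload.htm !== method) problems.push("htm mismatch");
  if (payload.htu !== undefined && payload.htu !== url) problems.push("htu mismatch");
  if (typeof payload.iat === "number" && Math.abs(now - payload.iat) > maxAgeSeconds) {
    problems.push("iat outside acceptance window");
  }
  // exp is optional (RFC 7519 section 4.1.4): absent is fine, present must not be past.
  if (payload.exp !== undefined) {
    if (typeof payload.exp !== "number") problems.push("exp not numeric");
    else if (payload.exp <= now) problems.push("exp in the past");
  }
  return problems;
}

// Constructed sample proofs (unsigned placeholders, usable for the claim check only).
function makeProof(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ typ: "dpop+jwt", alg: "ES256" })}.${enc(claims)}.sig-placeholder`;
}

const NOW = 1603462200; // constructed timestamp
const request = { method: "GET", url: "https://resource.example/data", now: NOW };
const base = { jti: "constructed-id-1", htm: "GET", htu: request.url, iat: NOW - 5 };
function demo() {
  return {
    noExp: checkDpopClaims(decodePayload(makeProof(base)), request),
    futureExp: checkDpopClaims(decodePayload(makeProof({ ...base, exp: NOW + 60 })), request),
    staleIat: checkDpopClaims(decodePayload(makeProof({ ...base, iat: NOW - 3600 })), request),
  };
}
console.log(demo());
```

A verifier written this way keeps working whether or not the client sends `exp`, which is the interoperability problem the thread describes between the client and the IdP.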