
DPoP sessions

Open agentydragon opened this issue 4 years ago • 5 comments

Is your feature request related to a problem? Please describe.

I've been trying to talk to Solid (http://solidproject.org) servers with Python. Unfortunately, currently Solid server only works with DPoP tokens.

Here's a few links about DPoP:

  • Draft RFC: https://tools.ietf.org/html/draft-fett-oauth-dpop-04
  • https://darutk.medium.com/illustrated-dpop-oauth-access-token-security-enhancement-801680d761ff
  • https://curity.io/resources/architect/oauth/dpop-overview/

No Python auth library that I found yet supports DPoP, so I had to do it mostly manually (see https://gitlab.com/agentydragon/solid-flask).

Describe the solution you'd like

Probably extend the OAuth2 session class so that it can authenticate itself via DPoP. It might not be very difficult. Required changes:

  • When sending token request, generate a key pair (https://gitlab.com/agentydragon/solid-flask/-/blob/afa42465d4e1e7b9daeeef7d99109f230c39402b/solid_flask_main.py#L196)
  • Add the DPoP header to the token request; the content is a JWT signed by the generated key, and it also includes info about request time, request URL and method (so, in this case, the auth endpoint and POST): https://gitlab.com/agentydragon/solid-flask/-/blob/afa42465d4e1e7b9daeeef7d99109f230c39402b/solid_flask_main.py#L59
  • Then on further requests:
    • Also include the DPoP header for the request
    • And instead of Authentication: Bearer [access token], send the access token prefixed with Authentication: DPoP

Describe alternatives you've considered

  • Other libraries
  • Writing this myself when talking to the Solid server

agentydragon avatar Feb 09 '21 12:02 agentydragon
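The client-side steps listed above (fresh key pair, a DPoP proof JWT bound to method, URL and time, then `Authorization: DPoP <token>` on resource requests), plus the checks a server performs on the proof, as an added example that is neither the issue author's solid-flask code nor part of Authlib. It assumes the `cryptography` package, ES256 with a P-256 key, and placeholder URLs.

```python
import base64, json, time, uuid
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature, encode_dss_signature

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def generate_dpop_key():
    # One fresh P-256 key pair per client session; the private half never leaves the client.
    return ec.generate_private_key(ec.SECP256R1())

def public_jwk(private_key):
    n = private_key.public_key().public_numbers()
    return {"kty": "EC", "crv": "P-256", "x": b64url(n.x.to_bytes(32, "big")),
            "y": b64url(n.y.to_bytes(32, "big"))}

def make_dpop_proof(private_key, method, url, now=None):
    # The proof binds this one request (method + URL + time + unique jti) to the client's key.
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": public_jwk(private_key)}
    payload = {"jti": str(uuid.uuid4()), "htm": method, "htu": url,
               "iat": int(time.time()) if now is None else now}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    r, s = decode_dss_signature(  # JOSE ES256 wants raw r||s, not DER
        private_key.sign(signing_input.encode(), ec.ECDSA(hashes.SHA256())))
    return signing_input + "." + b64url(r.to_bytes(32, "big") + s.to_bytes(32, "big"))

def dpop_headers(private_key, method, url, access_token=None):
    # Token request: DPoP proof only. Resource request: proof plus "Authorization: DPoP <token>".
    headers = {"DPoP": make_dpop_proof(private_key, method, url)}
    if access_token:
        headers["Authorization"] = "DPoP " + access_token
    return headers

def verify_dpop_proof(proof, method, url, max_age=60):
    # Server side: check typ/alg, the signature under the embedded jwk, htm/htu and freshness.
    h, p, sig = proof.split(".")
    header, payload = json.loads(unb64url(h)), json.loads(unb64url(p))
    if header.get("typ") != "dpop+jwt" or header.get("alg") != "ES256":
        raise ValueError("unexpected typ/alg")
    jwk, raw = header["jwk"], unb64url(sig)
    pub = ec.EllipticCurvePublicNumbers(int.from_bytes(unb64url(jwk["x"]), "big"),
          int.from_bytes(unb64url(jwk["y"]), "big"), ec.SECP256R1()).public_key()
    pub.verify(encode_dss_signature(int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")),
               f"{h}.{p}".encode(), ec.ECDSA(hashes.SHA256()))  # raises InvalidSignature
    if payload["htm"] != method or payload["htu"] != url or abs(time.time() - payload["iat"]) > max_age:
        raise ValueError("proof not bound to this request, or stale")
    return payload
```

A real server would additionally remember recent `jti` values to reject replays within the freshness window, and check that the access token's `cnf.jkt` thumbprint matches the proof's `jwk`.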

@agentydragon this is a draft spec, and the current draft has already expired.

This Internet-Draft will expire on 5 September 2020.

I would like to wait for a while to implement this feature.

lepture avatar Feb 09 '21 13:02 lepture

Here is a link to the current draft spec: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-08

The Solid ecosystem is heavily, heavily based on this and a reference Python implementation would be great to boost Python implementations against Solid.

No chance of picking this up again?

wwwald avatar May 06 '22 12:05 wwwald

I'm currently working on Mistune v3. I'll take my open source time into this feature after the release of Mistune v3.

lepture avatar May 07 '22 10:05 lepture

Latest draft: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-13

We wouldn't consider a draft spec in Authlib. There are so many standard specs we haven't implemented yet.

lepture avatar Jan 22 '23 03:01 lepture