
Add DpopToken class

What does this MR do and why?

See the epic (Allow users to require demonstrated proof of po... (&14383)) for context, pre-work, and other related issues.

This MR is part 1 of:

  1. Add DpopToken class (!173071 - merged)
  2. New DpopTokenUser class (!173662 - merged)
  3. Parse and validate DPoP Tokens (!166206 - merged)

This MR is to provide logic that can:

  1. Validate that DPoP token (a signed JWT) is well formed according to the spec
    • E.g. each part of the token has the correct number of parts, the signing algorithm is supported, the timestamps are recent enough, that a valid key ID is present, etc.
  2. Validate that a DPoP token was correctly signed with one of a user's valid and current signing keys according to the spec. Specifically:
    • the kid references a valid, current signing key for the provided user
    • the ath claim is a signature that corresponds to the private key referenced in kid
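As an added illustration of the two checks listed above, here is a stand-alone Ruby sketch written for this page; it is not the MR's DpopToken class and not GitLab code. It uses only the standard library (OpenSSL, Base64, JSON). Assumptions: only RS256 is accepted, a 300 s freshness window with 30 s of clock skew, hypothetical names DpopProof / validate!, and the ath claim is checked as RFC 9449 defines it, the base64url SHA-256 hash of the access token the proof is presented with. The sample keys, request and access token are constructed inline.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'digest'
require 'securerandom'

# Constructed example: a minimal DPoP proof validator, not GitLab's DpopToken.
class DpopProofError < StandardError; end

module DpopProof
  ALLOWED_ALGS    = %w[RS256].freeze # asymmetric only; symmetric HS* algs are never accepted
  MAX_AGE_SECONDS = 300              # assumed freshness window for iat
  CLOCK_SKEW      = 30               # assumed tolerance for iat slightly in the future

  def self.b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Builds a DPoP proof JWT (RFC 9449 shape) signed with the user's private key.
  def self.build(private_key:, kid:, http_method:, http_uri:, access_token:, iat: Time.now.to_i)
    header  = { typ: 'dpop+jwt', alg: 'RS256', kid: kid }
    payload = { jti: SecureRandom.uuid, htm: http_method, htu: http_uri, iat: iat,
                ath: b64url(Digest::SHA256.digest(access_token)) }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    "#{signing_input}.#{b64url(private_key.sign('SHA256', signing_input))}"
  end

  # Step 1 (well-formedness) and step 2 (signed by one of the user's current keys).
  # user_keys maps kid => public key, and must contain only the presenting user's keys.
  def self.validate!(token, user_keys:, http_method:, http_uri:, access_token:, now: Time.now.to_i)
    parts = token.to_s.split('.', -1)
    raise DpopProofError, 'token must have exactly three parts' unless parts.size == 3

    header  = decode_segment(parts[0], 'header')
    payload = decode_segment(parts[1], 'payload')

    raise DpopProofError, 'typ must be dpop+jwt' unless header['typ'] == 'dpop+jwt'
    raise DpopProofError, "unsupported alg #{header['alg'].inspect}" unless ALLOWED_ALGS.include?(header['alg'])
    kid = header['kid']
    raise DpopProofError, 'kid missing' unless kid.is_a?(String) && !kid.empty?

    iat = payload['iat']
    raise DpopProofError, 'iat missing or not an integer' unless iat.is_a?(Integer)
    raise DpopProofError, 'proof is stale or from the future' unless (now - iat).between?(-CLOCK_SKEW, MAX_AGE_SECONDS)

    raise DpopProofError, 'htm/htu do not match this request' unless payload['htm'] == http_method && payload['htu'] == http_uri
    raise DpopProofError, 'ath does not match the presented access token' unless payload['ath'] == b64url(Digest::SHA256.digest(access_token))

    public_key = user_keys[kid]
    raise DpopProofError, 'kid does not reference a current key for this user' unless public_key

    signature = begin
      Base64.urlsafe_decode64(parts[2])
    rescue ArgumentError
      raise DpopProofError, 'signature is not base64url'
    end
    verified = begin
      public_key.verify('SHA256', signature, "#{parts[0]}.#{parts[1]}")
    rescue OpenSSL::PKey::PKeyError
      false
    end
    raise DpopProofError, 'signature does not verify' unless verified
    payload
  end

  def self.decode_segment(segment, name)
    obj = JSON.parse(Base64.urlsafe_decode64(segment))
    raise DpopProofError, "#{name} must be a JSON object" unless obj.is_a?(Hash)
    obj
  rescue ArgumentError, JSON::ParserError
    raise DpopProofError, "#{name} is not base64url-encoded JSON"
  end

  # Returns true when the block raises DpopProofError, false when it passes.
  def self.rejects?
    yield
    false
  rescue DpopProofError
    true
  end

  # Stand-alone walkthrough: one accepted proof, then rejected variants. Constructed data only.
  def self.demo
    key  = OpenSSL::PKey::RSA.new(2048)
    keys = { 'key-1' => key.public_key }
    req  = { http_method: 'GET', http_uri: 'https://gitlab.example/api/v4/user', access_token: 'glpat-constructed' }
    t0   = 1_700_000_000
    fresh = build(private_key: key, kid: 'key-1', iat: t0, **req)
    stale = build(private_key: key, kid: 'key-1', iat: t0 - 3600, **req)
    other = build(private_key: key, kid: 'revoked', iat: t0, **req)
    h, p, s = fresh.split('.')
    tampered = [h, p, (s[0] == 'A' ? 'B' : 'A') + s[1..]].join('.') # flip the first signature char
    {
      valid:          validate!(fresh, user_keys: keys, now: t0 + 5, **req)['htm'],
      stale_rejected: rejects? { validate!(stale, user_keys: keys, now: t0 + 5, **req) },
      unknown_kid:    rejects? { validate!(other, user_keys: keys, now: t0 + 5, **req) },
      wrong_ath:      rejects? { validate!(fresh, user_keys: keys, now: t0 + 5, **req.merge(access_token: 'glpat-other')) },
      tampered:       rejects? { validate!(tampered, user_keys: keys, now: t0 + 5, **req) }
    }
  end
end

puts DpopProof.demo.inspect if $PROGRAM_NAME == __FILE__
```

The structural checks run before any key lookup so that a malformed or stale proof never reaches the signature step, and the key map is scoped to the presenting user so a kid belonging to someone else cannot verify.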

How to set up and validate locally

Currently, this MR only adds the DPoP token class, which will be used by the REST/GraphQL API. To see the planned usage, please see Add DPoP checks in GraphQL and API requests (!169013 - merged).

Edited by Ash McKenzie
