New DpopTokenUser class

What does this MR do and why?

ℹ️ This MR needs Add DpopToken class (!173071 - merged) merged first.

See the epic (Allow users to require demonstrated proof of po... (&14383)) for context, pre-work, and other related issues.

This MR is part 2 of:

  1. Add DpopToken class (!173071 - merged)
  2. New DpopTokenUser class (!173662 - merged)
  3. Parse and validate DPoP Tokens (!166206 - merged)

This MR is to provide logic that can:

  1. Validate that a DPoP token (a signed JWT) is well formed according to the spec
    • E.g. each part of the token has the correct number of parts, the signing algorithm is supported, the timestamps are recent enough, a valid key ID is present, etc.
  2. Validate that a DPoP token was correctly signed with one of a user's valid and current signing keys according to the spec. Specifically:
    • the kid references a valid, current signing key for the provided user
    • the ath claim is a signature that corresponds to the private key referenced in kid

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Ash McKenzie
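
As an added illustration of the first kind of check listed in the description (well-formedness only, no signature verification), here is a sketch in Ruby that is not code from this MR or from GitLab. The method names, the algorithm allow-list and the 300-second freshness window are assumptions for the example; the `dpop+jwt` type value comes from RFC 9449.

```ruby
require 'json'
require 'base64'

# Assumed values for this example; the MR description does not state them.
SUPPORTED_ALGS = %w[RS512].freeze
MAX_AGE_SECONDS = 300

# Returns a list of well-formedness problems; an empty list means the proof
# passed these structural checks. The signature is NOT verified here.
def dpop_structure_errors(token, now: Time.now.to_i)
  segments = token.to_s.split('.', -1)
  unless segments.length == 3 && segments.none?(&:empty?)
    return ['expected 3 dot-separated segments']
  end

  header, payload = segments.first(2).map do |seg|
    JSON.parse(Base64.urlsafe_decode64(seg))
  rescue ArgumentError, JSON::ParserError
    nil # not base64url, or not JSON
  end
  unless header.is_a?(Hash) && payload.is_a?(Hash)
    return ['header or payload is not base64url-encoded JSON']
  end

  errors = []
  errors << 'typ must be dpop+jwt' unless header['typ'] == 'dpop+jwt'
  # An allow-list rejects "none" and any algorithm the server did not expect.
  errors << 'unsupported alg' unless SUPPORTED_ALGS.include?(header['alg'])
  errors << 'kid missing' unless header['kid'].is_a?(String) && !header['kid'].empty?
  iat = payload['iat']
  if !iat.is_a?(Integer)
    errors << 'iat missing'
  elsif (now - iat).abs > MAX_AGE_SECONDS
    errors << 'iat outside freshness window'
  end
  errors
end

# Builds a constructed sample proof with a placeholder signature segment.
def sample_proof(header, payload)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  [enc.call(header), enc.call(payload), 'c2lnbmF0dXJl'].join('.')
end
```

A proof that passes these checks still has to be verified against the user's signing key referenced by `kid` before it is trusted.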