Suggestions for DPoP related OP tests
Suggestions for DPoP related tests, for now without dpop-nonce, for your consideration to adopt.
As per DPoP with Pushed Authorization Requests and DPoP in general
Happy flow
- When dpop_jkt is provided at the PAR endpoint, the same public key that matches the thumbprint is used at the token endpoint.
- The OP should be tested that when DPoP is used at the PAR endpoint, the thumbprint of the DPoP public key is used as the dpop_jkt value and the same public key that matches the thumbprint is used at the token endpoint.
- The OP should be tested that when DPoP is used at the PAR endpoint and dpop_jkt is explicitly provided, the request does not error if dpop_jkt matches the DPoP public key.
- The OP should be tested that it accepts iat values within "X" delta of the current timestamp (past and future).
Negative tests
- Send a dpop_jkt to the PAR endpoint that does not match the key then used at the token endpoint
- Send a dpop proof to the PAR endpoint that does not match the key then used at the token endpoint
- When DPoP is used at the PAR endpoint and a mismatched dpop_jkt is explicitly provided, the PAR request is rejected.
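To make the happy-flow and negative cases above concrete, here is an added example (not part of the original suggestion and not conformance-suite code) of the server-side binding checks an OP would need to pass them: an RFC 7638 JWK thumbprint, the PAR-endpoint decision between an explicit dpop_jkt and a DPoP proof key, the token-endpoint comparison against the bound thumbprint, and the iat window check. The JWKs, the `run_flow` helper and the `DpopBindingError` name are constructed for illustration; the key coordinates are sample values, not real keys. The block covers only the binding logic the suggested tests exercise, so proof signature, htm/htu and jti checks are left out.

```python
import base64
import hashlib
import json
from typing import Optional

# Members that enter the RFC 7638 JWK Thumbprint, per key type. Anything else
# in the JWK (kid, alg, use, ...) is deliberately excluded from the hash.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK Thumbprint (RFC 7638), base64url-encoded without padding.

    This is the value carried in dpop_jkt and compared against the public key
    in the "jwk" header of a DPoP proof.
    """
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    # RFC 7638: required members only, lexicographic order, no whitespace.
    canonical = json.dumps(
        {m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":")
    )
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class DpopBindingError(Exception):
    """Raised whenever the OP should reject the request (constructed name)."""


def par_endpoint(explicit_dpop_jkt: Optional[str], proof_jwk: Optional[dict]) -> Optional[str]:
    """Return the thumbprint the OP binds to the pushed authorization request.

    - dpop_jkt only: bind the value as given.
    - DPoP proof only: derive dpop_jkt from the proof's public key.
    - both: accept only if they agree, otherwise reject the PAR request.
    """
    if proof_jwk is None:
        return explicit_dpop_jkt
    derived = jwk_thumbprint(proof_jwk)
    if explicit_dpop_jkt is not None and explicit_dpop_jkt != derived:
        raise DpopBindingError("dpop_jkt does not match the DPoP proof key at PAR")
    return derived


def token_endpoint(bound_jkt: Optional[str], proof_jwk: dict) -> str:
    """Reject the token request if its DPoP key differs from the bound thumbprint."""
    presented = jwk_thumbprint(proof_jwk)
    if bound_jkt is not None and presented != bound_jkt:
        raise DpopBindingError("DPoP key at token endpoint does not match dpop_jkt")
    return presented


def iat_acceptable(iat: int, now: int, delta_seconds: int) -> bool:
    """Accept a proof whose iat lies within +/- delta of the server clock."""
    return abs(now - iat) <= delta_seconds


def run_flow(explicit_dpop_jkt: Optional[str], par_proof_jwk: Optional[dict], token_proof_jwk: dict) -> str:
    """Drive PAR then the token endpoint; returns the bound thumbprint or raises."""
    bound = par_endpoint(explicit_dpop_jkt, par_proof_jwk)
    return token_endpoint(bound, token_proof_jwk)


# Constructed sample JWKs: the coordinates are sample strings, not real keys.
KEY_A = {"kty": "EC", "crv": "P-256",
         "x": "l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
         "y": "9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA"}
KEY_B = {"kty": "EC", "crv": "P-256",
         "x": "Z2lS2Q0oUvhmeFgtYB6AKtmM6l5Aw7hUlrDqhUeHG9g",
         "y": "sxU9pn0fSGiI4JkqkyHeUnxRtIXYlPOiXcXMhTBS2U0"}


if __name__ == "__main__":
    jkt_a = jwk_thumbprint(KEY_A)
    print("happy: proof at PAR, same key at token ->", run_flow(None, KEY_A, KEY_A) == jkt_a)
    print("happy: explicit dpop_jkt matching proof ->", run_flow(jkt_a, KEY_A, KEY_A) == jkt_a)
    for label, args in (("dpop_jkt vs other token key", (jkt_a, None, KEY_B)),
                        ("PAR proof vs other token key", (None, KEY_A, KEY_B)),
                        ("mismatched explicit dpop_jkt at PAR", (jkt_a, KEY_B, KEY_B))):
        try:
            run_flow(*args)
            print("negative:", label, "-> NOT rejected")
        except DpopBindingError as e:
            print("negative:", label, "-> rejected:", e)
```

Each negative test in the list maps to one `run_flow` call that must raise; the happy-flow tests are the calls that return the bound thumbprint unchanged. The iat test is the `iat_acceptable` check with the suite's chosen "X" delta.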