    Working DPoP feature built on top of Rodauth · 201d2556
    Amir authored and Tiago committed
    This is a working DPoP feature built on top of Rodauth. It is not yet
    ready for production use; however, it contains most of the elements of the
    DPoP spec and conforms with the requirements outlined in section 4.3:
    4.3. Checking DPoP Proofs
    To validate a DPoP proof, the receiving server MUST ensure that
    1. there is not more than one DPoP HTTP request header field,
    2. the DPoP HTTP request header field value is a single well-formed JWT,
    3. all required claims per Section 4.2 are contained in the JWT,
    4. the typ JOSE header parameter has the value dpop+jwt,
    5. the alg JOSE header parameter indicates a registered asymmetric digital signature algorithm [IANA.JOSE.ALGS], is not none, is supported by the application, and is acceptable per local policy,
    6. the JWT signature verifies with the public key contained in the jwk JOSE header parameter,
    7. the jwk JOSE header parameter does not contain a private key,
    8. the htm claim matches the HTTP method of the current r...
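The validation steps quoted above, carried through in working code. This is an added example, not Rodauth's code and not code from this commit: a self-contained Ruby validator for checks 1 through 8 of RFC 9449 section 4.3, plus the htu comparison that follows them in the same section, with its own ES256 signer so a proof can be built and checked offline. The request shape, the DpopCheck module and method names, the ES256-only policy, and the constructed sample proof are all assumptions of the example.

```ruby
require "openssl"
require "json"

# Added example, not code from Rodauth or from the commit above: a minimal
# DPoP proof validator implementing checks 1-8 of RFC 9449 section 4.3 (plus
# the htu comparison that follows them), with its own ES256 signer so it runs
# stand-alone. Only ES256 is accepted, as a stand-in for "local policy".
module DpopCheck
  ALLOWED_ALGS = ["ES256"].freeze
  PRIVATE_JWK_MEMBERS = %w[d p q dp dq qi oth k].freeze   # RFC 7518 private/secret members
  REQUIRED_CLAIMS = %w[jti htm htu iat].freeze            # RFC 9449 section 4.2

  class Invalid < StandardError; end

  def self.b64url(bin)
    [bin].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.b64url_decode(str)
    raise Invalid, "2: bad base64url" unless str.match?(/\A[A-Za-z0-9_-]+\z/)
    (str.tr("-_", "+/") + "=" * ((4 - str.length % 4) % 4)).unpack1("m0")
  rescue ArgumentError
    raise Invalid, "2: bad base64url"
  end

  # Public half of a P-256 key as a JWK (RFC 7518 EC representation).
  def self.public_jwk(key)
    xy = key.public_key.to_octet_string(:uncompressed)  # 0x04 || X || Y
    { "kty" => "EC", "crv" => "P-256", "x" => b64url(xy[1, 32]), "y" => b64url(xy[33, 32]) }
  end

  # Rebuild an OpenSSL public key from the JWK by wrapping the point in a
  # SubjectPublicKeyInfo structure (id-ecPublicKey, prime256v1).
  def self.key_from_jwk(jwk)
    raise Invalid, "6: jwk is not a P-256 EC key" unless jwk.is_a?(Hash) && jwk["kty"] == "EC" && jwk["crv"] == "P-256"
    x, y = %w[x y].map { |m| b64url_decode(jwk[m].to_s) }
    raise Invalid, "6: bad EC coordinates" unless x.bytesize == 32 && y.bytesize == 32
    spki = OpenSSL::ASN1::Sequence.new([
      OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new("1.2.840.10045.2.1"),
                                   OpenSSL::ASN1::ObjectId.new("1.2.840.10045.3.1.7")]),
      OpenSSL::ASN1::BitString.new("\x04".b + x + y),
    ])
    OpenSSL::PKey.read(spki.to_der)
  rescue OpenSSL::PKey::PKeyError
    raise Invalid, "6: jwk does not decode to a valid point"
  end

  # JOSE ES256 signatures are raw r||s (64 bytes); OpenSSL expects DER. Convert, then verify.
  def self.verify_es256(pub, signing_input, raw_sig)
    return false unless raw_sig.bytesize == 64
    der = OpenSSL::ASN1::Sequence.new([OpenSSL::BN.new(raw_sig[0, 32], 2), OpenSSL::BN.new(raw_sig[32, 32], 2)]
                                      .map { |n| OpenSSL::ASN1::Integer.new(n) }).to_der
    pub.verify(OpenSSL::Digest.new("SHA256"), der, signing_input)
  rescue OpenSSL::PKey::PKeyError
    false
  end

  # Client side: build a DPoP proof. header_overrides lets the demo produce bad ones.
  def self.sign_proof(key, claims, header_overrides = {})
    header = { "typ" => "dpop+jwt", "alg" => "ES256", "jwk" => public_jwk(key) }.merge(header_overrides)
    input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
    r, s = OpenSSL::ASN1.decode(key.sign(OpenSSL::Digest.new("SHA256"), input)).value
                        .map { |i| i.value.to_s(2).rjust(32, "\x00") }
    "#{input}.#{b64url(r + s)}"
  end

  # Server side. request = { method:, url:, headers: { "DPoP" => [values...] } }.
  # Returns the proof's claims or raises Invalid, whose message starts with the
  # number of the failing check from RFC 9449 section 4.3.
  def self.validate(request)
    proofs = Array(request[:headers]["DPoP"])
    raise Invalid, "1: exactly one DPoP header required" unless proofs.size == 1
    parts = proofs[0].split(".", -1)
    raise Invalid, "2: not a three-part compact JWS" unless parts.size == 3
    header, claims = parts[0, 2].map { |p| JSON.parse(b64url_decode(p)) }
    raise Invalid, "2: header and payload must be JSON objects" unless header.is_a?(Hash) && claims.is_a?(Hash)
    missing = REQUIRED_CLAIMS - claims.keys
    raise Invalid, "3: missing claims #{missing.join(',')}" unless missing.empty?
    raise Invalid, "4: typ must be dpop+jwt" unless header["typ"] == "dpop+jwt"
    raise Invalid, "5: alg not acceptable" unless ALLOWED_ALGS.include?(header["alg"])  # rejects none, HMAC, unknown
    pub = key_from_jwk(header["jwk"])
    raise Invalid, "6: signature does not verify" unless verify_es256(pub, parts[0, 2].join("."), b64url_decode(parts[2]))
    raise Invalid, "7: jwk carries private key material" if (header["jwk"].keys & PRIVATE_JWK_MEMBERS).any?
    raise Invalid, "8: htm does not match request method" unless claims["htm"] == request[:method]
    raise Invalid, "9: htu does not match request URI" unless claims["htu"] == request[:url].split(/[?#]/, 2)[0]
    claims
  rescue JSON::ParserError
    raise Invalid, "2: header or payload is not JSON"
  end

  # Returns the number of the failing check, or nil when the proof is accepted.
  def self.failing_check(request)
    validate(request)
    nil
  rescue Invalid => e
    e.message.to_i
  end

  # Constructed demo (not a real capture): one valid proof and one for each failing check.
  def self.demo
    key, other = OpenSSL::PKey::EC.generate("prime256v1"), OpenSSL::PKey::EC.generate("prime256v1")
    token_url = "https://server.example.com/token"
    claims = { "jti" => "-BwC3ESc6acc2lTc", "htm" => "POST", "htu" => token_url, "iat" => 1_700_000_000 }
    good = sign_proof(key, claims)
    req = ->(proof, method: "POST", url: token_url) { { method: method, url: url, headers: { "DPoP" => [proof] } } }
    {
      valid: validate(req.(good))["jti"],
      two_headers: failing_check(req.(good).merge(headers: { "DPoP" => [good, good] })),
      malformed: failing_check(req.("header.payload")),
      missing_claim: failing_check(req.(sign_proof(key, claims.reject { |k, _| k == "jti" }))),
      wrong_typ: failing_check(req.(sign_proof(key, claims, "typ" => "JWT"))),
      alg_none: failing_check(req.(sign_proof(key, claims, "alg" => "none"))),
      wrong_key: failing_check(req.(sign_proof(key, claims, "jwk" => public_jwk(other)))),
      private_jwk: failing_check(req.(sign_proof(key, claims, "jwk" => public_jwk(key).merge("d" => b64url(key.private_key.to_s(2)))))),
      wrong_method: failing_check(req.(good, method: "GET")),
      wrong_uri: failing_check(req.(good, url: "https://server.example.com/other")),
    }
  end
end

puts DpopCheck.demo.inspect if $PROGRAM_NAME == __FILE__
```

The example stops at the htu comparison; the checks that follow it in the same RFC section (server-provided nonce, an iat freshness window, the ath hash when an access token accompanies the proof) and the jti replay tracking the RFC also calls for are deliberately left out, and a production validator needs all of them. The allow-list in ALLOWED_ALGS is what makes check 5 hold: it rejects none and any symmetric algorithm without needing a separate deny-list, and the jwk member check in check 7 rejects a proof whose header leaks private key material even though its signature verifies.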