feat: Demonstrating Proof of Posession (DPoP) (#315)

* feat: include token type in `#oidcc_token_access` record We'll need this for DPoP bound tokens, which use the `DPoP` type. * feat: DPoP * doc: fix autolinking of `Oidcc.Token.Access` Co-authored-by: Jonatan Männchen <[email protected]> * fixup! doc: fix autolinking of `Oidcc.Token.Access` * fixup! feat: DPoP * fixup! feat: DPoP * fixup! feat: DPoP * fixup! feat: DPoP --------- Co-authored-by: Jonatan Männchen <[email protected]>
erlef · Dec 23, 2023 · 4cbce04 · 4cbce04
1 parent eca89e9
commit 4cbce04
Show file tree

Hide file tree

Showing 16 changed files with 1,349 additions and 38 deletions.
diff --git a/README.md b/README.md
@@ -98,6 +98,7 @@ The refactoring for `v3` and the certification is funded as an
 * [Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662)
 * Logout
   * [RP-Initiated](https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
+* [Demonstrating Proof of Possession (DPoP)](https://www.rfc-editor.org/rfc/rfc9449)
 
 ## Setup
 

diff --git a/include/oidcc_client_registration.hrl b/include/oidcc_client_registration.hrl
@@ -67,6 +67,8 @@
     post_logout_redirect_uris = undefined :: [uri_string:uri_string()] | undefined,
     %% OAuth 2.0 Pushed Authorization Requests
     require_pushed_authorization_requests = false :: boolean(),
+    %% OAuth 2.0 Demonstrating Proof of Possession (DPoP)
+    dpop_bound_access_tokens = false :: boolean(),
     %% Unknown Fields
     extra_fields = #{} :: #{binary() => term()}
 }).

diff --git a/include/oidcc_token.hrl b/include/oidcc_token.hrl
@@ -1,7 +1,11 @@
 -ifndef(OIDCC_TOKEN_HRL).
 
 -record(oidcc_token_id, {token :: binary(), claims :: oidcc_jwt_util:claims()}).
--record(oidcc_token_access, {token :: binary(), expires = undefined :: pos_integer() | undefined}).
+-record(oidcc_token_access, {
+    token :: binary(),
+    expires = undefined :: pos_integer() | undefined,
+    type = <<"Bearer">> :: binary()
+}).
 -record(oidcc_token_refresh, {token :: binary()}).
 -record(oidcc_token, {
     id :: oidcc_token:id() | none,

diff --git a/lib/oidcc/client_registration.ex b/lib/oidcc/client_registration.ex
@@ -81,6 +81,7 @@ defmodule Oidcc.ClientRegistration do
           request_uris: [:uri_string.uri_string()] | :undefined,
           post_logout_redirect_uris: [:uri_string.uri_string()] | :undefined,
           require_pushed_authorization_requests: boolean(),
+          dpop_bound_access_tokens: boolean(),
           extra_fields: %{String.t() => term()}
         }
 

diff --git a/lib/oidcc/token/access.ex b/lib/oidcc/token/access.ex
@@ -6,6 +6,8 @@ defmodule Oidcc.Token.Access do
   """
   @moduledoc since: "3.0.0"
 
+  alias Oidcc.ClientContext
+
   use Oidcc.RecordStruct,
     internal_name: :token,
     record_name: :oidcc_token_access,
@@ -16,6 +18,32 @@ defmodule Oidcc.Token.Access do
   @typedoc since: "3.0.0"
   @type t() :: %__MODULE__{
           token: String.t(),
-          expires: pos_integer() | :undefined
+          expires: pos_integer() | :undefined,
+          type: String.t()
         }
+
+  @doc """
+  Generate a map of authorization headers to use when using the given
+  `Oidcc.Token.Access` struct to access an API endpoint.
+  """
+  @doc since: "3.2.0"
+  @spec authorization_headers(
+          access_token :: t(),
+          method :: :get | :post,
+          endpoint :: String.t(),
+          client_context :: ClientContext.t()
+        ) :: %{String.t() => String.t()}
+  def authorization_headers(
+        access_token,
+        method,
+        endpoint,
+        client_context
+      ),
+      do:
+        :oidcc_token.authorization_headers(
+          struct_to_record(access_token),
+          method,
+          endpoint,
+          ClientContext.struct_to_record(client_context)
+        )
 end
diff --git a/src/oidcc_auth_util.erl b/src/oidcc_auth_util.erl
@@ -19,6 +19,8 @@
 -type error() :: no_supported_auth_method.
 
 -export([add_client_authentication/6]).
+-export([add_dpop_proof_header/5]).
+-export([add_authorization_header/6]).
 
 %% @private
 -spec add_client_authentication(
@@ -251,6 +253,109 @@ add_jwt_bearer_assertion(ClientAssertion, Body, Header, ClientContext) ->
         Header
     }.
 
+%% @private
+-spec add_dpop_proof_header(Header, Method, Endpoint, Opts, ClientContext) -> Header when
+    Header :: [oidcc_http_util:http_header()],
+    Method :: post | get,
+    Endpoint :: uri_string:uri_string(),
+    Opts :: #{nonce => binary()},
+    ClientContext :: oidcc_client_context:t().
+add_dpop_proof_header(Header, Method, Endpoint, Opts, ClientContext) ->
+    Claims =
+        case Opts of
+            #{nonce := Nonce} ->
+                #{<<"nonce">> => Nonce};
+            _ ->
+                #{}
+        end,
+    case dpop_proof(Method, Endpoint, Claims, ClientContext) of
+        {ok, SignedRequestObject} ->
+            [{"dpop", SignedRequestObject} | Header];
+        error ->
+            Header
+    end.
+
+%% @private
+-spec add_authorization_header(
+    AccessToken, AccessTokenType, Method, Endpoint, Opts, ClientContext
+) ->
+    Header
+when
+    AccessToken :: binary(),
+    AccessTokenType :: binary(),
+    Method :: post | get,
+    Endpoint :: uri_string:uri_string(),
+    Opts :: #{dpop_nonce => binary()},
+    ClientContext :: oidcc_client_context:t(),
+    Header :: [oidcc_http_util:http_header()].
+add_authorization_header(
+    AccessToken, AccessTokenType, Method, Endpoint, Opts, ClientContext
+) ->
+    maybe
+        true ?= string:casefold(<<"dpop">>) =:= string:casefold(AccessTokenType),
+        Claims0 =
+            case Opts of
+                #{dpop_nonce := Nonce} ->
+                    #{<<"nonce">> => Nonce};
+                _ ->
+                    #{}
+            end,
+        Claims = Claims0#{
+            <<"ath">> => base64:encode(crypto:hash(sha256, AccessToken), #{
+                mode => urlsafe, padding => false
+            })
+        },
+        {ok, SignedRequestObject} ?= dpop_proof(Method, Endpoint, Claims, ClientContext),
+        [
+            {"authorization", [AccessTokenType, <<" ">>, AccessToken]},
+            {"dpop", SignedRequestObject}
+        ]
+    else
+        _ ->
+            [oidcc_http_util:bearer_auth_header(AccessToken)]
+    end.
+
+-spec dpop_proof(Method, Endpoint, Claims, ClientContext) -> {ok, binary()} | error when
+    Method :: post | get,
+    Endpoint :: uri_string:uri_string(),
+    Claims :: map(),
+    ClientContext :: oidcc_client_context:t().
+dpop_proof(Method, Endpoint, Claims0, #oidcc_client_context{
+    client_jwks = #jose_jwk{} = ClientJwks,
+    provider_configuration = #oidcc_provider_configuration{
+        dpop_signing_alg_values_supported = [_ | _] = SigningAlgSupported
+    }
+}) ->
+    MaxClockSkew =
+        case application:get_env(oidcc, max_clock_skew) of
+            undefined -> 0;
+            {ok, ClockSkew} -> ClockSkew
+        end,
+    HtmClaim = string:uppercase(atom_to_binary(Method, utf8)),
+    Claims = Claims0#{
+        <<"jti">> => random_string(32),
+        <<"htm">> => HtmClaim,
+        <<"htu">> => iolist_to_binary(Endpoint),
+        <<"iat">> => os:system_time(seconds),
+        <<"exp">> => os:system_time(seconds) + 30,
+        <<"nbf">> => os:system_time(seconds) - MaxClockSkew
+    },
+    Jwt = jose_jwt:from(Claims),
+    {_, PublicJwk} = jose_jwk:to_public_map(ClientJwks),
+
+    case
+        oidcc_jwt_util:sign(Jwt, ClientJwks, SigningAlgSupported, #{
+            <<"typ">> => <<"dpop+jwt">>, <<"jwk">> => PublicJwk
+        })
+    of
+        {ok, SignedRequestObject} ->
+            {ok, SignedRequestObject};
+        {error, no_supported_alg_or_key} ->
+            error
+    end;
+dpop_proof(_Method, _Endpoint, _Claims, _ClientContext) ->
+    error.
+
 -spec random_string(Bytes :: pos_integer()) -> binary().
 random_string(Bytes) ->
     base64:encode(crypto:strong_rand_bytes(Bytes), #{mode => urlsafe, padding => false}).
diff --git a/src/oidcc_authorization.erl b/src/oidcc_authorization.erl
@@ -110,8 +110,9 @@ redirect_params(#oidcc_client_context{client_id = ClientId} = ClientContext, Opt
     QueryParams4 = oidcc_scope:query_append_scope(
         maps:get(scopes, Opts, [openid]), QueryParams3
     ),
-    QueryParams5 = attempt_request_object(QueryParams4, ClientContext),
-    attempt_par(QueryParams5, ClientContext, Opts).
+    QueryParams5 = maybe_append_dpop_jkt(QueryParams4, ClientContext),
+    QueryParams6 = attempt_request_object(QueryParams5, ClientContext),
+    attempt_par(QueryParams6, ClientContext, Opts).
 
 -spec append_code_challenge(PkceVerifier, QueryParams, ClientContext) ->
     oidcc_http_util:query_params()
@@ -164,6 +165,26 @@ maybe_append(_Key, undefined, QueryParams) ->
 maybe_append(Key, Value, QueryParams) ->
     [{Key, Value} | QueryParams].
 
+-spec maybe_append_dpop_jkt(QueryParams, ClientContext) ->
+    QueryParams
+when
+    ClientContext :: oidcc_client_context:t(),
+    QueryParams :: oidcc_http_util:query_params().
+maybe_append_dpop_jkt(
+    QueryParams,
+    #oidcc_client_context{
+        client_jwks = #jose_jwk{},
+        provider_configuration = #oidcc_provider_configuration{
+            dpop_signing_alg_values_supported = [_ | _]
+        }
+    } = ClientContext
+) ->
+    #oidcc_client_context{client_jwks = ClientJwks} = ClientContext,
+    Thumbprint = jose_jwk:thumbprint(ClientJwks),
+    [{"dpop_jkt", Thumbprint} | QueryParams];
+maybe_append_dpop_jkt(QueryParams, _ClientContext) ->
+    QueryParams.
+
 -spec attempt_request_object(QueryParams, ClientContext) -> QueryParams when
     QueryParams :: oidcc_http_util:query_params(),
     ClientContext :: oidcc_client_context:t().

diff --git a/src/oidcc_client_registration.erl b/src/oidcc_client_registration.erl
@@ -110,6 +110,8 @@
         post_logout_redirect_uris :: [uri_string:uri_string()] | undefined,
         %% OAuth 2.0 Pushed Authorization Requests
         require_pushed_authorization_requests :: boolean(),
+        %% OAuth 2.0 Demonstrating Proof of Possession (DPoP)
+        dpop_bound_access_tokens :: boolean(),
         %% Unknown Fields
         extra_fields :: #{binary() => term()}
     }.

diff --git a/src/oidcc_http_util.erl b/src/oidcc_http_util.erl
@@ -19,7 +19,8 @@
 -type http_header() :: {Field :: [byte()] | binary(), Value :: iodata()}.
 %% See {@link httpc:request/5}
 -type error() ::
-    {http_error, StatusCode :: pos_integer(), HttpBodyResult :: binary()}
+    {http_error, StatusCode :: pos_integer(), HttpBodyResult :: binary() | map()}
+    | {use_dpop_nonce, Nonce :: binary(), HttpBodyResult :: binary() | map()}
     | invalid_content_type
     | httpc_error().
 -type httpc_error() :: term().
@@ -147,7 +148,12 @@ extract_successful_response({{_HttpVersion, StatusCode, _HttpStatusName}, Header
             unknown ->
                 HttpBodyResult
         end,
-    {error, {http_error, StatusCode, Body}}.
+    case proplists:lookup("dpop-nonce", Headers) of
+        {"dpop-nonce", DpopNonce} ->
+            {error, {use_dpop_nonce, DpopNonce, Body}};
+        _ ->
+            {error, {http_error, StatusCode, Body}}
+    end.
 
 -spec fetch_content_type(Headers) -> json | jwt | unknown when Headers :: [http_header()].
 fetch_content_type(Headers) ->

diff --git a/src/oidcc_jwt_util.erl b/src/oidcc_jwt_util.erl
@@ -16,6 +16,7 @@
 -export([merge_jwks/2]).
 -export([refresh_jwks_fun/1]).
 -export([sign/3]).
+-export([sign/4]).
 -export([verify_claims/2]).
 -export([verify_signature/3]).
 
@@ -172,11 +173,20 @@ merge_jwks(Left, Right) ->
 %% @private
 -spec sign(Jwt :: #jose_jwt{}, Jwk :: jose_jwk:key(), SupportedAlgorithms :: [binary()]) ->
     {ok, binary()} | {error, no_supported_alg_or_key}.
-sign(_Jwt, _Jwk, []) ->
+sign(Jwt, Jwk, SupportedAlgorithms) ->
+    sign(Jwt, Jwk, SupportedAlgorithms, #{}).
+
+%% @private
+-spec sign(
+    Jwt :: #jose_jwt{}, Jwk :: jose_jwk:key(), SupportedAlgorithms :: [binary()], JwsFields :: map()
+) ->
+    {ok, binary()} | {error, no_supported_alg_or_key}.
+sign(_Jwt, _Jwk, [], _JwsFields) ->
     {error, no_supported_alg_or_key};
-sign(Jwt, Jwk, [Algorithm | RestAlgorithms]) ->
+sign(Jwt, Jwk, [Algorithm | RestAlgorithms], JwsFields0) ->
     maybe
-        #jose_jws{fields = JwsFields} = Jws0 ?= jose_jws:from_map(#{<<"alg">> => Algorithm}),
+        #jose_jws{fields = JwsFields} =
+            Jws0 ?= jose_jws:from_map(JwsFields0#{<<"alg">> => Algorithm}),
         SigningCallback = fun
             (#jose_jwk{fields = #{<<"use">> := <<"sig">>} = Fields} = Key) ->
                 %% add the kid field to the JWS signature if present
@@ -205,7 +215,7 @@ sign(Jwt, Jwk, [Algorithm | RestAlgorithms]) ->
         {ok, Token} ?= evaluate_for_all_keys(Jwk, SigningCallback),
         {ok, Token}
     else
-        _ -> sign(Jwt, Jwk, RestAlgorithms)
+        _ -> sign(Jwt, Jwk, RestAlgorithms, JwsFields0)
     end.
 
 %% @private