OPProfileConfiguration-DPoPValidation
- Henri Mikkonen
Options related to DPoP proof validation:
Name | Type | Default | Description |
|---|---|---|---|
requireDpopProof 4.2 | Boolean | false | A flag for requiring the DPoP proof JWT in the profile. If the proof exists in the request, it’s always validated. |
dpopProofClaimsValidator 4.2 | ClaimsValidator | Beans named DefaultDPoPProofClaimsValidator for PAR/token and DefaultDPoPWithAthProofClaimsValidator for others (involving access token validation) | The claims validation configuration used for validating the payload contents of the DPoP proof JWTs. The default values follows the RFC: the latter also verifying the access token hash claim. |
dpopProofSignatureValidationConfiguration 4.2 | BasicSignatureValidationConfiguration | Bean named DPoPSignatureValidationConfiguration | The bean used for defining the signature validation configuration used for validating DPoP proof signatures. |
dpopProofNonceGenerator 4.2 | Function< | Bean named DefaultOAuth2DPoPNonceGenerator | The bean used for defining the function used for generating nonce used within DPoP proofs. Null value ( If modified to a non-null value, the |
DPoP proof claims set validation
The idp.policy.messageLifetimeand idp.policy.clockSkew properties are exploited when validating the iat -claim.
Replay detection
The DPoP proofs must contain a unique identifier (jti -claim). The default validation (the dpopProofClaimsValidator option) implements this check via shibboleth.ReplayCachebean, which exploits the storage service that may be configured via idp.replayCache.StorageService -property (see StorageConfiguration | Reference ).
The lifetime for the replay cache record is taken from the exp -claim if it exists in the DPoP proof claims set. If not, the property idp.oauth2.dpop.replayCacheLifetime(defaults to 5 minutes) is exploited. The record key is taken from the jti claim.
In order to guard against memory exhaustion attacks, the jti values longer than 64 characters are hashed with SHA-256 before using them as the replay record key. The maximum record lifetime may also be set via idp.oauth2.dpop.maxReplayCacheLifetime-property, which defaults to 5 minutes.
Nonces
If the dpopProofNonceGenerator option has a value, the bean is used for generating nonce values to be used within DPoP proof JWTs. The default value points to an implementation that generates relying party -specific values that are valid for 5 minutes, customisable via idp.oauth2.dpop.nonceLifetime-property. The default implementation exploits the data sealer for encrypting the nonce value into an opaque string.
The default value for dpopProofClaimsValidator contains a claims validator that is activated whenever dpopProofNonceGenerator option has a value.
Note that any browser-based client applications using CORS may require the DPoP-Nonce to be included in the Access-Control-Expose-Headers response header list value. The page CORS handling describes some alternatives for handling CORS preflight requests. For instance the Spring CORS configuration supports p:exposedHeaders="DPoP-Nonce"as a way for satisfying that requirement.