OPProfileConfiguration-DPoPValidation
Options related to DPoP proof validation:
Name | Type | Default | Description |
---|---|---|---|
requireDpopProof (4.2) | Boolean | false | A flag requiring a DPoP proof JWT in requests handled by this profile. A proof that is present in the request is always validated, whether or not it is required. |
dpopProofClaimsValidator (4.2) | ClaimsValidator | Beans named DefaultDPoPProofClaimsValidator for the PAR and token endpoints, and DefaultDPoPWithAthProofClaimsValidator for the other endpoints (those that validate an access token) | The claims validation configuration used for validating the payload contents of DPoP proof JWTs. The defaults follow RFC 9449; the latter additionally verifies the access token hash (ath) claim. |
dpopProofSignatureValidationConfiguration (4.2) | BasicSignatureValidationConfiguration | Bean named DPoPSignatureValidationConfiguration | The bean defining the signature validation configuration used for validating DPoP proof signatures. |
dpopProofNonceGenerator (4.2) | Function< | Bean named DefaultOAuth2DPoPNonceGenerator | The bean defining the function that generates the nonce values used within DPoP proofs. Null value ( If modified to a non-null value, the |
DPoP proof claims set validation
The idp.policy.messageLifetime and idp.policy.clockSkew properties are used when validating the iat claim: together they bound how old a proof may be and how much clock difference between the client and the IdP is tolerated.
Replay detection
DPoP proofs must contain a unique identifier (the jti claim). The default validation (the dpopProofClaimsValidator option) implements this check via the shibboleth.ReplayCache bean, which uses the storage service configured via the idp.replayCache.StorageService property (see https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199509576/StorageConfiguration#Reference ). Note that a storage service that is local to one node does not share replay state, so a clustered deployment needs a shared storage service behind the replay cache for the check to be effective across nodes.
The lifetime of the replay cache record is taken from the exp claim if one is present in the DPoP proof claims set; otherwise the idp.oauth2.dpop.replayCacheLifetime property (default 5 minutes) is used. The record key is the jti claim.
To guard against memory exhaustion attacks, jti values longer than 64 characters are hashed with SHA-256 before being used as the replay record key. The maximum record lifetime may also be set via the idp.oauth2.dpop.maxReplayCacheLifetime property (default 5 minutes); it caps the lifetime derived from the exp claim, so a client cannot keep records alive indefinitely by supplying a distant exp.
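As an added example (not code from the Shibboleth OIDC OP plugin), the following Python sketch implements the checks the two sections above describe using only the standard library: an iat window derived from a message lifetime and clock skew, a jti replay cache whose keys are SHA-256 hashed beyond 64 characters, and a record lifetime taken from exp but capped by a maximum. The property values are hypothetical stand-ins for idp.policy.messageLifetime, idp.policy.clockSkew, idp.oauth2.dpop.replayCacheLifetime and idp.oauth2.dpop.maxReplayCacheLifetime, the exact iat window formula is an assumption, and the proof claims sets are constructed for the demo.

```python
# Added example (not Shibboleth code): the iat window and jti replay checks described above,
# using stdlib only. Property values are hypothetical stand-ins for the IdP properties named on the page.
import hashlib
import secrets

# Hypothetical values for the properties named on the page, in seconds.
MESSAGE_LIFETIME = 300           # idp.policy.messageLifetime
CLOCK_SKEW = 60                  # idp.policy.clockSkew
REPLAY_CACHE_LIFETIME = 300      # idp.oauth2.dpop.replayCacheLifetime (page default: 5 minutes)
MAX_REPLAY_CACHE_LIFETIME = 300  # idp.oauth2.dpop.maxReplayCacheLifetime (page default: 5 minutes)
JTI_HASH_THRESHOLD = 64          # jti values longer than this are SHA-256 hashed before use as a key


def iat_in_window(iat, now, lifetime=MESSAGE_LIFETIME, skew=CLOCK_SKEW):
    """Assumed acceptance window: at most lifetime+skew old, at most skew in the future."""
    return (now - lifetime - skew) <= iat <= (now + skew)


def replay_record_key(jti):
    """Bound the key size so a client cannot bloat the cache with huge jti values."""
    if len(jti) > JTI_HASH_THRESHOLD:
        return hashlib.sha256(jti.encode("utf-8")).hexdigest()
    return jti


def replay_record_lifetime(exp, now, default=REPLAY_CACHE_LIFETIME, maximum=MAX_REPLAY_CACHE_LIFETIME):
    """Lifetime comes from exp when present, else the default, and never exceeds the maximum."""
    lifetime = (exp - now) if exp is not None else default
    return min(lifetime, maximum)


class ReplayCache:
    """In-memory stand-in for the shibboleth.ReplayCache bean and its storage service."""

    def __init__(self):
        self._expiry = {}  # record key -> epoch second at which the record lapses

    def check(self, jti, exp, now):
        """Return True and record jti if it is unseen; False if it is a replay."""
        for key in [k for k, t in self._expiry.items() if t <= now]:
            del self._expiry[key]  # the storage service expires lapsed records the same way
        key = replay_record_key(jti)
        if key in self._expiry:
            return False
        self._expiry[key] = now + replay_record_lifetime(exp, now)
        return True


def validate_proof_claims(claims, now, cache):
    """Check the timing claims of one DPoP proof; returns 'ok' or the name of the failing check."""
    if "jti" not in claims or "iat" not in claims:
        return "missing-claim"
    if not iat_in_window(claims["iat"], now):
        return "iat-out-of-window"
    exp = claims.get("exp")
    if exp is not None and exp <= now:
        return "expired"
    if not cache.check(claims["jti"], exp, now):
        return "replay"
    return "ok"


def demo():
    """Constructed proof claims sets replayed against one cache; returns the verdicts in order."""
    t0 = 1_700_000_000
    cache = ReplayCache()
    proof = {"jti": secrets.token_urlsafe(16), "iat": t0, "htm": "POST",
             "htu": "https://op.example.org/token"}
    long_jti_proof = {"jti": "x" * 200, "iat": t0, "exp": t0 + 3600}
    return [
        validate_proof_claims(proof, t0, cache),                 # ok
        validate_proof_claims(proof, t0 + 10, cache),            # replay
        validate_proof_claims(long_jti_proof, t0, cache),        # ok, key is the SHA-256 of the jti
        validate_proof_claims(long_jti_proof, t0 + 330, cache),  # ok: record capped at 300 s, iat window 360 s
        validate_proof_claims(proof, t0 + 400, cache),           # iat-out-of-window
    ]


if __name__ == "__main__":
    print(demo())
```

With these hypothetical values the fourth verdict is "ok" even though that proof has already been used: its replay record was capped at 300 seconds while the iat window still admits proofs up to 360 seconds old. When tuning, keep idp.oauth2.dpop.maxReplayCacheLifetime at least as long as the iat acceptance window (message lifetime plus clock skew) so that a replay record outlives every proof it protects.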
Nonces
If the dpopProofNonceGenerator option has a value, the bean is used for generating nonce values to be used within DPoP proof JWTs. The default value points to an implementation that generates relying-party-specific values that are valid for 5 minutes, customisable via the idp.oauth2.dpop.nonceLifetime property. The default implementation uses the data sealer to encrypt the nonce value into an opaque string that the IdP can later unseal and check without storing the nonce.
The default value for dpopProofClaimsValidator includes a claims validator for the nonce claim; it is active whenever the dpopProofNonceGenerator option has a value.
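As an added example (not the plugin's DefaultOAuth2DPoPNonceGenerator), the Python code below shows the properties the section above attributes to the default nonces: bound to one relying party, valid for a configurable lifetime, and issued as an opaque string the IdP can check without storing it, together with the claims check that applies when a generator is configured. The real implementation encrypts the nonce with the IdP data sealer; this stand-in authenticates it with HMAC-SHA256 instead, so the contents are readable but not forgeable. The key, client identifiers and timestamps are constructed for the demo.

```python
# Added example (not Shibboleth code): a relying-party-specific, time-limited DPoP nonce and the
# matching claims check, using stdlib only. The real default implementation seals the nonce with the
# IdP data sealer (encryption); this stand-in only authenticates it with HMAC-SHA256, which is enough
# to show what the check enforces. The key, client ids and lifetime are constructed for the demo.
import base64
import hashlib
import hmac
import json
import secrets

NONCE_LIFETIME = 300  # stand-in for idp.oauth2.dpop.nonceLifetime (page default: 5 minutes)
TAG_LEN = 32          # HMAC-SHA256 output appended to the nonce body


class NonceGenerator:
    """Issues opaque nonces bound to one relying party and an expiry, verifiable without server state."""

    def __init__(self, key: bytes, lifetime: int = NONCE_LIFETIME):
        self._key = key
        self._lifetime = lifetime

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def generate(self, client_id: str, now: int) -> str:
        """Nonce = base64url(body || HMAC(body)); the random field keeps nonces distinct."""
        body = json.dumps({"rp": client_id, "exp": now + self._lifetime, "r": secrets.token_hex(8)},
                          separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(body + self._tag(body)).decode().rstrip("=")

    def verify(self, nonce: str, client_id: str, now: int) -> str:
        """Return 'ok' or the reason the nonce is not acceptable for this relying party."""
        try:
            raw = base64.urlsafe_b64decode(nonce + "=" * (-len(nonce) % 4))
            if len(raw) <= TAG_LEN:
                return "malformed"
            body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
            if not hmac.compare_digest(tag, self._tag(body)):
                return "bad-tag"  # forged, altered, or sealed under another key
            fields = json.loads(body)
        except (ValueError, TypeError):
            return "malformed"
        if not isinstance(fields, dict):
            return "malformed"
        if fields.get("rp") != client_id:
            return "wrong-relying-party"  # a nonce issued to one client is useless to another
        if fields.get("exp", 0) <= now:
            return "expired"
        return "ok"


def check_nonce_claim(proof_claims, client_id, now, generator):
    """The nonce check the page says is active whenever a nonce generator is configured."""
    nonce = proof_claims.get("nonce")
    if nonce is None:
        return "missing-nonce"  # caller answers with a fresh value in the DPoP-Nonce header
    return generator.verify(nonce, client_id, now)


def demo():
    """Constructed proofs from two clients checked against one generator; returns verdicts in order."""
    gen = NonceGenerator(key=b"constructed-demo-key-not-for-production")
    t0 = 1_700_000_000
    nonce = gen.generate("client-a", t0)
    flipped = nonce[:10] + ("A" if nonce[10] != "A" else "B") + nonce[11:]  # one altered character
    return [
        check_nonce_claim({"nonce": nonce}, "client-a", t0 + 10, gen),   # ok
        check_nonce_claim({}, "client-a", t0, gen),                       # missing-nonce
        check_nonce_claim({"nonce": nonce}, "client-b", t0, gen),         # wrong-relying-party
        check_nonce_claim({"nonce": nonce}, "client-a", t0 + 300, gen),   # expired
        check_nonce_claim({"nonce": flipped}, "client-a", t0, gen),       # bad-tag
    ]


if __name__ == "__main__":
    print(demo())
```

When the check returns missing-nonce or expired, the server's response carries a fresh value in the DPoP-Nonce header (at the token endpoint RFC 9449 signals this with the use_dpop_nonce error) and the client retries with a new proof containing it; that is the header the CORS note below says must be exposed to browser clients.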
Note that browser-based client applications subject to CORS can only read the DPoP-Nonce response header if it is listed in the Access-Control-Expose-Headers response header; otherwise the browser hides it from the application's JavaScript and the client cannot retry with the nonce. The page CORS handling describes some alternatives for handling CORS preflight requests. For instance, the Spring CORS configuration supports p:exposedHeaders="DPoP-Nonce" as a way of satisfying that requirement.