To genDpopToken, add ability to pass nonce and have it added to the tokenBody

[longtimedeveloper]

Description

The the genDpopToken function, add optional argument to method signature allowing the user to supply a nonce value. If supplied, add the nonce value to tokenBody map as the below code shows.

String genDpopToken(String endPointUrl, KeyPair rsaKeyPair, dynamic publicKeyJwk, String httpMethod, {String nonce = '',}) 
  var tokenBody = {
    "htu": endPointUrl,
    "htm": httpMethod,
    "jti": uniqueTokenId,
    "iat": (DateTime.now().millisecondsSinceEpoch / 1000).round(),
  };

  if (nonce.isNotEmpty) {
    tokenBody['nonce'] = nonce;
  }

Why

It is now common that servers will return a nonce to the caller of the method to get an access token. The client then has to repeat the request for a access token and supply the nonce value in the DPoP token.

Additional Context

For now, I have create my own version of the solid_auth package so I can have this feature.

If you implement this feature, you may want to consider adding the ability to pass multiple key, value so the user can have add or more additional values to the tokenBody.

Thank you very much for solid_auth. It is such a powerful and professionally written package. I learned a lot.

I only use two functions from the solid_auth package: genRsaKeyPair and genDpopToken in my Flutter app so I can support DPoP tokens.

Best to the team of experts that wrote this package.

Below is the DPoP token I created with two added key-values: nonce and deviceId.

eyJhbGciOiJSUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7ImUiOiJBUUFCIiwia3R5IjoiUlNBIiwibiI6IjN6Y3dWQ2t2bzZOeWFzcDY1V29GS1paWS1Gd1hKUHAyQ0JIYkdWWGxaNVY0XzBtdWstZEpDYktKdzdnYmZNc3oyWDk1WllNd2ZUNkpIcmpCQnJ4X0pFUF9oQ1Z1WFRvVHNIQWE5YWhHZ2QzT0ZsZ0diZ2VjcDJMR0FEX1ZRQzZJNG14UHlLSnpHa2dsdW82eWFwYmdIQV9pMDQ4RVFoa1o4MkNEU1I4UVdHcXpPcGtXbFNQYWo0eHFXSzJwSHdHTGRjRU53Zm8yUXR1WGFSU2d6b0s0d1lmZ19vTFdQLTA1ZGJlR0Fnb1pacVBYZG5EazVNb1VqZEVOckdsVjBJZE1VN29YUUVUbTV4QXpUWUlTVTUtN29CMHNnYmdmeHFFcjVfWFhrdnEyT2xJQ1dnaU03OW1ZT1YxTjVIZkQ1T1dfcEpmbEtlak1iaXRJbXVEbm1nTWpZUSIsImFsZyI6IlJTMjU2In19.eyJodHUiOiJodHRwczovL2F6dXJlLmNvbSIsImh0bSI6IlBPU1QiLCJqdGkiOiJiYWM0NTc2Ny1lYTQyLTQ0OTMtYjVjMi0wMDU3Zjg1YzgwYTUiLCJpYXQiOjE3NTczNDkzMDMsIm5vbmNlIjoiZG8gbm90IHJlcGVhdCIsImRldmljZUlkIjoiZGV2aWNlIGlkIGFiYyJ9.sqfNjrUXLOTRdQ_EAuRJ3-Soif1j5KSN5zr3JYi_dufGKT4iIkfrb4pbEHuvpC3B0p7fwbdmJt9AMo71cAa6y6FuLIG3nisK-D1b8iAU3uk9q8EG3pFoSBBotVhWGmCgcALWI1NKSZWcppB-4v2DRfxuFQvENXlftcW8fUaEGu-tKx9nDoti8wk7G4uKKSh3ThxENXmatOfEDwitmIe1RJ-sqgJL7X_A1oSiQpTqdOdNqbzaRO6XKdhN6eht046BZhcVBakv9R8s9of0VsNFWE-DlAMqKZIVvgdh2nSxXOPSEjsC0moPejDzwd4TUwdlGELonfqQaN2igGl46prtHQ

[longtimedeveloper]

ath claim

The 'ath' claim is required also. This value is required when making calls to resources with the access token that is linked to the DPoP token, this linking is made by adding the 'ath' claim, is a Base64-encoded SHA-256 hash [SHS] of the DPoP-bound access token.

Outstanding resource, describing the DPoP workflow in detail.

Resource: Configure OAuth 2.0 DPoP Demonstrating Proof-of-Possession

Summary

need to be able to add nonce claim to tokenBody
need to be able to add ath claim to tokenBody

It would be very good if the jti can be passed in the genDpopToken function. This is important because users may have their own jti values they need to use.

It would also be nice to add user defined claims.

This is an example tokenBody for accessing a resource after receiving the access token. Notice, the nonce is not required here.

{
    "htm": "GET",
    "htu": "https://{yourOktaDomain}/api/v1/{api_endpoint}",
    "iat": 1516239022,
    "ath": "fUHyO2r2Z3DZ53EsNrWBb0xWXoaNy59IiKCAqksmQEo",
    "jti": "123456788"
}

Thank you for your time and consideration.

[longtimedeveloper]

@anushkavidanage
I also discovered that Microsoft's c# token validation works better with an exp claim. So, I have added the exp claim to my token. I have not seen others using exp with DPoP tokens.

Maybe when the RFC is completed, they will specify if exp should be included.

[longtimedeveloper]

@anushkavidanage @gjwgit

After writing my Azure server that uses DPoP and the Flutter client, I have discovered that I wrote code to support the DPoP implementation that is specific to my application.

Feel free to close this issue since your DPoP server implementation and client code that uses solid_auth may not have the same requirements I have.

Thank you again for solid_auth because I learned so much from your dedicated and professional work.

My server and client follow the workflow described here: DPoP Info

[anushkavidanage]

@longtimedeveloper thanks for posting this issue and for using our package. Its great to hear that your find it useful. And thanks for the suggestions.

When we first developed this package we tailored it specifically to work with Solid OIDC (https://solidproject.org/TR/oidc-primer). However, we are currently looking into doing certain changes, including suggestions from others, to make it more general. I believe having an optional nonce would be a good addition. jti I believe it now created within the function itself.

I will create some issues around this and do some testing with our own apps to see whether these additions make sense. Thanks again for these suggestions.

[longtimedeveloper]

@anushkavidanage thank you for your kind words of encouragement. It took me a week to write the server code and client code. In the end, it is a really nice solution and increased security. I can use this in all of my future apps.

Best to you and thanks again!