Support DPoP in OIDC
DPoP is a way to provide security in Solid ecosystems: it protects against token replay by ensuring that an access token is only accepted when presented by the application it was bound to (see issue for an overview).
How to know DPoP should be used
- A client should use the value of the `token_type` parameter to determine whether the Authorization Server supports DPoP (spec). It should be used where possible.
- The Resource Server will respond `401` and specify in the `WWW-Authenticate` header that a DPoP-bound access token is required. The Access Token is granted by the Authorization Server (the OIDC provider). See flow.
How to implement it
- The Client presents its Client Identifier and the associated Secret to the IdP and requests an Authorization Code (OIDC workflow)
- If granted, the Client presents the Authorization Code and a DPoP proof to the Token Endpoint
- Constructing the DPoP proof: see useful resource, and another resource for a top-level view
Misc
- OAuth and OIDC require the Client application to identify itself to the IdP and RS by presenting a client identifier (Client ID). Solid applications SHOULD use a WebID as their Client ID
- "it is RECOMMENDED to prefer TLS-based methods over DPoP if such methods are suitable for the scenario at hand"... never for us, as sib-core is a Single-Page Application?