DPoP support
We will be extending django-weboidc-provider to implement DPoP, as defined in the specification. This is driven by the need to access multiple potentially untrusted resources servers securely
DPoP mitigates the risk that a user loses a token, which would otherwise compromise their account in the entire ecosystem (everywhere they use the OIDC account)
Related links
- DPoP spec: https://tools.ietf.org/html/draft-fett-oauth-dpop-04
- Solid Authentication panel: https://github.com/solid/authentication-panel/
- Solid-oidc spec: https://solid.github.io/authentication-panel/solid-oidc/
- SOlid-oidc primer: https://solid.github.io/authentication-panel/solid-oidc-primer/
- OIDC example workflow (sans DPoP): https://github.com/solid/webid-oidc-spec/blob/master/example-workflow.md
Plan
The plan can be broken into the parties of the DPoP workflow
Client
- Changes to Sib-Auth: framework/sib-auth#39 (closed)
-
Who is working on this?this is possibly covered by solid-auth-client. We should check
Authorization Server
- Changes to Django-WebIDOIDC-Provider: djangoldp-packages/django-webidoidc-provider#1 (closed)
- Test for the DPoP Proof Replay in section 9.1 (time constrain proofs)
Resource Server
- Middleware to perform authorization on requests using DPoP-bound Access Tokens.. returning
401
with aWWW-Authenticate
header that informs the Client that a DPoP-bound Access Token is required - DPoP access token should be required by default in Solid. If it's present in the middleware, it should run on every request except when the user is anonymous
- djangoldp-packages/djangoldp-account#70 (closed)
Both Servers
- checking validity of DPoP poof against requirements
- signature analysis (confirms ownership of public key, guarantees integrity of the request)
Misc
- to guarantee message integrity we would also need to sign the whole request. But this isn't required to be spec-compliant. This is currently omitted from the estimations below
Initial Budget Request
- Client: ?
- Authorization server: see issue for breakdown. Total 2 days
- Validating DPoP proof by spec & the public key/signature validation.. unit tests (1.5 days)
- Resource server: supporting DPoP access tokens in
ExternalUserBackend
(2hrs) - Tests for DPoP proof relay (time constrain proofs) (2hrs)
- Time spent researching/scoping/estimating: 7.5hrs
Total budget requested: 5 days