DPoP support

We will be extending django-weboidc-provider to implement DPoP, as defined in the specification. This is driven by the need to access multiple potentially untrusted resources servers securely

DPoP mitigates the risk that a user loses a token, which would otherwise compromise their account in the entire ecosystem (everywhere they use the OIDC account)

Plan

The plan can be broken into the parties of the DPoP workflow

Client

Changes to Sib-Auth: framework/sib-auth#39 (closed)
~~Who is working on this?~~ this is possibly covered by solid-auth-client. We should check

Authorization Server

Changes to Django-WebIDOIDC-Provider: djangoldp-packages/django-webidoidc-provider#1 (closed)
Test for the DPoP Proof Replay in section 9.1 (time constrain proofs)

Resource Server

Middleware to perform authorization on requests using DPoP-bound Access Tokens.. returning 401 with a WWW-Authenticate header that informs the Client that a DPoP-bound Access Token is required
DPoP access token should be required by default in Solid. If it's present in the middleware, it should run on every request except when the user is anonymous
djangoldp-packages/djangoldp-account#70 (closed)

Both Servers

checking validity of DPoP poof against requirements
signature analysis (confirms ownership of public key, guarantees integrity of the request)

Misc

to guarantee message integrity we would also need to sign the whole request. But this isn't required to be spec-compliant. This is currently omitted from the estimations below

Initial Budget Request

Client: ?
Authorization server: see issue for breakdown. Total 2 days
Validating DPoP proof by spec & the public key/signature validation.. unit tests (1.5 days)
Resource server: supporting DPoP access tokens in ExternalUserBackend (2hrs)
Tests for DPoP proof relay (time constrain proofs) (2hrs)
Time spent researching/scoping/estimating: 7.5hrs

Total budget requested: 5 days

Edited Feb 14, 2021 by Calum Mackervoy