DPoP support (#52)

Author: ikawalec

README.md

@@ -126,7 +126,7 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --scopes openid,email,offline_access \
   --tls-cert https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/cert.pem \
   --tls-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.pem \
-  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json \
+  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/rsa/key.json \
   --encryption-key https://oauth2c.us.authz.cloudentity.io/oauth2c/demo/.well-known/jwks.json \
   --request-object \
   --pkce \

cmd/oauth2.go

@@ -71,6 +71,7 @@ func NewOAuth2Cmd() (cmd *OAuth2Cmd) {
 	cmd.PersistentFlags().StringVar(&cconfig.TLSRootCA, "tls-root-ca", "", "path to tls root ca pem file")
 	cmd.PersistentFlags().BoolVar(&cconfig.Insecure, "insecure", false, "allow insecure connections")
 	cmd.PersistentFlags().BoolVarP(&silent, "silent", "s", false, "silent mode")
+	cmd.PersistentFlags().BoolVar(&cconfig.DPoP, "dpop", false, "use DPoP")
 
 	return cmd
 }

cmd/oauth2_test.go

@@ -17,7 +17,7 @@ const (
 
 	TLSCertURL    = "https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/cert.pem"
 	TLSKeyURL     = "https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.pem"
-	SigningKeyURL = "https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json"
+	SigningKeyURL = "https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/rsa/key.json"
 )
 
 type CommandTestCase struct {

data/ps/key.json

@@ -0,0 +1,18 @@
+{
+    "keys": [
+        {
+            "p": "_31C2N6keDMiqvs3eKZvKEAagzSm6aVLdZ_RwHYPGV_DoM9e4klZfqMdsHKvEuMYUsvS7oEsAy0OpMX81fyg95VkVzhM5OrriTiVsB2IZD85Trtkl8UAxR1whOGpWwPJIgiQ0dytUH3jT20TwX46Zd_TNuZiMvIMON2dDWHoXBU",
+            "kty": "RSA",
+            "q": "lqvkl1R_E0BTl-YoQPFts3JT4k4Xv2PC9-IvTt1LQM6chmJA_AG8zIki2dzbU-bCrHynUe-oJFvKO0M2mGtmXoCctqlIvrkK5qEmynjzAV4Rhf4jD9e3lAF-dsN7YlapS0hjLtVdPj14XjoPBkeur_eUoIK5WdmK_KeZ7FswvkM",
+            "d": "TggdN4xl32oJJN1d8kHz7wZFvsLNau2tUsW_rKUw5pnGsXbPN8v0G4oDW67YwjvKES7wt6yY4wivDKFy58Y6pcrWE91jWVKyDMEI5h0dLL-tnggEYMCCd4NCBQ0pAcXE0RCl_7X4KEV5ABJtvyGprk1nJhFyxMgDlCzjwd7wdoQOmEceBfoBRhFnJPrjklOxpFeGY4cwny6XYf49kKWB5UB75CJn1ZpYHDsIWrhg1eE64tEJeXkePO0gZw_L5WAY15e8Mh7o7n9563wAEnNaP6PWZ2B4O-dGe7Sey6XFlKkGYDzoZaDCXuABtjA5_MMYjgWcfc2v9bC4tXlUdswO6Q",
+            "e": "AQAB",
+            "use": "sig",
+            "kid": "rQUy3LYhOceyA3AcZbho4vnXIfaJjgVo_iPEwffvQ8M",
+            "qi": "uN1F1YD55RohP8fu9Ut2JiaUkefrNbPqOr50sleWPZU-h70kvJr5B6hy7Ekk1-FPyJ7AU3b4qBPfUyoQ0--HokfssOTKXU8ZEYV47u507IMmCr6-NsoSAjQIrUUw01dM3BtwxufX-VWda1dbtVcDqqZ5DPPXabvPqh6QVfdhVSc",
+            "dp": "PUVoE6SJYv44cTLgIcIgZFHDSfYFlYD7sNDMN9DYXCh4PQeeZLxchx9NTnSigfAOdETHaEV4LabPnTqSISt92wJr1vL8leW06Oq2E09x10DGWJheTnuDbMJbqrKHr_kfclcFjB7VPbmDGxg4pa3FCYt9Fux3Xmpn_fc_4-a4F-U",
+            "alg": "PS256",
+            "dq": "P2Z7XPZQNpCV3FAb1iABMkZEZ_DGa2GWM-p4T64ssUt_b8i-YYx1nneCM7yMigSLHDujyIWY8huxwDgrK_3daJyj1PTsyFxi6uMayI4WaxfjNcfXhx4VgHEUfvMI4ztmJ2iBW76qartBAB1cHx9gsWjzoIsBZX51zpTT3zIME7M",
+            "n": "ll7x-VAQlsnf4Td5xKsKGgQtDUZj5uG4Fh-mDODe5n6iz_a7Of4WWkUMWacx4JWtbnjzJ8MfWVMcYXgBky1XQB9IcQ7M7otT60cULLKqXAlhxX6AWSlTwfyvNeXOFc4kjzZwU6yvfv4HpPlhzOob3cImjSx4hAWSsDC3igzzHdODFrt3nW8KApQObqQpMFcSuQLu3SshrC9GLnRYs7gxcs9qvfXcgHkPCmcCgbV4VjwbTtw3OyPeHMlJ0AoHt_ZXS6gIiwzUKlCp6MKn0OIH8XMSp4foYYNlSPW7OE0iLca8AJew9DsjtjhATbO-pldTpmNpYqpdrS1v0G3Tzxevfw"
+        }
+    ]
+}

data/ps/public.json

@@ -0,0 +1,12 @@
+{
+  "keys": [
+    {
+      "kty": "RSA",
+      "e": "AQAB",
+      "use": "sig",
+      "kid": "rQUy3LYhOceyA3AcZbho4vnXIfaJjgVo_iPEwffvQ8M",
+      "alg": "PS256",
+      "n": "ll7x-VAQlsnf4Td5xKsKGgQtDUZj5uG4Fh-mDODe5n6iz_a7Of4WWkUMWacx4JWtbnjzJ8MfWVMcYXgBky1XQB9IcQ7M7otT60cULLKqXAlhxX6AWSlTwfyvNeXOFc4kjzZwU6yvfv4HpPlhzOob3cImjSx4hAWSsDC3igzzHdODFrt3nW8KApQObqQpMFcSuQLu3SshrC9GLnRYs7gxcs9qvfXcgHkPCmcCgbV4VjwbTtw3OyPeHMlJ0AoHt_ZXS6gIiwzUKlCp6MKn0OIH8XMSp4foYYNlSPW7OE0iLca8AJew9DsjtjhATbO-pldTpmNpYqpdrS1v0G3Tzxevfw"
+    }
+  ]
+}

data/key.json data/rsa/key.jsondata/key.json renamed to data/rsa/key.json

@@ -199,7 +199,7 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --grant-type urn:ietf:params:oauth:grant-type:jwt-bearer \
   --auth-method client_secret_basic \
   --scopes email \
-  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json \
+  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/rsa/key.json \
   --assertion '{"sub":"[email protected]"}'
 ```
 </details>
@@ -337,7 +337,7 @@ JWT methods using a client secret, as the private key is never shared with the O
 ``` sh
 oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --client-id 582af0afb0d74554aa7af47849edb222 \
-  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json \
+  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/rsa/key.json \
   --grant-type client_credentials \
   --auth-method private_key_jwt \
   --scopes introspect_tokens,revoke_tokens
@@ -483,7 +483,7 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
   --grant-type authorization_code \
   --auth-method client_secret_post \
   --scopes openid,email,offline_access \
-  --encryption-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json
+  --encryption-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/rsa/key.json
 ```
 </details>
 
@@ -511,3 +511,26 @@ oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
 </details>
 
 [Learn more about PAR](https://cloudentity.com/developers/basics/oauth-grant-types/pushed-authorization-requests/)
+
+### DPoP
+
+DPoP, or Demonstration of Proof of Possession, is an extension that describes a technique to cryptographically bind access
+tokens to a particular client when they are issued. This is one of many attempts at improving the security of Bearer Tokens
+by requiring the application using the token to authenticate itself.
+
+<details>
+<summary>Show example</summary>
+
+``` sh
+oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
+  --client-id cauktionbud6q8ftlqq0 \
+  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
+  --response-types code \
+  --response-mode query \
+  --grant-type authorization_code \
+  --auth-method client_secret_basic \
+  --scopes openid,email,offline_access \
+  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/ps/key.json \
+  --dpop
+```
+</details>

data/public.json data/rsa/public.jsondata/public.json renamed to data/rsa/public.json

@@ -5,6 +5,7 @@ go 1.19
 require (
 	github.com/go-jose/go-jose/v3 v3.0.0
 	github.com/golang-jwt/jwt/v4 v4.4.3
+	github.com/google/uuid v1.3.0
 	github.com/grantae/certinfo v0.0.0-20170412194111-59d56a35515b
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/imdario/mergo v0.3.13
@@ -23,7 +24,6 @@ require (
 	atomicgo.dev/keyboard v0.2.8 // indirect
 	github.com/containerd/console v1.0.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/google/uuid v1.3.0 // indirect
 	github.com/gookit/color v1.5.0 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect

docs/examples.md

@@ -0,0 +1,111 @@
+package oauth2
+
+import (
+	"crypto"
+	"encoding/base64"
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/go-jose/go-jose/v3"
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+)
+
+const (
+	DPoPHeaderName = "DPoP"
+	DPoPHeaderType = "dpop+jwt"
+)
+
+type DPoPClaims struct {
+	Htm      string `json:"htm"`
+	Htu      string `json:"htu"`
+	Jti      string `json:"jti"`
+	IssuedAt int64  `json:"iat"`
+}
+
+func DPoPSignRequest(signingKey string, hc *http.Client, r *http.Request) error {
+	var (
+		key       jose.JSONWebKey
+		proof     string
+		signer    jose.Signer
+		bytes     []byte
+		signature *jose.JSONWebSignature
+		err       error
+	)
+
+	if key, err = ReadKey(SigningKey, signingKey, hc); err != nil {
+		return errors.Wrapf(err, "failed to read signing key from %s", signingKey)
+	}
+
+	if key.Algorithm == "" {
+		return errors.New("signing key algorithm must be set")
+	}
+
+	if key.IsPublic() {
+		return errors.New("signing key must be private")
+	}
+
+	if !key.Valid() {
+		return errors.New("signing key is not valid")
+	}
+
+	sig := jose.SigningKey{
+		Algorithm: jose.SignatureAlgorithm(key.Algorithm),
+		Key:       key.Key,
+	}
+
+	opts := &jose.SignerOptions{
+		ExtraHeaders: map[jose.HeaderKey]interface{}{
+			jose.HeaderType: DPoPHeaderType,
+		},
+		EmbedJWK: true,
+	}
+
+	if signer, err = jose.NewSigner(sig, opts); err != nil {
+		return errors.Wrapf(err, "failed to create signer")
+	}
+
+	claims := DPoPClaims{
+		Htm:      r.Method,
+		Htu:      r.URL.String(),
+		Jti:      uuid.New().String(),
+		IssuedAt: time.Now().Unix(),
+	}
+
+	if bytes, err = json.Marshal(claims); err != nil {
+		return err
+	}
+
+	if signature, err = signer.Sign(bytes); err != nil {
+		return err
+	}
+
+	if proof, err = signature.CompactSerialize(); err != nil {
+		return err
+	}
+
+	r.Header.Set(DPoPHeaderName, proof)
+
+	return nil
+}
+
+func DPoPThumbprint(signingKey string, hc *http.Client) (string, error) {
+	var (
+		key        jose.JSONWebKey
+		thumbprint []byte
+		err        error
+	)
+
+	if key, err = ReadKey(SigningKey, signingKey, hc); err != nil {
+		return "", errors.Wrapf(err, "failed to read signing key from %s", signingKey)
+	}
+
+	public := key.Public()
+
+	if thumbprint, err = public.Thumbprint(crypto.SHA256); err != nil {
+		return "", err
+	}
+
+	return base64.RawURLEncoding.EncodeToString(thumbprint), nil
+}