Search terms you've used
dpop, ath
Impacted package
Which packages do you think might be impacted by the bug?
Bug description
To Reproduce
- Start the demo at /packages/browser/examples/single/bundle
- Go to http://localhost:3113
- Log in with your OpenID Provider (e.g. https://login.inrupt.com)
- Perform an authenticated request
Expected result
The last authenticated request should include both an Access Token in the Authorization header, and a JWT in the dpop header containing an ath claim, which is mandatory as per https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-proof-jwt-syntax.
Actual result
The dpop JWT doesn't have an ath claim.
Environment
Please run
$ npx envinfo --system --npmPackages --binaries --npmGlobalPackages --browsers
System:
OS: Linux 6.2 Ubuntu 23.04 23.04 (Lunar Lobster)
CPU: (16) x64 12th Gen Intel(R) Core(TM) i7-1270P
Memory: 18.11 GB / 31.05 GB
Container: Yes
Shell: 5.9 - /usr/bin/zsh
Binaries:
Node: 18.17.0 - /run/user/1000/fnm_multishells/231754_1697187935683/bin/node
npm: 9.6.7 - /run/user/1000/fnm_multishells/231754_1697187935683/bin/npm
npmGlobalPackages:
corepack: 0.18.0
npm: 9.6.7
Additional information
The problem comes from the implementation of the DPoP signature here:
solid-client-authn-js/packages/core/src/authenticatedFetch/dpopUtils.ts
Line 57 in 3bad925