Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ DPoP Middleware extensions #118

Merged
merged 9 commits into from
Dec 19, 2022

Conversation

dmihalcik-virtru
Copy link
Member

@dmihalcik-virtru dmihalcik-virtru commented Dec 2, 2022

  • Register dpop with the AccessToken by adding a DPoP to the request.
  • Add DPoP headers to the OIDC middleware
  • Unfortunately since we have odd parameters on our public keys with TDF3, we can't use the existing signing keys and have to generate new ones for those. NanoTDF works with the existing keys, however
  • Adds --dpop parameter to cli to optionally enable it (for now)
  • Builds on 🎨 Refactor auth middleware as function #117, so review that first

- Unify on a middleware method, `withCreds`
- Previously, the OIDC middleware only could return one value, Authorization header, which means we can't also set the DPoP header
- The appID middleware updates HttpRequest in place, but that isn't best practice; instead, return a copy-and-modified version
- Related fixes to use the middeware where needed
- This pre-work simplifies adding DPoP headers in the middleware
- Register dpop with the AccessToken by adding a DPoP to the request.
- Add DPoP headers to the OIDC middleware
- Unfortunately since we have odd parameters on our public keys with TDF3, we can't use the existing signing keys and have to generate new ones for those. NanoTDF works with the existing keys, however

Be more strict

add 'ath' claim

Cleanups and assertions

- Adds ability to introspect auth providers
- Adds spy on the cli auth provider
- Uses spy to make sure dpop token is present
- Adds `--dpop` parameter to cli tool to enforce DPoP

fixup
pflynn-virtru
pflynn-virtru previously approved these changes Dec 16, 2022
dmihalcik-virtru and others added 3 commits December 16, 2022 15:22
- Unify on a middleware method, `withCreds`
- Previously, the OIDC middleware only could return one value, Authorization header, which means we can't also set the DPoP header
- The appID middleware updates HttpRequest in place, but that isn't best practice; instead, return a copy-and-modified version
- Related fixes to use the middeware where needed
- This pre-work simplifies adding DPoP headers in the middleware
- Register dpop with the AccessToken by adding a DPoP to the request.
- Add DPoP headers to the OIDC middleware
- Unfortunately since we have odd parameters on our public keys with TDF3, we can't use the existing signing keys and have to generate new ones for those. NanoTDF works with the existing keys, however

Be more strict

add 'ath' claim

Cleanups and assertions

- Adds ability to introspect auth providers
- Adds spy on the cli auth provider
- Uses spy to make sure dpop token is present
- Adds `--dpop` parameter to cli tool to enforce DPoP

fixup
@sonarqubecloud
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 3 Code Smells

No Coverage information No Coverage information
0.1% 0.1% Duplication

@dmihalcik-virtru dmihalcik-virtru merged commit 9a5cee1 into opentdf:main Dec 19, 2022
@dmihalcik-virtru dmihalcik-virtru deleted the feature/4-dpop branch December 19, 2022 14:57
dmihalcik-virtru added a commit to opentdf/spec that referenced this pull request Jan 4, 2023
### MINOR Update: Explicitly supporting [IETF DPoP Draft Proposal](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)

* This proposal aligns our Proof of Possession of the access token with the current IETF DPoP draft proposal. This includes:
   * Deprecating storing the entire key in the `tdf_claims.client_public_signing_key` subclaim
   * Store a SHA-256 hash of the key in the `cnf.jkt` field, per the current draft proposal
   * Submit a DPoP in the `DPoP` header, which will include the complete key and request identifying information
* Not included:
  * To get complete support for the missing functionality we may desire to add a body hash to the DPoP claims list, which will provides an additional check for partial message integrity.


A reference implementation of this change is now included with opentdf/backend and opentdf/client-web. If accepted we will port this to the remaining opentdf/client-*.


#### Reference Implementation Details

##### Client Implementation

For the client, we use [an existing DPoP implementation](https://www.npmjs.com/package/dpop) to generate proofs. To use, we added a parameter (dpopEnabled) to the clients, and if present make this required.

Implementation: opentdf/web-sdk#118

##### Identity Provider Implementation (Access Token Generation)

Our reference IdP, Keycloak, provides a java plugin environment for adding claims to access tokens. Our current reference implementation extended our existing plugin, which adds the `tdf_claims` claim, to include the `cnf.jkt` claim when there is a DPoP header in the code exchange.

Reference: https://github.com/opentdf/backend/blob/9603538287e23240c6d40ea596cf42f8b26bfcc4/containers/keycloak-protocol-mapper/custom-mapper/src/main/java/com/virtru/keycloak/TdfClaimsMapper.java#L292

##### Access Point Validation (KAS)

KAS currently uses application level validation of the OIDC header. We extended this to include the DPoP check iff the access token includes the `jkt` claim.

https://github.com/opentdf/backend/blob/9603538287e23240c6d40ea596cf42f8b26bfcc4/containers/kas/kas_core/tdf3_kas_core/dpop.py#L55


Co-authored-by: Ben Leggett <854255+bleggett@users.noreply.github.com>
Co-authored-by: b-long <b-long@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants