Documentation
¶
Overview ¶
Package dpop implements Demonstrating Proof-of-Possession (DPoP) at the application layer (RFC 9449).
It provides:
- DPoP proof validation (Section 4.1, 4.2, 4.3)
- DPoP-bound access token creation (Section 7.1, cnf.jkt)
- DPoP proof verification for resource server introspection (Section 10.1)
- Server-provided nonce support (Section 8.1)
Index ¶
- Constants
- func CNFClaim(jkt string) map[string]any
- func ContextWithDPoP(ctx context.Context, proof *Proof) context.Context
- func JWKThumbprint(key jwk.Key) (string, error)
- func ValidateATH(proof *Proof, accessToken string) error
- func ValidateBoundToken(tokenCNF map[string]any, proof *Proof) error
- func VerifyPublicKey(key crypto.PublicKey) error
- type Plugin
- func (p *Plugin) Category() storm.PluginCategory
- func (p *Plugin) CleanupNonceCache()
- func (p *Plugin) Contribute(ctx context.Context, cfg *protocol.DiscoveryConfiguration)
- func (p *Plugin) GenerateNonce() string
- func (p *Plugin) Middleware(next http.Handler) http.Handler
- func (p *Plugin) Name() string
- func (p *Plugin) Register(r chi.Router)
- func (p *Plugin) Requires() []string
- func (p *Plugin) Stop()
- func (p *Plugin) ValidateNonce(nonce string) bool
- func (p *Plugin) WriteNonceHeader(w http.ResponseWriter)
- type Proof
Constants ¶
const ( // Header is the HTTP header name for the DPoP proof. Header = "DPoP" // AccessTokenType is the token_type for DPoP-bound access tokens. AccessTokenType = "DPoP" // MaxProofAge is the maximum age of a DPoP proof (default 5 minutes per RFC 9449 §7.1). MaxProofAge = 5 * time.Minute )
const NonceHeader = "DPoP-Nonce"
NonceHeader is the HTTP header name for the DPoP nonce.
const NonceLifetime = 5 * time.Minute
NonceLifetime is the lifetime of a server-provided nonce (RFC 9449 §8.1).
Variables ¶
This section is empty.
Functions ¶
func ContextWithDPoP ¶
ContextWithDPoP stores the DPoP proof in the request context. Uses shared context key for cross-package access.
func JWKThumbprint ¶
JWKThumbprint computes the JWK Thumbprint (RFC 7638) of a key.
func ValidateATH ¶
ValidateATH validates the ath (access token hash) claim in a DPoP proof against the actual access token presented in the request (RFC 9449 §7.1). The ath claim MUST be present and MUST equal base64url(SHA-256(access_token)).
func ValidateBoundToken ¶
ValidateBoundToken verifies that an access token was issued with the same DPoP key as the current request (RFC 9449 §10.1).
func VerifyPublicKey ¶
VerifyPublicKey validates that the key type and algorithm are acceptable.
Types ¶
type Plugin ¶
type Plugin struct {
// contains filtered or unexported fields
}
Plugin implements DPoP proof validation and token binding.
func (*Plugin) Category ¶
func (p *Plugin) Category() storm.PluginCategory
Category returns CategoryStandard — DPoP is optional.
func (*Plugin) CleanupNonceCache ¶
func (p *Plugin) CleanupNonceCache()
CleanupNonceCache removes expired nonces from the cache.
func (*Plugin) Contribute ¶
func (p *Plugin) Contribute(ctx context.Context, cfg *protocol.DiscoveryConfiguration)
Contribute returns discovery fields for DPoP.
func (*Plugin) GenerateNonce ¶
GenerateNonce creates a new server-provided nonce (RFC 9449 §8.1). The nonce is cached and can be validated later.
func (*Plugin) Middleware ¶
Middleware parses the DPoP header from the request and stores the proof in the request context. If no DPoP header is present, the context value is nil. If a DPoP header is present but invalid, the request is rejected with HTTP 400 (RFC 9449 §4.3).
func (*Plugin) Requires ¶
Requires returns no storage dependencies (DPoP is stateless except nonce cache).
func (*Plugin) ValidateNonce ¶
ValidateNonce validates a server-provided nonce (RFC 9449 §8.1). Returns true if the nonce is valid and not expired. The nonce is consumed (deleted) after validation.
func (*Plugin) WriteNonceHeader ¶
func (p *Plugin) WriteNonceHeader(w http.ResponseWriter)
WriteNonceHeader writes the DPoP-Nonce header to the response.
type Proof ¶
type Proof struct {
JKT string // JWK thumbprint (SHA-256 of JWK)
HTM string // HTTP method
HTU string // HTTP URI
ATH string // access token hash (base64url(SHA-256(access_token)))
IssuedAt time.Time // iat claim
UniqueID string // jti claim
PublicKey interface{} // The public key from the proof (crypto.PublicKey)
}
Proof holds the parsed DPoP proof from a request.
func DPoPFromContext ¶
DPoPFromContext retrieves the DPoP proof from the context as *Proof. Returns nil if no DPoP proof was presented. For cross-package access, use shared.DPoPFromContext() which returns the shared.DPoPProof interface.
func ParseProof ¶
ParseProof parses and validates a DPoP proof JWT (RFC 9449 §4.3).
func (*Proof) AccessTokenHash ¶
AccessTokenHash returns the ath claim from the DPoP proof. Implements shared.DPoPProof interface.
func (*Proof) JWKThumbprint ¶
JWKThumbprint returns the JWK thumbprint (cnf.jkt value). Implements shared.DPoPProof interface.