Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarifications on using sender-constraint tokens DPoP #225

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Clarifications on using sender-constraint tokens DPoP #225

Changes from 5 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
d3215a3
RECOMMEND using sender-constraint tokens DPoP
AxelNennker Nov 8, 2024
e42f205
MAY use DPoP instead of RECOMMENDS DPoP
AxelNennker Nov 26, 2024
cc737d9
add Sender-Constrained Tokens to TOC
AxelNennker Nov 26, 2024
b5ef401
typo
AxelNennker Nov 26, 2024
5646d21
typo
AxelNennker Nov 26, 2024
9e4cf14
MUST not -> MUST NOT
AxelNennker Nov 27, 2024
42feaa4
Provider supports DPoP => Consumer MUST use DPoP
AxelNennker Nov 27, 2024
565d1ed
added table on expected provider behavior at API endpoint
AxelNennker Dec 12, 2024
00437fd
remove If the API Provider supports DPoP, the API Consumer MUST use D…
AxelNennker Dec 12, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions documentation/CAMARA-Security-Interoperability.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
* [Conventions](#conventions)
* [General Considerations](#general-considerations)
+ [Transport Security](#transport-security)
+ [Sender-Constrained Tokens](sender-constrained-tokens)
* [OIDC Authorization Code Flow](#oidc-authorization-code-flow)
+ [Cross-Site Request Forgery Protection](#cross-site-request-forgery-protection)
* [Client-Initiated Backchannel Authentication Flow](#client-initiated-backchannel-authentication-flow)
Expand Down Expand Up @@ -62,6 +63,12 @@ Unless otherwise noted, all the protocol parameter names and values are case sen
### Transport Security
All network connections MUST use TLS 1.2 or better.

### Sender-Constrained Tokens

[OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.2.1) and the [FAPI 2.0 Baseline Profile](https://openid.net/specs/fapi-2_0-baseline-01.html) both RECOMMEND that authorization and resource servers use mechanisms for sender-constraining access tokens. This document states that Demonstrating Proof of Possession (DPoP) [RFC9449](https://datatracker.ietf.org/doc/html/rfc9449) MAY be used by API Consumers, to prevent misuse of stolen and leaked access tokens. CAMARA authorization servers MUST not respond with an error if they do not support DPoP. DPoP allows authorization servers to issue tokens that are not sender-constrained even if a valid DPoP header is present in the authorization request. It is up to the API consumer to decide whether none-sender-constrained tokens meet their security requirements.
AxelNennker marked this conversation as resolved.
Show resolved Hide resolved
Support for DPoP MAY be expressed by the server metadata field `dpop_signing_alg_values_supported`. If the value of that field is the empty list then DPoP is not supported.
API consumers with high security demands that e.g. want to achieve EIDAS LOA high can be set to be required to always send DPoP requests. This requirement is expressed by the API consumer's metadata in the field `dpop_bound_access_tokens`. This requirement on the API consumer is determined at onboarding time.

## OIDC Authorization Code Flow

The OIDC Authorization Code Flow is defined in [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html)
Expand Down