fix: https://github.com/AxisCommunications/go-dpop/issues/9

parse.go

@@ -9,6 +9,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"math/big"
 	"net/url"
 	"strings"
@@ -89,7 +90,10 @@ func Parse(
 
 	// Check that `htm` and `htu` claims match the HTTP method and URL of the current request.
 	// This satisfies point 8 and 9 in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-4.3
-	if httpMethod != claims.Method || httpURL.String() != claims.URL {
+
+	// Addresses https://github.com/AxisCommunications/go-dpop/issues/9
+	httpUrlParsed := fmt.Sprintf("%s://%s%s", httpURL.Scheme, httpURL.Hostname(), httpURL.Path)
+	if httpMethod != claims.Method || httpUrlParsed != claims.URL {
 		return nil, errors.Join(ErrInvalidProof, ErrIncorrectHTTPTarget)
 	}
 

parse_test.go

@@ -243,6 +243,35 @@ func TestParse_IncorrectHtu(t *testing.T) {
 	}
 }
 
+// Test that an htu claim with query or fragments is properly parsed
+// and passes validation according to DPoP spec
+func TestParse_CorrectHttpURLWithQueryFragments(t *testing.T) {
+	// Arrange
+	httpUrl := url.URL{
+		Scheme: "https",
+		Host:   "server.example.com",
+		Path:   "/token",
+		Fragment: "#fragment",
+		RawQuery: "foo=bar",
+	}
+	duration := time.Duration(438000) * time.Hour
+	opts := dpop.ParseOptions{
+		Nonce:      "",
+		TimeWindow: &duration,
+	}
+
+	// Act
+	proof, err := dpop.Parse(validES256_proof, dpop.POST, &httpUrl, opts)
+
+	// Assert
+	if err != nil {
+		t.Errorf("wanted nil, got %e", err)
+	}
+	if proof == nil || proof.Valid != true {
+		t.Errorf("Expected token to be valid")
+	}
+}
+
 // Test that expired proof is rejected
 func TestParse_ExpiredProof(t *testing.T) {
 	// Arrange