
[DPoP Connector] Verify JTI Uniqueness #23358

Open
VIHANGAGIT opened this issue Mar 4, 2025 · 1 comment


VIHANGAGIT commented Mar 4, 2025

Current Limitation

Description
When using DPoP for token binding, the DPoPHeaderValidator does not verify the uniqueness of the JTI value of each request. This allows DPoP proofs to be replayed in case they are sent to the same endpoint.

Steps to reproduce

  1. Login to console and create an application
  2. Set up the DPoP connector as mentioned in the README
  3. Add the DPoP header in token request and get the access token.
  4. Start another flow and use the same DPoP header.

Suggested Improvement

Store the JTI values of DPoP headers for their valid period in the context of the target URI. A DPoP proof with the same URI and a JTI that's recently been used should be rejected. The spec's recommendation can be found here.

Version

DPoP Connector Version - 1.0.12

VIHANGAGIT (author) commented:

Note

DPoP replay attacks can be mitigated with DPoP proofs that have a short life-span (by verifying the iat and exp claims). This is an additional security consideration.
