
Conversation

@kishore7snehil (Contributor)

📋 Changes

This PR implements DPoP (RFC 9449) support for auth0-api-python, enabling sender-constrained OAuth 2.0 access tokens using cryptographic proof of possession for enhanced API security.

Note

DPoP is currently in Early Access. Contact Auth0 support to enable it for your tenant.

✨ Features

  • DPoP Protocol Implementation: Complete RFC 9449 compliant implementation with ES256 signature verification, JWT proof validation, and comprehensive claim checking
  • Dual Authentication Scheme Support: Seamless handling of both Bearer and DPoP authentication schemes in a single API
  • Unified Entry Point: New verify_request() method automatically detects and validates Bearer or DPoP schemes
  • Flexible Configuration Modes: Support for "Allowed Mode" (mixed Bearer/DPoP) and "Required Mode" (DPoP-only enforcement)
  • Comprehensive Validation: Full claim validation including htm, htu, ath, jti with timing checks
  • URL Normalization: RFC-compliant URL matching for DPoP htu claims with proper scheme and port handling

🔧 API Changes

  • Added verify_request() method to ApiClient for unified authentication scheme detection
  • Added verify_dpop_proof() method for direct DPoP proof verification
  • Extended ApiClientOptions with DPoP configuration parameters (dpop_enabled, dpop_required, dpop_iat_leeway, dpop_iat_offset)
  • New DPoP-specific error classes: InvalidDpopProofError, InvalidAuthSchemeError
  • Enhanced error handling with proper HTTP status codes and WWW-Authenticate headers

📚 Core Components

  • JWT Dual Support: Separate JsonWebToken handlers for RS256 (Bearer) and ES256 (DPoP) validation
  • Cryptographic Utilities: SHA-256 hashing, Base64URL encoding, JWK thumbprint calculation
  • URL Processing: DPoP-compliant URL normalization and comparison
  • Error Response System: HTTP-aware error hierarchy with OAuth error codes and WWW-Authenticate headers
  • Test Infrastructure: Comprehensive utilities for generating DPoP proofs and bound tokens

📖 Documentation

  • Updated README.md with comprehensive features overview and DPoP authentication section
  • Added detailed configuration examples for both "Allowed" and "Required" modes
  • Created EXAMPLES.md with authentication scheme examples

📎 References

🧪 Testing

  • This change adds test coverage

  • This change has been tested on the latest version of the platform/language or why not

Contributor Checklist
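The claim checks listed in this PR (htm, htu with URL normalization, ath, jti replay detection, the iat window, and binding of the proof key to the access token's cnf.jkt through the RFC 7638 JWK thumbprint), together with Allowed/Required scheme detection, as an added example in Python. This is not code from the PR or from auth0-api-python. It assumes the ES256 signature of the proof has already been verified by a JWT library against the JWK in the proof header, so `validate()` takes the decoded header and claims; it reads `dpop_iat_leeway` and `dpop_iat_offset` as future clock skew and maximum proof age, which is an interpretation of the option names, not the library's documented semantics. The exception class names mirror the ones the PR introduces but are defined here independently; the JWK, access token and proof claims are constructed sample values.

```python
import base64
import hashlib
import json
import time
from urllib.parse import urlsplit, urlunsplit

class InvalidDpopProofError(Exception):
    """A DPoP proof failed a claim or key-binding check."""

class InvalidAuthSchemeError(Exception):
    """The Authorization scheme is not acceptable under the configured mode."""

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def access_token_hash(access_token: str) -> str:
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())  # the ath claim

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC public JWK: required members only, sorted keys, no whitespace."""
    if jwk.get("kty") != "EC":
        raise InvalidDpopProofError("only EC (ES256) proof keys are handled here")
    canonical = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def normalize_htu(url: str) -> str:
    """Lowercase scheme and host, drop default port, query and fragment (RFC 9449 htu comparison)."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    if ":" in host:  # IPv6 literal; .hostname strips the brackets
        host = f"[{host}]"
    if p.port is not None and {"http": 80, "https": 443}.get(scheme) != p.port:
        host = f"{host}:{p.port}"
    return urlunsplit((scheme, host, p.path or "/", "", ""))

def detect_scheme(headers: dict, dpop_required: bool):
    """Return (scheme, token, proof) from lower-cased request headers, as a verify_request() front door would."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    scheme, token = scheme.lower(), token.strip()
    if scheme == "dpop" and token:
        if not headers.get("dpop"):
            raise InvalidDpopProofError("DPoP scheme used without a DPoP header")
        return "dpop", token, headers["dpop"]
    if scheme == "bearer" and token and not dpop_required:  # "Allowed" mode still accepts Bearer
        return "bearer", token, None
    raise InvalidAuthSchemeError(f"scheme {scheme!r} not accepted (dpop_required={dpop_required})")

class DpopProofValidator:
    def __init__(self, iat_leeway: int = 30, iat_offset: int = 300):
        self.iat_leeway = iat_leeway  # assumed meaning: tolerated future clock skew, seconds
        self.iat_offset = iat_offset  # assumed meaning: maximum accepted proof age, seconds
        self._seen_jti = set()        # replay cache; a shared store is needed across workers

    def validate(self, header, claims, method, url, access_token, token_jkt, now=None):
        """Check a proof whose ES256 signature was already verified against header["jwk"]."""
        now = int(time.time()) if now is None else now
        jwk = header.get("jwk")
        if header.get("typ") != "dpop+jwt" or header.get("alg") != "ES256" or not isinstance(jwk, dict) or "d" in jwk:
            raise InvalidDpopProofError("header needs typ dpop+jwt, alg ES256 and a public JWK")
        if jwk_thumbprint(jwk) != token_jkt:  # sender constraint: proof key must equal the token's cnf.jkt
            raise InvalidDpopProofError("proof key does not match the token's cnf.jkt")
        if claims.get("htm") != method.upper():
            raise InvalidDpopProofError("htm does not match the request method")
        if normalize_htu(str(claims.get("htu", ""))) != normalize_htu(url):
            raise InvalidDpopProofError("htu does not match the request URL")
        iat = claims.get("iat")
        if not isinstance(iat, int) or not (now - self.iat_offset <= iat <= now + self.iat_leeway):
            raise InvalidDpopProofError("iat outside the accepted window")
        if claims.get("ath") != access_token_hash(access_token):
            raise InvalidDpopProofError("ath does not match the presented access token")
        jti = claims.get("jti")
        if not isinstance(jti, str) or jti in self._seen_jti:
            raise InvalidDpopProofError("missing or replayed jti")
        self._seen_jti.add(jti)
        return True

# Constructed sample public JWK: x and y are filler bytes, not a real P-256 point.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}

def demo() -> dict:
    """Exercise the checks with a constructed proof and report each case's outcome."""
    def outcome(fn):
        try:
            fn()
            return "accepted"
        except (InvalidDpopProofError, InvalidAuthSchemeError):
            return "rejected"
    token, now = "constructed.access.token", 1_700_000_010
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
    good = {"jti": "proof-1", "htm": "GET", "iat": 1_700_000_000,
            "htu": "https://api.example.com/orders?page=2", "ath": access_token_hash(token)}
    jkt = jwk_thumbprint(SAMPLE_JWK)  # the value the bound access token's cnf.jkt would carry
    v = DpopProofValidator()
    out = {"accepted": v.validate(header, good, "get", "HTTPS://API.example.com:443/orders", token, jkt, now)}
    out["replay"] = outcome(lambda: v.validate(header, good, "GET", "https://api.example.com/orders", token, jkt, now))
    bad_htu = {**good, "jti": "p2", "htu": "https://api.example.com/other"}
    out["wrong_htu"] = outcome(lambda: v.validate(header, bad_htu, "GET", "https://api.example.com/orders", token, jkt, now))
    out["bearer_in_required_mode"] = outcome(lambda: detect_scheme({"authorization": f"Bearer {token}"}, True))
    return out
```

Running `demo()` shows the first proof accepted, the same proof refused on replay, a proof for a different URL refused, and a Bearer credential refused once `dpop_required` is set. The thumbprint is computed over only the required EC members, so extra JWK members such as `alg` or `use` in the proof header do not change the binding check; the in-memory jti set is per process, so a deployment with several workers needs a shared replay store with an expiry no shorter than the iat window.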

@kishore7snehil kishore7snehil requested a review from a team as a code owner August 28, 2025 11:23
@kishore7snehil kishore7snehil merged commit 031c70d into main Aug 28, 2025
8 checks passed
@kishore7snehil kishore7snehil deleted the feature/dpop-authentication branch August 28, 2025 11:43
This was referenced Aug 28, 2025
3 participants