Actual Result:
Policy API calls (both gRPC and HTTP) receive an "Unauthorised" error response when using an API-generated access_token (issued by a request to http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token) for authorisation.
It complains about a problem with DPoP validation: `msg="failed to validate token" error="got 0 dpop headers, should have 1"`
E.g.:
Token generated by this suggestion:
Reproducible with a locally deployed Platform which uses the example env setup with Auth enabled (as described in the Readme).
Additional Info:
Currently a DPoP-compatible token can only be generated using the SDK as per @mkleene (using platform/sdk/internal/oauth/oauth.go, lines 137 to 167 in 2735498; only the tail of the embedded snippet, the retry with the IdP's DPoP nonce, survived here:

```go
			return nil, fmt.Errorf("error making request to IdP with dpop nonce: %w", err)
		}
		defer nonceResp.Body.Close()
		return processResponse(nonceResp)
	}
	return processResponse(resp)
}
```
).
And the backend validates only DPoP tokens.
Expected Result:
It is possible to generate a DPoP-compatible token using a direct API call (is it possible to use specific DPoP params?).
Also there is an ongoing discussion regarding the ability to optionally disable DPoP validation. It could be a possible workaround if it doesn't raise additional security concerns.
DPoP-related issues: #566, #593
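Added example, not code from the platform repository or from the SDK routine the issue links. It shows the two halves the report touches: how a client builds the DPoP proof JWT (RFC 9449) that a direct request to the token endpoint, and every later API call, must carry in the `DPoP` header, and what a resource server checks before it can fail with "got 0 dpop headers, should have 1". It uses only the Go standard library, assumes ES256 on P-256, and the URL, method and key in the test are constructed; how a particular IdP is configured to bind tokens is outside its scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// b64 is base64url without padding, the encoding JOSE uses throughout.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewKey makes the per-client P-256 key the proofs are signed with (assumption: ES256 only).
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// publicJWK renders the public key as a JWK holding only the four members RFC 7638 thumbprints.
func publicJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"crv": "P-256", "kty": "EC",
		"x": b64(pub.X.FillBytes(make([]byte, 32))), "y": b64(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is the RFC 7638 value the IdP binds into the token's cnf.jkt; json.Marshal sorts keys and omits whitespace, the canonical form.
func Thumbprint(pub *ecdsa.PublicKey) string {
	canon, _ := json.Marshal(publicJWK(pub))
	sum := sha256.Sum256(canon)
	return b64(sum[:])
}

// NewProof builds the DPoP proof JWT (RFC 9449 section 4.2) for one request; nonce is the IdP's DPoP-Nonce value on a retry, else "".
func NewProof(key *ecdsa.PrivateKey, method, url, nonce string, now time.Time) (string, error) {
	jti := make([]byte, 16) // unique per proof so the server can reject replays
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header := map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&key.PublicKey)}
	claims := map[string]any{"jti": b64(jti), "htm": method, "htu": url, "iat": now.Unix()}
	if nonce != "" {
		claims["nonce"] = nonce
	}
	hb, _ := json.Marshal(header)
	cb, _ := json.Marshal(claims)
	input := b64(hb) + "." + b64(cb)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw r||s pair, each left-padded to 32 bytes, not DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64(sig), nil
}

// VerifyProof is the resource-server side: exactly one DPoP header (the check behind
// "got 0 dpop headers, should have 1"), an ES256 proof that verifies under its own embedded
// key, bound to this method and URL, fresh, and made with the key named by the token's cnf.jkt.
func VerifyProof(proofs []string, method, url, expectJKT string, now time.Time) error {
	if len(proofs) != 1 {
		return fmt.Errorf("got %d dpop headers, should have 1", len(proofs))
	}
	parts := strings.Split(proofs[0], ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	dec := func(part string, v any) bool { // encoding/json matches field names case-insensitively
		raw, err := base64.RawURLEncoding.DecodeString(part)
		return err == nil && json.Unmarshal(raw, v) == nil
	}
	var hdr struct{ Typ, Alg string; JWK map[string]string }
	var clm struct{ Htm, Htu string; Iat int64 }
	if !dec(parts[0], &hdr) || !dec(parts[1], &clm) {
		return errors.New("proof header or claims are not valid JSON")
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" {
		return errors.New("unsupported proof header")
	}
	x, errX := base64.RawURLEncoding.DecodeString(hdr.JWK["x"])
	y, errY := base64.RawURLEncoding.DecodeString(hdr.JWK["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if errX != nil || errY != nil || !pub.Curve.IsOnCurve(pub.X, pub.Y) {
		return errors.New("embedded jwk is not a valid P-256 point")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature does not verify")
	}
	if d := now.Unix() - clm.Iat; clm.Htm != method || clm.Htu != url || d < -60 || d > 300 {
		return errors.New("proof is not bound to this request or is outside the iat window")
	}
	if expectJKT != "" && Thumbprint(pub) != expectJKT {
		return errors.New("proof key does not match the token's cnf.jkt")
	}
	return nil
}
```

To answer the "direct API call" question with this: the POST to the token endpoint carries `DPoP: <NewProof(key, "POST", tokenEndpoint, nonce, now)>`; if the IdP answers with a `DPoP-Nonce` header, the request is repeated with that nonce, which is the retry the SDK snippet above performs. The access token then carries `cnf.jkt` equal to `Thumbprint`, and each policy API call needs its own fresh proof for its own method and URL in the `DPoP` header alongside `Authorization: DPoP <access_token>`. The acceptance window and the on-curve check are this example's choices, not the platform's. On the workaround the issue mentions: switching DPoP validation off turns the access token back into a plain bearer credential, so a token captured from a log or a proxy becomes replayable until it expires; that is the security concern a reviewer of that option would weigh.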