
Policy API: Authorization with API-generated token fails with “DPoP header is absent” error #606

Closed
sievdokymov-virtru opened this issue Apr 18, 2024 · 2 comments

Comments

@sievdokymov-virtru
Member

sievdokymov-virtru commented Apr 18, 2024

Policy API calls (both gRPC and HTTP) receive an "Unauthorised" error response when using an API-generated access_token (issued by a request to http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token) for authorisation.
It complains about a problem with DPoP validation: “msg="failed to validate token" error="got 0 dpop headers, should have 1"”

E.g. (screenshot: AuthFailed)

Token generated by this suggestion (screenshot: Token)

Reproducible with a locally deployed Platform which uses the example env setup with Auth enabled (as described in the Readme)

Additional Info:
Currently a DPoP-compatible token can only be generated using the SDK, as per @mkleene (using the following function):

```go
import (
	"fmt"
	"net/http"
)

// jwk.Key, ClientCredentials, Token, getAccessTokenRequest and processResponse
// are defined elsewhere in the SDK package; only this function is quoted here.

// GetAccessToken requests a DPoP-bound access token from the IdP. The first
// request carries a DPoP proof without a nonce; if the IdP answers 400 with a
// dpop-nonce header, the request is repeated once with that nonce in the proof.
func GetAccessToken(tokenEndpoint string, scopes []string, clientCredentials ClientCredentials, dpopPrivateKey jwk.Key) (*Token, error) {
	req, err := getAccessTokenRequest(tokenEndpoint, "", scopes, clientCredentials, &dpopPrivateKey)
	if err != nil {
		return nil, err
	}
	client := http.Client{}
	resp, err := client.Do(req)
	if err != nil {
		// first attempt has no nonce yet, so the message says so
		return nil, fmt.Errorf("error making request to IdP: %w", err)
	}
	defer resp.Body.Close()
	// RFC 9449 nonce challenge: 400 plus a dpop-nonce header means "retry with this nonce"
	if nonceHeader := resp.Header.Get("dpop-nonce"); nonceHeader != "" && resp.StatusCode == http.StatusBadRequest {
		nonceReq, err := getAccessTokenRequest(tokenEndpoint, nonceHeader, scopes, clientCredentials, &dpopPrivateKey)
		if err != nil {
			return nil, err
		}
		nonceResp, err := client.Do(nonceReq)
		if err != nil {
			return nil, fmt.Errorf("error making request to IdP with dpop nonce: %w", err)
		}
		defer nonceResp.Body.Close()
		return processResponse(nonceResp)
	}
	return processResponse(resp)
}
```

And the backend validates only DPoP tokens.

Expected Result:
It is possible to generate a DPoP-compatible token using a direct API call (is it possible to use specific DPoP params?).

Also there is an ongoing discussion regarding the ability to optionally disable DPoP validation. It could be a possible workaround if it doesn't raise additional security concerns.


DPoP-related issues: #566, #593
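Added example, not code from the opentdf platform or its SDK: per RFC 9449 the "specific DPoP param" a direct call needs is the `DPoP` request header carrying a signed proof JWT (the SDK function above builds that header internally; whether the Keycloak in the example env has DPoP enabled is not stated on this page). The block below builds such a proof with only the Go standard library, including the nonce echo the SDK's retry relies on and the `ath` claim a resource request (such as a Policy API call) must add, and shows the checks a receiving side performs. The P-256 key and the URLs are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE segments are base64url without padding

// JWK is a P-256 public key. Field order is the RFC 7638 lexicographic order,
// so json.Marshal of it is also the canonical thumbprint input.
type JWK struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

func publicJWK(pub *ecdsa.PublicKey) JWK {
	return JWK{Crv: "P-256", Kty: "EC",
		X: b64.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		Y: b64.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}

// Thumbprint is the RFC 7638 JWK thumbprint; the IdP binds the access token to
// the proof key by putting this value in the token's cnf.jkt claim.
func Thumbprint(pub *ecdsa.PublicKey) string {
	canon, _ := json.Marshal(publicJWK(pub))
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:])
}

type proofClaims struct {
	JTI   string `json:"jti"`
	HTM   string `json:"htm"`
	HTU   string `json:"htu"`
	IAT   int64  `json:"iat"`
	Nonce string `json:"nonce,omitempty"` // echoed from a DPoP-Nonce challenge
	ATH   string `json:"ath,omitempty"`   // SHA-256 of the access token, resource requests only
}

// BuildProof creates the ES256-signed DPoP proof JWT (RFC 9449 section 4.2) sent in
// the "DPoP" header. Use nonce="" on the first attempt, accessToken="" at the token endpoint.
func BuildProof(priv *ecdsa.PrivateKey, htm, htu, nonce, accessToken string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims := proofClaims{JTI: b64.EncodeToString(jti), HTM: htm, HTU: htu, IAT: now.Unix(), Nonce: nonce}
	if accessToken != "" {
		ath := sha256.Sum256([]byte(accessToken))
		claims.ATH = b64.EncodeToString(ath[:])
	}
	hdr, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&priv.PublicKey)})
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the fixed-width r||s concatenation, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyProof is the receiving side's check (RFC 9449 section 4.3): typ/alg, signature
// under the embedded jwk, htm/htu, nonce and freshness. It returns the proof key's
// thumbprint for comparison with the token's cnf.jkt. jti replay tracking is left out.
func VerifyProof(proof, wantHTM, wantHTU, wantNonce string, now time.Time) (string, error) {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed proof")
	}
	var hdr struct{ Typ, Alg string; JWK JWK }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Kty != "EC" || hdr.JWK.Crv != "P-256" {
		return "", errors.New("bad header, or unsupported typ, alg or key")
	}
	xb, errX := b64.DecodeString(hdr.JWK.X)
	yb, errY := b64.DecodeString(hdr.JWK.Y)
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return "", errors.New("bad key or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature does not verify under the embedded jwk")
	}
	var claims proofClaims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return "", errors.New("bad claims")
	}
	if claims.HTM != wantHTM || claims.HTU != wantHTU || claims.Nonce != wantNonce {
		return "", errors.New("proof is for a different method, URI or nonce")
	}
	if d := now.Unix() - claims.IAT; d > 300 || d < -300 {
		return "", errors.New("proof outside the acceptance window")
	}
	return Thumbprint(pub), nil
}
```

Usage against the token endpoint is a normal client-credentials POST with one extra header, `DPoP: <proof from BuildProof(priv, "POST", tokenURL, "", "", time.Now())>`; on a 400 whose `DPoP-Nonce` header is set, rebuild the proof with that nonce and retry, as the SDK function does. Each later Policy API call needs a fresh proof for its own method and URL with the access token passed as `accessToken`, so the `ath` claim binds the proof to that token; the backend then compares `Thumbprint` of the proof key with the token's `cnf.jkt`. Note that verification accepts only `ES256` and an EC P-256 key: letting the proof's own `alg` pick the algorithm is the classic JWT confusion mistake.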

@mkleene
Contributor

mkleene commented Apr 23, 2024

#617 should resolve this

@sievdokymov-virtru
Member Author

Addressed by the ability to disable DPoP verification introduced in #617. Verified/Fixed.
Closing as Done.
