DPoP

Browser-focused implementation of OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer - draft-ietf-oauth-dpop-03.

Usage

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>it's dpop time!</title>
    <script type="module">
      import DPoP, { generateKeyPair } from 'https://cdn.jsdelivr.net/npm/dpop@^0.6.0';

      const alg = 'ES256'; // see below for other supported JWS algorithms
      
      (async () => {
        const keypair = await generateKeyPair(alg);
        
        // Access Token Request
        const accessTokenRequestProof = await DPoP(keypair, alg, 'https://op.example.com/token', 'POST');

        // Protected Resource Access
        const accessTokenValue = 'W0lFSOAgL4oxWwnFtigwmXtL3tHNDjUCXVRasB3hQWahsVvDb0YX1Q2fk7rMJ-oy';
        const protectedResourceAccessProof = await DPoP(keypair, alg, 'https://rs.example.com/resource', 'GET', accessTokenValue);
      })();
    </script>
  </head>
</html>

Note: Storage of the crypto key pair is not included, use your existing abstraction over IndexedDB to store the CryptoKey instances.

API

default module export

function DPoP(keypair: CryptoKeyPair, alg: string, htu: string, htm: string, accessToken?: string, additional?: object) => Promise<string>;

generateKeyPair named export

function generateKeyPair(alg: string): Promise<CryptoKeyPair>

Supported JWS Algorithms

| JWS Algorithms | Supported || | -- | -- | -- | | ECDSA | ✓ | ES256, ES384, ES512 | | RSASSA-PSS | ✓ | PS256, PS384, PS512 | | RSASSA-PKCS1-v1_5 | ✓ | RS256, RS384, RS512 |

Other JWS algorithms are either not eligible for use with DPoP or unsupported by the Web Cryptography API.

Prerequisites

Requires Web Cryptography API, specifically:

• crypto.subtle.generateKey - support table
• crypto.subtle.exportKey - support table
• crypto.subtle.sign - support table
• crypto.subtle.digest - support table
• crypto.getRandomValues - support table