Phase in ath

Author: Matthieu Bosquet

README.md

@@ -65,3 +65,5 @@ The `solidOidcAccessTokenVerifier` function takes an authorization header which
 - Improve default caching? Assess other libraries that might be used.
 - Evolve the type guards and the type guard library.
 - Allow http over tls on all WebIDs instead of enforcing https as per: https://github.com/solid/authentication-panel/issues/114.
+- Enforce client ID when support is wide enough as per: https://solid.github.io/solid-oidc/#tokens-access
+- Enforce DPoP ath claim when support is wide enough as per: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-03#section-4.2

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@solid/access-token-verifier",
-  "version": "0.9.4",
+  "version": "0.10.0",
   "description": "Verifies Solid OIDC access tokens via their webid claim, and thus asserts ownership of a WebID.",
   "license": "MIT",
   "keywords": [
@@ -60,9 +60,9 @@
   },
   "dependencies": {
     "cross-fetch": "^3.1.4",
-    "jose": "^3.14.0",
+    "jose": "^3.14.3",
     "lru-cache": "^6.0.0",
-    "n3": "^1.11.0",
+    "n3": "^1.11.1",
     "rdf-dereference": "^1.8.0",
     "ts-guards": "^0.5.1"
   }

package.json

@@ -0,0 +1 @@
+export * from "./isValidAthClaim";

src/algorithm/index.ts

@@ -0,0 +1,18 @@
+import { createHash } from "crypto";
+import { encode as base64UrlEncode } from "jose/util/base64url";
+
+/**
+ * Verifies the DPoP Proof ath claim
+ * The base64url encoded SHA-256 hash of the ASCII encoding of the associated access token's value.
+ * See also: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-03#section-4.2
+ */
+export function isValidAthClaim(
+  accessToken: string,
+  athClaim: string
+): boolean {
+  return (
+    base64UrlEncode(
+      createHash("sha256").update(Buffer.from(accessToken, "ascii")).digest()
+    ) === athClaim
+  );
+}

src/algorithm/isValidAthClaim.ts

@@ -2,6 +2,7 @@ import EmbeddedJWK from "jose/jwk/embedded";
 import calculateThumbprint from "jose/jwk/thumbprint";
 import jwtVerify from "jose/jwt/verify";
 import { asserts } from "ts-guards";
+import { isValidAthClaim } from "../algorithm";
 import { isSolidDPoPBoundAccessTokenPayload, isDPoPToken } from "../guard";
 import type {
   SolidAccessToken,
@@ -38,6 +39,14 @@ async function isValidProof(
   asserts.isLiteral(dpop.payload.htm, method);
   asserts.isLiteral(dpop.payload.htu, url);
   asserts.isLiteral(isDuplicateJTI(dpop.payload.jti), false);
+
+  // TODO: Phased-in ath becomes enforced
+  if (typeof dpop.payload.ath === "string" && dpop.payload.ath) {
+    asserts.isLiteral(
+      isValidAthClaim(JSON.stringify(accessToken), dpop.payload.ath),
+      true
+    );
+  }
 }
 
 /**

src/lib/DPoP.ts

@@ -22,4 +22,6 @@ export interface DPoPTokenPayload {
   htu: string;
   iat: number;
   jti: string;
+  // TODO: Phased-in ath becomes enforced
+  ath?: string;
 }

src/type/DPoPToken.ts

@@ -19,6 +19,7 @@ export interface SolidAccessTokenHeader {
 
 export interface SolidAccessTokenPayload {
   aud: "solid" | string[];
+  // TODO: Phased-in client_id becomes enforced
   client_id?: string;
   exp: number;
   iat: number;

src/type/SolidAccessToken.ts

@@ -1,10 +1,12 @@
 import jwtVerify from "jose/jwt/verify";
+import { isValidAthClaim } from "../src/algorithm/isValidAthClaim";
 import { verify } from "../src/lib/DPoP";
-import type { DPoPToken } from "../src/type";
+import type { DPoPToken, DPoPTokenPayload } from "../src/type";
 import { encodeToken } from "./fixture/EncodeToken";
 
 /* eslint-disable @typescript-eslint/no-explicit-any */
 jest.mock("jose/jwt/verify");
+jest.mock("../src/algorithm/isValidAthClaim");
 
 const dpop: DPoPToken = {
   header: {
@@ -27,6 +29,14 @@ const dpop: DPoPToken = {
     "lNhmpAX1WwmpBvwhok4E74kWCiGBNdavjLAeevGy32H3dbF0Jbri69Nm2ukkwb-uyUI4AUg1JSskfWIyo4UCbQ",
 };
 
+const dpopPayloadWithAth: DPoPTokenPayload = {
+  jti: "e1j3V_bKic8-LAEB",
+  htm: "GET",
+  htu: "https://resource.example.org/protectedresource",
+  iat: 1562262618,
+  ath: "bla",
+};
+
 const dpopRSA: DPoPToken = {
   header: {
     typ: "dpop+jwt",
@@ -79,6 +89,54 @@ describe("DPoP proof", () => {
     ).toStrictEqual(dpop);
   });
 
+  it("Checks conforming proof with EC Key and ath claim", async () => {
+    (jwtVerify as jest.Mock).mockResolvedValueOnce({
+      payload: dpopPayloadWithAth,
+      protectedHeader: dpop.header,
+    });
+    (isValidAthClaim as jest.Mock).mockReturnValueOnce(true);
+
+    expect(
+      await verify(
+        encodeToken(dpop),
+        {
+          payload: {
+            cnf: { jkt: "0ZcOCORZNYy-DWpqq30jZyJGHTN0d2HglBV3uiguA4I" },
+          },
+        } as any,
+        "GET",
+        "https://resource.example.org/protectedresource",
+        () => false
+      )
+    ).toStrictEqual({
+      header: dpop.header,
+      payload: dpopPayloadWithAth,
+      signature: dpop.signature,
+    });
+  });
+
+  it("Throws on invalid ath claim", async () => {
+    (jwtVerify as jest.Mock).mockResolvedValueOnce({
+      payload: dpopPayloadWithAth,
+      protectedHeader: dpop.header,
+    });
+    (isValidAthClaim as jest.Mock).mockReturnValueOnce(false);
+
+    await expect(
+      verify(
+        encodeToken(dpop),
+        {
+          payload: {
+            cnf: { jkt: "0ZcOCORZNYy-DWpqq30jZyJGHTN0d2HglBV3uiguA4I" },
+          },
+        } as any,
+        "GET",
+        "https://resource.example.org/protectedresource",
+        () => false
+      )
+    ).rejects.toThrow("Expected true, got:\nfalse");
+  });
+
   it("Checks conforming proof with RSA Key", async () => {
     (jwtVerify as jest.Mock).mockResolvedValueOnce({
       payload: dpopRSA.payload,

test/DPoP.test.ts

@@ -0,0 +1,13 @@
+import { isValidAthClaim } from "../src/algorithm/isValidAthClaim";
+
+// Example data extracted from https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-03#section-7.1
+describe("isValidAthClaim", () => {
+  it("Validates a correct claim", () => {
+    expect(
+      isValidAthClaim(
+        "Kz~8mXK1EalYznwH-LC-1fBAo.4Ljp~zsPE_NeO.gxU",
+        "fUHyO2r2Z3DZ53EsNrWBb0xWXoaNy59IiKCAqksmQEo"
+      )
+    ).toBe(true);
+  });
+});