
Feature Request: Add Support for OAuth 2.0 DPoP (RFC 9449) Validation #1960

@KostasAnagnostou


Feature description

Hi Micronaut Team,

I would like to request consideration for adding built-in support for OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) validation, as specified in RFC 9449, to Micronaut Security.

Motivation:
DPoP provides a significant security enhancement over standard bearer tokens by cryptographically binding the token to the specific client making the request. This sender-constraining mechanism effectively mitigates the risk of stolen access tokens being misused, a common vulnerability with bearer tokens, especially for public clients like mobile apps and Single Page Applications (SPAs). As security standards evolve (e.g., requirements in FAPI 2.0 Security Profile), DPoP is becoming increasingly important for building highly secure applications.

Current Situation:
While Micronaut Security offers excellent support for validating standard bearer tokens (JWTs), implementing DPoP validation currently requires custom code. This involves manually parsing the DPoP header, validating the DPoP proof JWT (signature, claims like htu, htm, jti, iat), extracting the cnf.jkt claim from the access token, calculating and comparing JWK thumbprints, and integrating this custom logic into the security filter chain.

Comparison & Importance:
We've noticed that other major Java frameworks like Spring Security (in recent versions) and Quarkus (via its OIDC extension) have added native support for DPoP validation, simplifying its adoption for developers using those platforms. Having this capability within Micronaut would align it with these evolving security best practices and make it easier for developers to build more secure applications.

Request:
Are there any plans to incorporate built-in DPoP validation capabilities into a future release of Micronaut Security?

Having out-of-the-box support, likely configurable similarly to existing authentication mechanisms, would greatly reduce implementation complexity and encourage the adoption of this more secure standard within the Micronaut ecosystem. Ideally, this would handle the core validation steps:

Parsing the DPoP header.
Validating the DPoP proof signature using the embedded JWK.
Validating standard DPoP claims (htu, htm, iat, jti).
Validating the binding between the DPoP proof's public key and the access token's cnf.jkt claim.

Thank you for considering this feature request and for your fantastic work on the Micronaut framework.
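The four validation steps listed in the request, worked through in Go as an added example (it is not code from this issue, from Micronaut Security or from any of the frameworks named above, and uses only the Go standard library). It assumes the resource server has already verified the access token on its normal bearer-token path and extracted the `cnf.jkt` claim, that the request URI passed in has query and fragment stripped (which is all `htu` carries), that only ES256 proofs are accepted, and that a plain map stands in for a bounded replay cache keyed by `jti`. The `MakeProof` function is the client side, included only so the validator can be exercised offline; the key, URI and `jti` values in the usage are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url
const skew = 5 * time.Minute    // tolerated clock drift when checking iat (assumed policy)
type dpopHeader struct {
	Typ string            `json:"typ"`
	Alg string            `json:"alg"`
	JWK map[string]string `json:"jwk"` // the client's public key, embedded per RFC 9449
}
type dpopClaims struct {
	Htm string `json:"htm"`
	Htu string `json:"htu"`
	Iat int64  `json:"iat"`
	Jti string `json:"jti"`
}

// Thumbprint is the RFC 7638 JWK thumbprint of a P-256 key: SHA-256 over the canonical JSON of
// the required members in lexicographic order. The authorization server stores the same value in cnf.jkt.
func Thumbprint(k map[string]string) string {
	canon := fmt.Sprintf(`{"crv":%q,"kty":%q,"x":%q,"y":%q}`, k["crv"], k["kty"], k["x"], k["y"])
	sum := sha256.Sum256([]byte(canon))
	return b64.EncodeToString(sum[:])
}

// Validate checks one DPoP proof against the request it accompanies and the cnf.jkt taken from an
// already-verified access token (RFC 9449 section 4.3). uri is the request URI without query and
// fragment. seenJTI is the replay cache and is updated only after every check has passed.
func Validate(proof, method, uri, expectedJKT string, now time.Time, seenJTI map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("proof is not a compact JWS")
	}
	var hdr dpopHeader
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return errors.New("malformed header")
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" {
		return errors.New("unexpected typ, alg or embedded JWK")
	}
	// Rebuild the public key from the embedded JWK; an ES256 signature is r||s, 32 bytes each.
	xb, errX := b64.DecodeString(hdr.JWK["x"])
	yb, errY := b64.DecodeString(hdr.JWK["y"])
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return errors.New("malformed key or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // JWS signing input
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("proof signature invalid")
	}
	var c dpopClaims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return errors.New("malformed claims")
	}
	if c.Htm != method || c.Htu != uri {
		return errors.New("htm/htu do not match the request")
	}
	if iat := time.Unix(c.Iat, 0); iat.Before(now.Add(-skew)) || iat.After(now.Add(skew)) {
		return errors.New("iat outside acceptance window")
	}
	if c.Jti == "" || seenJTI[c.Jti] {
		return errors.New("jti missing or already used (replay)")
	}
	if Thumbprint(hdr.JWK) != expectedJKT { // the key binding that makes the token sender-constrained
		return errors.New("proof key does not match access token cnf.jkt")
	}
	seenJTI[c.Jti] = true
	return nil
}

// MakeProof is the client side, included only so the validator can be exercised offline.
func MakeProof(priv *ecdsa.PrivateKey, method, uri, jti string, iat time.Time) (string, map[string]string) {
	k := map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64.EncodeToString(priv.X.FillBytes(make([]byte, 32))),
		"y": b64.EncodeToString(priv.Y.FillBytes(make([]byte, 32)))}
	hdr, _ := json.Marshal(dpopHeader{Typ: "dpop+jwt", Alg: "ES256", JWK: k})
	claims, _ := json.Marshal(dpopClaims{Htm: method, Htu: uri, Iat: iat.Unix(), Jti: jti})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), k
}
```

Order of checks matters: the signature is verified before any claim is trusted, and the `jti` is recorded only once the thumbprint comparison has passed, so a proof that fails binding does not poison the replay cache for a later legitimate one. A framework integration would sit at the same point as the existing bearer-token validation, since the `cnf.jkt` comparison is what turns an otherwise valid JWT into a sender-constrained one.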
