ory
Is there a plan to implement RFC 9449 (DPoP: Demonstrating Proof of Possession)
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
Right now, the OIDC system doesn’t have a way to prove that a token is being used by the person who owns it. Since RFC 9449 (DPoP) is now a standard, adding it to OIDC would make the system more secure by preventing token misuse.
Describe your ideal solution
The ideal solution is to implement RFC 9449 (DPoP) in OIDC. This would allow the client to prove they own the token by signing each request with a key. It adds an extra layer of security by making sure tokens can’t be reused or stolen easily.
Workarounds or alternatives
Right now, we use other methods like Mutual TLS or token binding, but these are more complicated and less flexible than DPoP. Adding DPoP would simplify things and improve security.
Version
Latest
Additional Context
No response
We have an implementation available that I will be happy to contribute. However, given other PRs related to standards have remained open for a very long time, I am reluctant to invest the time unless there is engagement from the core team.
We are happy to invest time in review and improvement but need a commercial case for it given how much other work we have. Right now there is no one interested in this commercially.
@vivshankar if you want you can pull up the PR and once we have such a case we‘ll invest the time it needs.
See device auth grant, this is finally making it to master soon because we have a commercial case for it finally :) If you have a commercial case (support/enterprise license) please reach out here: www.ory.sh/contact
Hello contributors!
I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue
- open a PR referencing and resolving the issue;
- leave a comment on it and discuss ideas on how you could contribute towards resolving it;
- leave a comment and describe in detail why this issue is critical for your use case;
- open a new issue with updated details and a plan for resolving the issue.
Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.
Unfortunately, burnout has become a topic of concern amongst open-source projects.
It can lead to severe personal and health issues as well as opening catastrophic attack vectors.
The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.
If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.
Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!
Thank you 🙏✌️
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}