Next: , Previous: , Up: The Json Web Token   [Contents][Index]


8.7 DPoP proofs

The (webid-oidc dpop-proof) module contains a definition for the DPoP proof token.

Class: <dpop-proof> (<single-use-token>) typ jwk htm htu ath

The DPoP proof is a token that is issued by the client, and presented to the resource server along with an access token. It is only valid for one request, and for one use. So, it should have a very short validity frame, for instance 30 seconds, and should only be valid for a specific request method htm and a specific request URI htu, down to the path, but ignoring the query and fragment.

The DPoP proof is the proof of possession of jwk, a public key. It should always have a typ field set to "dpop+jwt".

To construct a DPoP proof, you would either need #:jwt-header and #:jwt-payload, as for any token, or a combination of parameters:

This token class comes with a stricter verification function: it requires you to pass the following keyword arguments to decode:

#:access-token

set the access token that should go with the proof, defaults to #f (no access token);

#:method

set the method used for the proof;

#:uri

set the URI used for the proof;

#:cnf/check

set the expected hash of the key used by the DPoP proof, or a function taking a public key hash. If this is a function, it should raise an exception if the hash is invalid, because its return value is ignored.
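As an added illustration, not code from the webid-oidc library, the following Python model applies the checks described above to an already-decoded DPoP proof and raises one error per condition the exception types of this section distinguish (method mismatch, URI mismatch, wrong access token, unconfirmed key). It assumes the JWT layer has already verified the proof's signature against the embedded jwk, computes ath as base64url(SHA-256(access token)) as RFC 9449 specifies, confirms the key with an RFC 7638 JWK thumbprint, and uses a constructed JWK and access token; the function and class names are its own.

```python
"""Model of the DPoP proof checks a resource server performs (added example)."""
import base64
import hashlib
import json
import time
from urllib.parse import urlsplit, urlunsplit


class InvalidDpopProof(Exception):
    """Mirrors &invalid-dpop-proof; the subclasses mirror the specific cases."""


class _Mismatch(InvalidDpopProof):
    def __init__(self, advertised, actual):
        super().__init__(f"{type(self).__name__}: proof says {advertised!r}, request has {actual!r}")
        self.advertised, self.actual = advertised, actual


class DpopMethodMismatch(_Mismatch):
    """&dpop-method-mismatch: advertised = htm claim, actual = request method."""


class DpopUriMismatch(_Mismatch):
    """&dpop-uri-mismatch: advertised = htu claim, actual = request URI."""


class DpopInvalidAth(_Mismatch):
    """&dpop-invalid-ath: advertised = ath hash, actual = presented access token."""


class DpopUnconfirmedKey(InvalidDpopProof):
    """&dpop-unconfirmed-key: the proof's key is not the expected one."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def access_token_hash(access_token: str) -> str:
    # ath = base64url(SHA-256(ASCII access token)), per RFC 9449.
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: required members only, lexicographic key order, no whitespace.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def normalize_htu(uri: str) -> str:
    # htu covers scheme, host and path only: the query and fragment are ignored.
    p = urlsplit(uri)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def verify_dpop_proof(header, payload, *, method, uri, access_token=None,
                      cnf_check=None, now=None, max_age=30, seen_jti=None):
    """Check a proof whose signature was already verified against header['jwk']."""
    if header.get("typ") != "dpop+jwt":
        raise InvalidDpopProof("typ must be dpop+jwt")
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "kty" not in jwk:
        raise InvalidDpopProof("proof carries no public key")
    for claim in ("htm", "htu", "iat", "jti"):
        if claim not in payload:
            raise InvalidDpopProof(f"missing claim {claim}")
    if payload["htm"].upper() != method.upper():          # one specific method
        raise DpopMethodMismatch(payload["htm"], method)
    if normalize_htu(payload["htu"]) != normalize_htu(uri):  # one specific URI
        raise DpopUriMismatch(payload["htu"], uri)
    now = time.time() if now is None else now             # short validity frame
    if not (now - max_age <= payload["iat"] <= now + 5):  # 5 s skew tolerance
        raise InvalidDpopProof("iat outside the acceptance window")
    if seen_jti is not None:                              # one use: reject replays
        if payload["jti"] in seen_jti:
            raise InvalidDpopProof("jti already seen")
        seen_jti.add(payload["jti"])
    ath = payload.get("ath")                              # binds proof to the token
    if access_token is not None and ath != access_token_hash(access_token):
        raise DpopInvalidAth(ath, access_token)
    jkt = jwk_thumbprint(jwk)                             # confirm the key
    if callable(cnf_check):
        cnf_check(jkt)                                    # must raise; result ignored
    elif cnf_check is not None and cnf_check != jkt:
        raise DpopUnconfirmedKey(f"expected {cnf_check}, proof uses {jkt}")
    return {"jkt": jkt, "htm": method.upper(), "htu": normalize_htu(uri), "ath": ath}


def outcome(header, payload, **kwargs):
    """Return the verification result, or the InvalidDpopProof instance raised."""
    try:
        return verify_dpop_proof(header, payload, **kwargs)
    except InvalidDpopProof as exc:
        return exc


# Constructed sample data: the JWK coordinates are placeholders, not a real key.
NOW = 1_700_000_000
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
SAMPLE_TOKEN = "constructed-access-token"
HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}


def sample_payload(**overrides):
    base = {"htm": "GET", "htu": "https://resource.example/files/notes", "iat": NOW,
            "jti": "c2ded5a0-constructed", "ath": access_token_hash(SAMPLE_TOKEN)}
    base.update(overrides)
    return base
```

The query and fragment on the request URI are dropped before comparison, so a proof for `https://resource.example/files/notes` also covers `https://resource.example/files/notes?v=2#top`, while any change to the path raises a URI mismatch; the `seen_jti` set stands in for whatever replay cache the server keeps for the validity window.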

Generic: jwk proof

Return the public key whose possession proof demonstrates.

Generic: htm proof

Return the HTTP method in proof, as a symbol.

Generic: htu proof

Return the HTTP URI in proof, as a URI.

Generic: ath proof

Return the hash of the access token that should go with proof, or #f if proof is not used with an access token.

Generic: typ proof

Return "dpop+jwt".

Exception type: &invalid-dpop-proof

This exception is raised when the DPoP proof is invalid.

function: make-invalid-dpop-proof

Construct an exception of type &invalid-dpop-proof.

function: invalid-dpop-proof? exception

Check whether exception was raised because of an invalid DPoP proof.

Exception type: &dpop-method-mismatch advertised actual

This exception is raised when the advertised method is not what is actually used in the request (both symbols).

function: make-dpop-method-mismatch advertised actual

Construct an exception of type &dpop-method-mismatch.

function: dpop-method-mismatch? exception

Check whether exception was raised because of a difference between the advertised and actual HTTP methods used.

function: dpop-method-mismatch-advertised exception

In case of a DPoP method mismatch causing exception, return the method used in the proof signature.

function: dpop-method-mismatch-actual exception

In case of a DPoP method mismatch causing exception, return the method that the server received.

Exception type: &dpop-uri-mismatch advertised actual

This exception is raised when the advertised URI is not what is actually used in the request (both URIs).

function: make-dpop-uri-mismatch advertised actual

Construct an exception of type &dpop-uri-mismatch.

function: dpop-uri-mismatch? exception

Check whether exception was raised because of a difference between the advertised and actual HTTP URIs used.

function: dpop-uri-mismatch-advertised exception

In case of a DPoP URI mismatch causing exception, return the URI used in the proof signature.

function: dpop-uri-mismatch-actual exception

In case of a DPoP URI mismatch causing exception, return the URI that the server received.

Exception type: &dpop-invalid-ath hash access-token

This exception is raised when the DPoP proof is intended for use along with an access token identified by hash, but is actually used along with access-token.

function: make-dpop-invalid-ath hash access-token

Construct an exception of type &dpop-invalid-ath.

function: dpop-invalid-ath? exception

Check whether exception was raised because the DPoP proof was not used with the correct access token.

function: dpop-invalid-ath-hash exception

In case of a DPoP proof presented with the wrong access token, causing exception, return the hash of the intended access token.

function: dpop-invalid-ath-access-token exception

In case of a DPoP proof presented with the wrong access token, causing exception, return the actual access token.

Exception type: &dpop-unconfirmed-key

This exception is raised when the DPoP proof does not demonstrate the possession of the correct key.

function: make-dpop-unconfirmed-key

Construct an exception of type &dpop-unconfirmed-key.

function: dpop-unconfirmed-key? exception

Check whether exception was raised because the DPoP proof demonstrated the possession of an incorrect key.
