[Question]: Support for DPoP from RFC 9449 #1891
Is your feature request related to a problem? Please describe.
Is it planned to support RFC 9449 now that it's official? :)
https://www.rfc-editor.org/rfc/rfc9449
Describe the solution you'd like
Out-of-the-box support for RFC 9449 via configuration.
Additional context
Thanks a lot for your hard work.
Comments
Hi @jonathanantoine, thanks. At present this is not possible from a public client. You need to keep a secret for this. Maybe at some stage the browsers will support non-exportable certificates; then this would be possible, but I believe this is not possible yet. Kind regards, Damien

Hello @damienbod, the goal of this RFC is to provide DPoP for public clients, and especially browsers. Am I missing something?

Hi @jonathanantoine, to use DPoP you need a certificate with a public/private key pair. The private part, or the secret, is in the client. One way this could work in the future is when browsers support non-exportable certificates. Then we could use DPoP.

First of all, thanks for answering me @damienbod. Can't we use the SubtleCrypto JavaScript API? The idea is to generate a private key for each authentication session. The key would still be accessible if you can execute code in the same context, but this is less probable, and the tokens would not be usable on their own.