From what I gather it\u2019s mainly targeted at public clients like single-page applications. However, now even our traditional server-side web apps that let clients log in via Okta no longer work and it looks like the framework doesn\u2019t provide support for this new standard yet.<\/p>\n\n\n\n
Dear Joris, I don\u2019t know what to do: my manager is asking me every day when I will have resolved this blocking issue, but I don\u2019t even know where to start! Can you please offer some of your advice? Ideally for free?<\/p>\n\n\n\n
Restless in Rotterdam<\/em><\/p>\n\n\n\n I can see how this issue is keeping you awake at night: this \u201cDemonstrating Proof of Possession\u201d standard is pretty new and indeed not yet supported when you configure Spring Security with OIDC. As I can imagine that other readers of this advice column are struggling with the same issue that you\u2019re facing, I\u2019ve created a sample application that shows how to go about this. Fear not: I\u2019m sure that with my help you\u2019ll be able to solve your problems in no time! Well, the DPoP-related ones, at least. <\/p>\n\n\n\n Proof of Possession means that you can prove that when you\u2019re sending JWTs with OIDC, they really came from you and weren\u2019t leaked to be used for things like replay attacks. There\u2019s plenty of info on the web that provides more background, but for Okta you should at least read their documentation on their support<\/a>.<\/p>\n\n\n\n What you can see there is that in order to successfully interact with the When you\u2019ve managed to do that, you\u2019re not done yet. A Spring Security application using OIDC will also interact with a If you\u2019re just feeling yourself tumbling into the pit of despair after reading all of that, fear not: I\u2019ll walk you through the required steps.<\/p>\n\n\n\n At the core of DPoP is the creation of the signed JWT that\u2019s your DPoP header value. Let\u2019s create a token manager that knows how to do that.<\/p>\n\n\n Spring Security\u2019s OAuth 2 client support comes with a dependency on the Nimbus JOSE + JWT library<\/a>. We\u2019re using that to generate an RSA-based JWK if one isn\u2019t explicitly configured and to create and sign a JWT with the header and claims that we need for DPoP. <\/p>\n\n\n\n We\u2019ll add methods to this class to enrich the HTTP requests we send to Okta in a moment. <\/p>\n\n\n\n We\u2019ll start to implement first steps of the DPoP flow as shown in Okta\u2019s documentation:<\/p>\n\n\n\n Note that Okta acts as the Authorization server in our case and our own application is the OIDC client. That\u2019s because our security is handled in the backend application, rather than an application client. It turns out that in Spring Security, the steps used to obtain an access and ID token are coordinated by an What do we need to customize? As it turns out, several things:<\/p>\n\n\n\n All moving parts of the framework that handle the regular OIDC flow can be replaced through configuration. Here\u2019s an implementation:<\/p>\n\n\nDear Restless in Rotterdam,<\/h1>\n\n\n\n
However, please keep in mind that Spring Security is a framework: it has been created with extensibility in mind, so the solution lies in finding the right extension points to then implement the necessary support yourself.<\/p>\n\n\n\nDemonstrating what<\/em> and how<\/em>, exactly?<\/h2>\n\n\n\n
\/token<\/code> endpoint, you have to add a DPoP request header with a JWT that\u2019s signed using a dedicated RSA-based JWK.
When doing that for the first time, the server will respond with a 400 Bad Request that contains a nonce as a response header. You then need to repeat your request with that nonce incorporated as a claim in your signed JWT. You should cache that nonce and refresh it every 24 hours.<\/p>\n\n\n\n\/userinfo<\/code> endpoint if the response of the \/token<\/code> endpoint includes some of the expected scopes. For that, DPoP requires you to use the returned access token as an \u201cAuthorization: DPoP <token><\/code>\u201d header AND to send a DPoP header with an additional \u201cath<\/code>\u201d claim containing the Base64-encoded SHA-256 hash of that same access token (which is an Okta-specific requirement, BTW).<\/p>\n\n\n\nSign on the dotted line<\/h2>\n\n\n\n
\n@Component\npublic class DpopTokenManager {\n\n private final Logger logger = LoggerFactory.getLogger(getClass());\n private final JWSSignerFactory jwsSignerFactory = new DefaultJWSSignerFactory();\n\n private volatile JWK jwk;\n private volatile String nonce;\n\n \/**\n * Should be reset every 24 hours.\n * @see <a href="https:\/\/developer.okta.com\/docs\/guides\/dpop\/nonoktaresourceserver\/main\/#configure-dpop">Okta docs<\/a>\n *\/\n @Scheduled(fixedDelay = 1000L * 60L * 60L * 24L)\n public void resetNonce() {\n this.nonce = null;\n logger.info("DPoP nonce reset");\n }\n\n public void setNonce(String nonce) {\n this.nonce = nonce;\n }\n\n \/\/ ...\n \n private String generateDpopToken(RequestEntity<?> request, String ath) {\n try {\n \/\/ could also be fixated via config using RSAKey.parse()\n if (this.jwk == null) {\n this.jwk = new RSAKeyGenerator(2048).keyID("1").generate();\n }\n var claimsBuilder = new JWTClaimsSet.Builder()\n .claim("htu", request.getUrl().toString())\n .claim("htm", request.getMethod().toString())\n .issueTime(new Date())\n .jwtID(UUID.randomUUID().toString());\n if (ath != null) {\n claimsBuilder.claim("ath", ath);\n } else if (this.nonce != null) {\n claimsBuilder.claim("nonce", this.nonce);\n }\n var signedJWT = new SignedJWT(\n new JWSHeader.Builder(JWSAlgorithm.RS256)\n .jwk(this.jwk.toPublicJWK())\n .type(new JOSEObjectType("dpop+jwt"))\n .build(),\n claimsBuilder.build());\n signedJWT.sign(jwsSignerFactory.createJWSSigner(this.jwk));\n return signedJWT.serialize();\n } catch (JOSEException e) {\n throw new RuntimeException("Can't generate DpopToken", e);\n }\n }\n}\n<\/pre><\/div>\n\n\nGo with the flow<\/h2>\n\n\n\n
![](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeTYu-i2dhcOWx0b2TtuxlZkaNggJocSbJBlmbhV60KRhqtt4qX2ZSa2kNOaoTxeucjXu8wG_wALKkrPPchAkoalH9_7mZuVQ8YhgImhpJYMReEWJCAe4e2HYO4wMz6uDreyc9KYQ?key=-DGiwD3sGNBWSBM23nx2dJRY\")
Step 1 has been implemented in the code already shown. So where do we start to add support for the other steps?<\/p>\n\n\n\nOAuth2AccessTokenResponseClient<\/code>. The default implementation for that is the DefaultAuthorizationCodeTokenResponseClient<\/code> (or, in the latest Spring Security version which deprecates that class, the RestClientAuthorizationCodeTokenResponseClient<\/code>; I\u2019ll focus on the former for this column, as most readers won\u2019t be on the very latest yet).
That default has no support for DPoP, however, and assumes that it\u2019ll receive a Bearer token rather than a DPoP token as a response. Let\u2019s fix that by providing our own implementation, based on the default.<\/p>\n\n\n\n\n
\n@Component\npublic class DpopAuthorizationCodeTokenResponseClient implements OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> {\n private static final String INVALID_TOKEN_RESPONSE_ERROR_CODE = "invalid_token_response";\n\n private final DpopTokenManager tokenManager;\n private final OAuth2AuthorizationCodeGrantRequestEntityConverter requestEntityConverter \n = new OAuth2AuthorizationCodeGrantRequestEntityConverter();\n private final RestTemplate restTemplate;\n\n public DpopAuthorizationCodeTokenResponseClient(DpopTokenManager tokenManager) {\n this.tokenManager = tokenManager;\n var oAuth2AccessTokenResponseHttpMessageConverter = new OAuth2AccessTokenResponseHttpMessageConverter();\n oAuth2AccessTokenResponseHttpMessageConverter.setAccessTokenResponseConverter(\n new CustomTokenResponseConverter());\n this.restTemplate = new RestTemplate(List.of(\n new FormHttpMessageConverter(), oAuth2AccessTokenResponseHttpMessageConverter));\n restTemplate.setErrorHandler(new DPopAwareOAuth2ErrorResponseErrorHandler());\n }\n\n @Override\n public OAuth2AccessTokenResponse getTokenResponse(OAuth2AuthorizationCodeGrantRequest authorizationGrantRequest) {\n RequestEntity<?> request = requestEntityConverter.convert(authorizationGrantRequest);\n ResponseEntity<OAuth2AccessTokenResponse> response;\n try {\n try {\n response = this.restTemplate.exchange(tokenManager.withDpopHeader(request), OAuth2AccessTokenResponse.class);\n } catch (DpopChallengeExceptionException e) {\n tokenManager.setNonce(e.nonce);\n response = this.restTemplate.exchange(tokenManager.withDpopHeader(request), OAuth2AccessTokenResponse.class);\n }\n } catch (RestClientException ex) {\n var oauth2Error = new OAuth2Error(INVALID_TOKEN_RESPONSE_ERROR_CODE,\n "An error occurred while attempting to retrieve the OAuth 2.0 Access Token Response: " + ex.getMessage(), null);\n throw new OAuth2AuthorizationException(oauth2Error, ex);\n }\n OAuth2AccessTokenResponse tokenResponse = response.getBody();\n Assert.notNull(tokenResponse,\n "The authorization server responded to this Authorization Code grant request with an empty body; as such, it cannot be materialized into an OAuth2AccessTokenResponse instance. Please check the HTTP response code in your server logs for more details.");\n return tokenResponse;\n }\n}\n<\/pre><\/div>\n\n\n
![](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXfaBc9CtmnbeyJcLQOZYzXhVqznctXdueZxsp_pqSff6bF1MEz7U7Aa9VxGig8sm64VAIXLlXOXd7CnexhHHxzRsDJPMpO1G6HzzA82CD874lhVo7YJTUdYOqT6Q-b8YK4YoTUL?key=-DGiwD3sGNBWSBM23nx2dJRY\")
<\/p>\n\n\n\n