Access token cnf does not match the DPoP header JWK

Hi there, I request an accessToken at solidcommunity and get this one:

Header:
{
  "alg": "RS256",
  "kid": "JqKos_btHpg"
}

Payload:
{
  "iss": "https://solidcommunity.net",
  "aud": [
    "3d542a42bf3ccfbbexxxxxxxxx"
  ],
  "sub": "https://naturzukunft.solidcommunity.net/profile/card#me",
  "exp": 1606977648,
  "iat": 1605768048,
  "jti": "4388433830923e92",
  "cnf": {
    "jkt": "trHYl6BghksqdTyagExxxxxxxxxxxx"
  }
}

Then I do a GET https://naturzukunft.solidcommunity.net/inbox/
with the HTTP Headers:
Authorization - "DPoP <accessTokenSeeAbove>"
DPoP - "<myDPoPToken>"

myDPoPToken:

Header:
{
  "typ": "dpop+jwt",
  "alg": "RS256",
  "jwk": {
    "kty": "RSA",
    "e": "AQAB",
    "alg": "RS256",
    "n": "ALFYcxxxxxxxxxxxxxxx"
  }  
}

Payload:
{
  "htm": "GET",
  "htu": "https://naturzukunft.solidcommunity.net/inbox/",
  "iat": 1605768120,
  "jti": "b26f9133-ec8f-48f5-9957-7d9ae0bca4f3"
}

and get a 401 UNAUTHORIZED response with the headers:

X-Powered-By: solid-server/5.5.3
Vary: Accept, Authorization, Origin
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: Authorization, User, Location, Link, Vary, Last-Modified, ETag, Accept-Patch, Accept-Post, Updates-Via, Allow, WAC-Allow, Content-Length, WWW-Authenticate, MS-Author-Via
Allow: OPTIONS, HEAD, GET, PATCH, POST, PUT, DELETE
WWW-Authenticate: Bearer realm="https://solidcommunity.net", scope="openid webid", error="invalid_token", error_description="Access token cnf does not match the DPoP header JWK"
Link: <.acl>; rel="acl", <.meta>; rel="describedBy", <http://www.w3.org/ns/ldp#Container>; rel="type", <http://www.w3.org/ns/ldp#BasicContainer>; rel="type"
Content-Type: text/html; charset=utf-8
Content-Length: 1042
ETag: W/"412-6DsNwrgfO9+oIbmr3DXCzqpmc2w"
Date: Thu, 19 Nov 2020 06:49:44 GMT
Connection: keep-alive

Does anybody know this “Access token cnf does not match the DPoP header JWK” problem and see an error?

Thanks Fredy

I fixed it. After days/weeks I'm able to read private data :wink:
The problem was my DPoP token cache. I made a mistake with the cache id. This ended in different DPoP tokens with a new timestamp, public key, etc.

1 Like

I’ve been combing the forum for tips on getting private data using solid-auth-client / OIDC, which I have working in the normal way, but not through my home-made proxy. Hope you don’t mind my dropping in here to mention it. Looks like you have some insight into making authentication/authorization work. If you have a few minutes, and feel like taking a look: