This is a continuation of The use of DPoP in the /token endpoint.
To reiterate and update: I’m building an iOS native mobile (Swift) authentication library for Solid pods. The design is intended to have the initial part of the authentication (up to and including the browser redirect) work only on the iOS client and later steps (e.g., requests to refresh access tokens using the refresh token) work either on iOS or on backend Swift-based servers (e.g., running on Linux).
I’m building this library for general use in iOS apps, and for my specific project. In my project, I also need to send an id token (or access token) up to my custom server in an initial request. In order to have this happen, I’m going to do the initial /token endpoint request on the iOS client-- Because not all issuers give id token earlier in an authorization sequence.
Proceeding on that basis, I had also not been adding a DPoP header to this initial /token request. In part because the issuers I’m working with so far don’t fail when /token requests are made without a DPoP header, and in part just because its simpler not to have a public/private key pair on my iOS client.
I’m now doing testing of the code that will make resource requests in my server, using the refresh token generated in the above manner, and I’m getting a 401 response with the failure:
Www-Authenticate"): "Bearer realm=“https://solidcommunity.net”, scope=“openid webid”, error=“invalid_token”, error_description=“Cannot read property ‘jkt’ of undefined”
This is coming from a resource request I’m making to a Solid server (a HEAD request to https://crspybits.solidcommunity.net/NewDirectory).
I suspect this is because I didn’t use a DPoP header in my /token request that generated the refresh token. I think the error message is effectively saying it doesn’t have my public key in the access token I’m sending in the HEAD request.
If my reasoning is correct, then it looks like I have to have a public/private key pair on the iOS mobile client.
And if so, I’m wondering that public/private key pair has to the same as on my custom server-- which generates DPoP’s to make resource requests. I hope this isn’t needed because that sounds like a security problem-- to have the same public/private key pair on my client and custom server.