Solid OIDC Primer works great for Inrupt pods, but DPoP rejects IAT on Community Solid Server

nikolaswise · April 17, 2024, 9:34am

Hello! I’ve got an application running demo code for the Solid OIDC primer workflow, authenticating a static client-side app.

I’ve got the flow working great for my WebID on Inrupt’s ESS (Inrupt WebID Profile Editor) but not for my own hosted instance of Community Solid Server (https://nkws.login.stucco.software/profile/card).

The CSS provider is throwing a 400 invalid_dpop_proof error, "“DPoP proof iat is not recent enough”.

I checked my server clock, it’s correct. I checked my client clock, it’s correct. They line up fine. If I adjust my IAT back and forth a little, no difference same error. If I adjust my IAT back and forth a LOT, no difference same error.

Everything I could find in the codebases indicates that I should have a couple minute wiggle room. My clocks are well within that tolerance, but still no dice!

Any thoughts on how to get my DPoP verified?

nikolaswise · April 17, 2024, 11:04am

fwiw the demo application lives here!

https://solid-authentication.rdf.systems/

josephguillaume · April 17, 2024, 11:14pm

If I understand correctly, the code is calculating iat in milliseconds, when it should be in seconds?

solid-client-authn-js uses the Jose library for jwt creation

github.com

inrupt/solid-client-authn-js/blob/2375a39b48c89d5cd624496507c59483fe56592f/packages/core/src/authenticatedFetch/dpopUtils.ts#L68


      
            return new SignJWT({
              htu: normalizeHTU(audience),
              htm: method.toUpperCase(),
              jti: v4(),
            })
              .setProtectedHeader({
                alg: PREFERRED_SIGNING_ALG[0],
                jwk: dpopKey.publicKey,
                typ: "dpop+jwt",
              })
              .setIssuedAt()
              .sign(dpopKey.privateKey, {});
          }
          
          export async function generateDpopKeyPair(): Promise<KeyPair> {
            const { privateKey, publicKey } = await generateKeyPair(
              PREFERRED_SIGNING_ALG[0],
            );
            const dpopKeyPair = {
              privateKey,
              publicKey: await exportJWK(publicKey),

jose uses Date, with a function that divides by 1000 with a floor included

github.com

panva/jose/blob/a0fc293fb78e6a49758dd5fc0c10e01843f1e78e/src/jwt/produce.ts#L160


      
           * alias for a year.
           *
           * If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets
           * subtracted from the current unix timestamp. A "from now" suffix can also be used for
           * readability when adding to the current unix timestamp.
           *
           * @param input "iat" (Expiration Time) Claim value to set on the JWT Claims Set.
           */
          setIssuedAt(input?: number | string | Date) {
            if (typeof input === 'undefined') {
              this._payload = { ...this._payload, iat: epoch(new Date()) }
            } else if (input instanceof Date) {
              this._payload = { ...this._payload, iat: validateInput('setIssuedAt', epoch(input)) }
            } else if (typeof input === 'string') {
              this._payload = {
                ...this._payload,
                iat: validateInput('setIssuedAt', epoch(new Date()) + secs(input)),
              }
            } else {
              this._payload = { ...this._payload, iat: validateInput('setIssuedAt', input) }
            }

github.com

panva/jose/blob/a0fc293fb78e6a49758dd5fc0c10e01843f1e78e/src/lib/epoch.ts

export default (date: Date) => Math.floor(date.getTime() / 1000)

If this is the issue, I’m not sure why it’s working with ess!

nikolaswise · April 18, 2024, 7:35am

Well one thing that helps explain it is that that inrupt’s ESS doesn’t appear to check the IAT at all! I can pass it 0 or a milliseconds timestamp for 2078 and it returns fine either way. So thats part of the explanation!

Using the epoch timestamp for the IAT and cross-referencing with Okta’s docs around DPoP proofs, that IS the issue!

DPoP iat expects seconds since the start of the Unix Epoch

Now I have a new problem where my code verification string has more stringent requirements on CSS than ESS, but! Progress!

Thank you @josephguillaume !

gaz009 · April 18, 2024, 5:57pm

From Inrupt’s solid-client-authn github, they are currently doing a decently sized project to bring their DPoP library up to the DPoP standard since it was finalized a few months back, so in the future the authentication should be identical, just to keep in mind.

Topic		Replies	Views
Solid Community Server - Bad Request / 400	2	513	December 11, 2021
Inrupt pod login complains about an invalid_client Solid App Development FAQs	18	2331	April 11, 2022
Login to a custom setup SOLID server via an app	8	818	November 29, 2021
Community Server DPoP Error Solid: The Basics	0	598	June 3, 2021
Solid Pod with JWT Verification	21	1194	August 23, 2021

Solid OIDC Primer works great for Inrupt pods, but DPoP rejects IAT on Community Solid Server

Related Topics