Solid OIDC Primer works great for Inrupt pods, but DPoP rejects IAT on Community Solid Server

Hello! I’ve got an application running demo code for the Solid OIDC primer workflow, authenticating a static client-side app.

I’ve got the flow working great for my WebID on Inrupt’s ESS (Inrupt WebID Profile Editor) but not for my own hosted instance of Community Solid Server (

The CSS provider is throwing a 400 invalid_dpop_proof error, "“DPoP proof iat is not recent enough”.

I checked my server clock, it’s correct. I checked my client clock, it’s correct. They line up fine. If I adjust my IAT back and forth a little, no difference same error. If I adjust my IAT back and forth a LOT, no difference same error.

Everything I could find in the codebases indicates that I should have a couple minute wiggle room. My clocks are well within that tolerance, but still no dice!

Any thoughts on how to get my DPoP verified?

fwiw the demo application lives here!

If I understand correctly, the code is calculating iat in milliseconds, when it should be in seconds?

solid-client-authn-js uses the Jose library for jwt creation

jose uses Date, with a function that divides by 1000 with a floor included

If this is the issue, I’m not sure why it’s working with ess!

1 Like

Well one thing that helps explain it is that that inrupt’s ESS doesn’t appear to check the IAT at all! I can pass it 0 or a milliseconds timestamp for 2078 and it returns fine either way. So thats part of the explanation!

Using the epoch timestamp for the IAT and cross-referencing with Okta’s docs around DPoP proofs, that IS the issue!

DPoP iat expects seconds since the start of the Unix Epoch

Now I have a new problem where my code verification string has more stringent requirements on CSS than ESS, but! Progress!

Thank you @josephguillaume !

1 Like

From Inrupt’s solid-client-authn github, they are currently doing a decently sized project to bring their DPoP library up to the DPoP standard since it was finalized a few months back, so in the future the authentication should be identical, just to keep in mind.