stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
docs/features/checked/authority/cli-dpop-bound-authentication.md Normal file
View File

@@ -0,0 +1,34 @@
# CLI DPoP-Bound Authentication
## Module
Authority
## Status
IMPLEMENTED
## Description
CLI supports DPoP-bound token authentication for secure API communication. DPoP (Demonstration of Proof-of-Possession, RFC 9449) prevents token replay attacks by binding tokens to the client's cryptographic key.
## Implementation Details
- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/`, `src/Authority/StellaOps.Authority/StellaOps.Auth.Client/`
- **Key Classes**:
- `DpopHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs`) - server-side OpenIddict handler validating DPoP proof JWTs on token requests and API calls
- `AuthoritySenderConstraintHelper` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthoritySenderConstraintHelper.cs`) - validates sender-constrained tokens by checking `jkt` (JWK thumbprint) claim against DPoP proof
- `AuthoritySenderConstraintKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs`) - enumerates constraint types: DPoP, mTLS
- `StellaOpsTokenClient` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsTokenClient.cs`) - token client used by CLI handling DPoP proof generation and token acquisition
- `StellaOpsBearerTokenHandler` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsBearerTokenHandler.cs`) - HTTP delegating handler attaching DPoP proof headers to outgoing API requests
- `FileTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/FileTokenCache.cs`) - file-based token cache for CLI profiles
- `InMemoryTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/InMemoryTokenCache.cs`) - in-memory token cache
- `MessagingTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/MessagingTokenCache.cs`) - messaging-backed token cache
- `StellaOpsAuthClientOptions` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsAuthClientOptions.cs`) - configuration for DPoP key material, Authority URL, client credentials
- `StellaOpsApiAuthMode` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsApiAuthMode.cs`) - authentication modes (Bearer, DPoP, mTLS)
- **Interfaces**: `IStellaOpsTokenClient` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/IStellaOpsTokenClient.cs`), `IStellaOpsTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/IStellaOpsTokenCache.cs`)
- **Source**: Feature matrix scan
## E2E Test Plan
- [ ] Configure the CLI with DPoP auth mode via `StellaOpsAuthClientOptions` and request a token; verify the response includes `token_type: DPoP` with a `jkt` claim
- [ ] Use `StellaOpsBearerTokenHandler` to make an API call with a DPoP-bound token and verify `DpopHandlers` accepts it after proof validation
- [ ] Attempt to replay a DPoP-bound token without the matching DPoP proof and verify `AuthoritySenderConstraintHelper` rejects with 401
- [ ] Verify the DPoP proof includes the `ath` (access token hash) claim and the server validates it matches
- [ ] Verify `FileTokenCache` persists the DPoP-bound token and the CLI can resume without re-authentication
- [ ] Switch `StellaOpsApiAuthMode` from DPoP to Bearer and verify the CLI falls back to standard bearer token flow