# CLI DPoP-Bound Authentication

## Module

Authority

## Status

IMPLEMENTED

## Description

CLI supports DPoP-bound token authentication for secure API communication. DPoP (Demonstration of Proof-of-Possession, RFC 9449) prevents token replay attacks by binding tokens to the client's cryptographic key.

## Implementation Details

- **Modules**: `src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/`, `src/Authority/StellaOps.Authority/StellaOps.Auth.Client/`
- **Key Classes**:
  - `DpopHandlers` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs`) - server-side OpenIddict handler validating DPoP proof JWTs on token requests and API calls
  - `AuthoritySenderConstraintHelper` (`src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthoritySenderConstraintHelper.cs`) - validates sender-constrained tokens by checking the `jkt` (JWK thumbprint) claim against the DPoP proof
  - `AuthoritySenderConstraintKinds` (`src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs`) - enumerates constraint types: DPoP, mTLS
  - `StellaOpsTokenClient` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsTokenClient.cs`) - token client used by the CLI; handles DPoP proof generation and token acquisition
  - `StellaOpsBearerTokenHandler` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsBearerTokenHandler.cs`) - HTTP delegating handler attaching DPoP proof headers to outgoing API requests
  - `FileTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/FileTokenCache.cs`) - file-based token cache for CLI profiles
  - `InMemoryTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/InMemoryTokenCache.cs`) - in-memory token cache
  - `MessagingTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/MessagingTokenCache.cs`) - messaging-backed token cache
  - `StellaOpsAuthClientOptions` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsAuthClientOptions.cs`) - configuration for DPoP key material, Authority URL and client credentials
  - `StellaOpsApiAuthMode` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsApiAuthMode.cs`) - authentication modes (Bearer, DPoP, mTLS)
- **Interfaces**: `IStellaOpsTokenClient` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/IStellaOpsTokenClient.cs`), `IStellaOpsTokenCache` (`src/Authority/StellaOps.Authority/StellaOps.Auth.Client/IStellaOpsTokenCache.cs`)
- **Source**: Feature matrix scan

## E2E Test Plan

- [ ] Configure the CLI with DPoP auth mode via `StellaOpsAuthClientOptions` and request a token; verify the response includes `token_type: DPoP` with a `jkt` claim
- [ ] Use `StellaOpsBearerTokenHandler` to make an API call with a DPoP-bound token and verify `DpopHandlers` accepts it after proof validation
- [ ] Attempt to replay a DPoP-bound token without the matching DPoP proof and verify `AuthoritySenderConstraintHelper` rejects with 401
- [ ] Verify the DPoP proof includes the `ath` (access token hash) claim and the server validates that it matches
- [ ] Verify `FileTokenCache` persists the DPoP-bound token and the CLI can resume without re-authentication
- [ ] Switch `StellaOpsApiAuthMode` from DPoP to Bearer and verify the CLI falls back to the standard bearer token flow
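The checks the test plan above exercises, as an added stand-alone example that is not part of this page or of the StellaOps code base: a minimal RFC 9449 client and server written in Go with only the standard library, so it runs without the .NET projects. The client side does what `StellaOpsTokenClient` and `StellaOpsBearerTokenHandler` are described as doing (building an ES256 `dpop+jwt` proof per request, with `ath` once an access token exists); the server side does what `DpopHandlers` and `AuthoritySenderConstraintHelper` are described as doing (verifying the proof under its embedded `jwk`, deriving the RFC 7638 thumbprint used as `jkt`, comparing it with the token's binding, and refusing a proof whose `jti` has already been consumed). All names here (`NewClientKey` as a stand-in for the CLI's configured key material, `NewProof`, `Verifier`, `VerifyProof`) are this example's own assumptions, and it accepts ES256 only; the page does not say which algorithms Authority's handler accepts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// JWK is the EC public key in the proof header; fields are in RFC 7638 order, so json.Marshal yields the thumbprint input.
type JWK struct {
	Crv string `json:"crv"`
	Kty string `json:"kty"`
	X   string `json:"x"`
	Y   string `json:"y"`
}
type proofClaims struct { // DPoP proof payload (RFC 9449 section 4.2)
	Jti string `json:"jti"`
	Htm string `json:"htm"`
	Htu string `json:"htu"`
	Iat int64  `json:"iat"`
	Ath string `json:"ath,omitempty"` // present only when an access token accompanies the request
}
// NewClientKey makes the client's DPoP key pair (assumed stand-in for the CLI's configured key material).
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func PublicJWK(pub *ecdsa.PublicKey) JWK {
	enc := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	return JWK{Crv: "P-256", Kty: "EC", X: enc(pub.X), Y: enc(pub.Y)}
}
func sha256b64(s string) string { h := sha256.Sum256([]byte(s)); return b64.EncodeToString(h[:]) }
// Thumbprint is the RFC 7638 JWK thumbprint; a DPoP-bound token carries it as jkt.
func Thumbprint(k JWK) string { canon, _ := json.Marshal(k); return sha256b64(string(canon)) }
// NewProof builds the client-side proof for one request: an ES256 JWS of typ dpop+jwt carrying the public key as jwk.
func NewProof(priv *ecdsa.PrivateKey, method, htu, accessToken string, now time.Time) (string, error) {
	jti := make([]byte, 16) // fresh per proof; the server remembers it for replay detection
	if _, err := rand.Read(jti); err != nil { return "", err }
	c := proofClaims{Jti: b64.EncodeToString(jti), Htm: method, Htu: htu, Iat: now.Unix()}
	if accessToken != "" { c.Ath = sha256b64(accessToken) } // ties the proof to the specific token presented
	hb, _ := json.Marshal(map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": PublicJWK(&priv.PublicKey)})
	cb, _ := json.Marshal(c)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JOSE r||s encoding
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier is the server side; seen records consumed jti values so a captured proof cannot be reused.
type Verifier struct {
	skew time.Duration
	seen map[string]bool
}
func NewVerifier(skew time.Duration) *Verifier { return &Verifier{skew: skew, seen: map[string]bool{}} }

// VerifyProof checks a proof against the request it must cover and returns the proving key's thumbprint;
// boundJKT is the jkt carried by the presented token ("" at the token endpoint, where no token exists yet).
func (v *Verifier) VerifyProof(proof, method, htu, accessToken, boundJKT string, now time.Time) (string, error) {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 { return "", errors.New("malformed proof") }
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr struct{ Typ, Alg string; Jwk JWK }
	var c proofClaims
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &c) != nil ||
		hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.Jwk.Kty != "EC" || hdr.Jwk.Crv != "P-256" {
		return "", errors.New("not a decodable ES256 dpop+jwt proof")
	}
	x, ex := b64.DecodeString(hdr.Jwk.X)
	y, ey := b64.DecodeString(hdr.Jwk.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signature covers header.payload
	age, jkt := now.Sub(time.Unix(c.Iat, 0)), Thumbprint(hdr.Jwk)
	switch {
	case ex != nil || ey != nil || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return "", errors.New("signature does not verify under the embedded jwk")
	case c.Htm != method || c.Htu != htu:
		return "", errors.New("proof covers a different request (htm/htu mismatch)")
	case age > v.skew || age < -v.skew:
		return "", errors.New("iat outside the acceptance window")
	case accessToken != "" && c.Ath != sha256b64(accessToken):
		return "", errors.New("ath does not match the presented access token")
	case boundJKT != "" && jkt != boundJKT:
		return "", errors.New("token is bound to a different key (jkt mismatch)")
	case v.seen[c.Jti]:
		return "", errors.New("replayed proof (jti already consumed)")
	}
	v.seen[c.Jti] = true
	return jkt, nil
}
```

Call sequence: for the token request the client calls `NewProof` with an empty access token, and the issuer, once `VerifyProof` succeeds, keeps the returned thumbprint as the token's `jkt` (a real issuer places it in the token's `cnf` claim, as RFC 9449 section 6.1 describes). For every API call the client calls `NewProof` with the access token so `ath` is set, and the resource server passes the token's `jkt` as `boundJKT`; a token presented under any other key fails the `jkt` comparison, and a captured proof presented twice fails the `jti` check, which is the behaviour the replay item of the test plan expects. Two simplifications to keep in mind: `htu` is compared as an exact string, whereas RFC 9449 section 4.3 compares it without query and fragment, and the `seen` map grows without bound, where a production verifier only needs to remember `jti` values for the length of its `iat` acceptance window.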