git.stella-ops.org/docs/features/checked/authority/cli-dpop-bound-authentication.md
2026-02-14 09:11:48 +02:00

CLI DPoP-Bound Authentication

Module

Authority

Status

IMPLEMENTED

Description

The CLI supports DPoP-bound access tokens for API calls. DPoP (Demonstrating Proof of Possession, RFC 9449) binds each access token to a key pair held by the client, so a token captured in transit or from a cache cannot be replayed by a party that does not also hold the client's private key.

Implementation Details

  • Modules: src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/, src/Authority/StellaOps.Authority/StellaOps.Auth.Client/
  • Key Classes:
    • DpopHandlers (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/Handlers/DpopHandlers.cs) - server-side OpenIddict handler validating DPoP proof JWTs on token requests and API calls
    • AuthoritySenderConstraintHelper (src/Authority/StellaOps.Authority/StellaOps.Authority/OpenIddict/AuthoritySenderConstraintHelper.cs) - validates sender-constrained tokens by checking that the token's jkt (JWK thumbprint) confirmation claim matches the thumbprint of the public key carried in the DPoP proof
    • AuthoritySenderConstraintKinds (src/Authority/StellaOps.Authority/StellaOps.Authority/Security/AuthoritySenderConstraintKinds.cs) - enumerates constraint types: DPoP, mTLS
    • StellaOpsTokenClient (src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsTokenClient.cs) - token client used by CLI handling DPoP proof generation and token acquisition
    • StellaOpsBearerTokenHandler (src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsBearerTokenHandler.cs) - HTTP delegating handler attaching DPoP proof headers to outgoing API requests
    • FileTokenCache (src/Authority/StellaOps.Authority/StellaOps.Auth.Client/FileTokenCache.cs) - file-based token cache for CLI profiles
    • InMemoryTokenCache (src/Authority/StellaOps.Authority/StellaOps.Auth.Client/InMemoryTokenCache.cs) - in-memory token cache
    • MessagingTokenCache (src/Authority/StellaOps.Authority/StellaOps.Auth.Client/MessagingTokenCache.cs) - messaging-backed token cache
    • StellaOpsAuthClientOptions (src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsAuthClientOptions.cs) - configuration for DPoP key material, Authority URL, client credentials
    • StellaOpsApiAuthMode (src/Authority/StellaOps.Authority/StellaOps.Auth.Client/StellaOpsApiAuthMode.cs) - authentication modes (Bearer, DPoP, mTLS)
  • Interfaces: IStellaOpsTokenClient (src/Authority/StellaOps.Authority/StellaOps.Auth.Client/IStellaOpsTokenClient.cs), IStellaOpsTokenCache (src/Authority/StellaOps.Authority/StellaOps.Auth.Client/IStellaOpsTokenCache.cs)
  • Source: Feature matrix scan

E2E Test Plan

  • Configure the CLI with DPoP auth mode via StellaOpsAuthClientOptions and request a token; verify the response includes token_type: DPoP with a jkt claim
  • Use StellaOpsBearerTokenHandler to make an API call with a DPoP-bound token and verify DpopHandlers accepts it after proof validation
  • Attempt to replay a DPoP-bound token without the matching DPoP proof and verify AuthoritySenderConstraintHelper rejects with 401
  • Verify the DPoP proof includes the ath (access token hash) claim and the server validates it matches
  • Verify FileTokenCache persists the DPoP-bound token and the CLI can resume without re-authentication
  • Switch StellaOpsApiAuthMode from DPoP to Bearer and verify the CLI falls back to standard bearer token flow
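The replay and ath checks in the test plan above, shown as an added Python example that is not StellaOps code: it reimplements the RFC 9449 binding checks the page attributes to DpopHandlers and AuthoritySenderConstraintHelper (htm/htu, iat, jti replay, ath, and cnf.jkt against the RFC 7638 thumbprint of the proof's JWK). The JWK coordinates, access token and API URL are constructed placeholders, and proof signature verification is assumed to have been done by the JWT library before these checks run.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def access_token_hash(access_token: str) -> str:
    """The 'ath' claim: base64url(SHA-256(access token)), RFC 9449 section 4.2."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())

def check_sender_constraint(proof_header, proof_claims, token_claims, access_token,
                            method, uri, now, seen_jti):
    """Return (accepted, reason). Assumes the JWT layer already verified the proof
    signature against proof_header['jwk']; this does the RFC 9449 binding checks."""
    if proof_header.get("typ") != "dpop+jwt":
        return False, "typ"
    jwk = proof_header.get("jwk")
    if not jwk or "d" in jwk:              # proof must carry a public key only
        return False, "jwk"
    if proof_claims.get("htm") != method or proof_claims.get("htu") != uri:
        return False, "htm/htu"            # proof was made for a different request
    if abs(now - proof_claims.get("iat", 0)) > 300:
        return False, "iat"                # stale or future-dated proof
    jti = proof_claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "jti"                # the same proof replayed verbatim
    if proof_claims.get("ath") != access_token_hash(access_token):
        return False, "ath"                # proof was made for a different token
    if token_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(jwk):
        return False, "jkt"                # token presented with a key it is not bound to
    seen_jti.add(jti)
    return True, "ok"

# Constructed sample: EC P-256 public JWK with placeholder coordinates (not a real key).
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
ACCESS_TOKEN = "constructed.access.token"
RESOURCE = "https://authority.example/api/resource"   # hypothetical API URL
TOKEN_CLAIMS = {"sub": "cli-profile", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}}

def make_proof(jwk, jti, now, method="GET", uri=RESOURCE):
    """Header and claims of the DPoP proof a CLI would attach (signing omitted here)."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"jti": jti, "htm": method, "htu": uri, "iat": now, "ath": access_token_hash(ACCESS_TOKEN)}
    return header, claims
```

A production validator would additionally verify the proof signature with the embedded JWK and keep the seen-jti set in shared storage with expiry, so that replay detection holds across server instances.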