From 89d133edf5090e017ef353a00ecaf578fee2f178 Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Fri, 8 Sep 2023 08:43:55 +0200
Subject: [PATCH] feat(DPoP): remove experimental flag, DPoP is now RFC9449

---
 README.md | 4 ++--
 docs/README.md | 7 ++-----
 lib/helpers/defaults.js | 8 +-------
 lib/helpers/features.js | 7 +------
 4 files changed, 6 insertions(+), 20 deletions(-)

diff --git a/README.md b/README.md
index da722aee8..a031e3b60 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ _Note that not all features are enabled by default, check the configuration sect
 - [`RFC9101` - OAuth 2.0 JWT-Secured Authorization Request (`JAR`)][jar]
 - [`RFC9126` - OAuth 2.0 Pushed Authorization Requests (`PAR`)][par]
 - [`RFC9207` - OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response][iss-auth-resp]
+- [`RFC9449` - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)][dpop]
 - [Financial-grade API Security Profile 1.0 - Part 2: Advanced (`FAPI 1.0`)][fapi]
 - [JWT Secured Authorization Response Mode for OAuth 2.0 (`JARM`)][jarm]
 - [OIDC Client Initiated Backchannel Authentication Flow (`CIBA`)][ciba]
@@ -48,7 +49,6 @@ The following draft specifications are implemented by oidc-provider:
 - [JWT Response for OAuth Token Introspection - draft 10][jwt-introspection]
 - [Financial-grade API: Client Initiated Backchannel Authentication Profile (`FAPI-CIBA`) - Implementer's Draft 01][fapi-ciba]
-- [OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`) - draft 11][dpop]
 Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde `~` operator in your
@@ -129,7 +129,7 @@ actions and i.e. emit metrics that react to specific triggers. See the list of a
 [jwt-introspection]: https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-10
 [sponsor-auth0]: https://a0.to/try-auth0
 [mtls]: https://www.rfc-editor.org/rfc/rfc8705.html
-[dpop]: https://tools.ietf.org/html/draft-ietf-oauth-dpop-11
+[dpop]: https://www.rfc-editor.org/rfc/rfc9449.html
 [resource-indicators]: https://www.rfc-editor.org/rfc/rfc8707.html
 [jarm]: https://openid.net/specs/oauth-v2-jarm.html
 [jwt-at]: https://www.rfc-editor.org/rfc/rfc9068.html
diff --git a/docs/README.md b/docs/README.md
index 29faea832..f650d6106 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -850,12 +850,9 @@ _**default value**_:
 ### features.dPoP
-[draft-ietf-oauth-dpop-11](https://tools.ietf.org/html/draft-ietf-oauth-dpop-11) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)
+[`RFC9449`](https://www.rfc-editor.org/rfc/rfc9449.html) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)
-Enables `DPoP` - mechanism for sender-constraining tokens via a proof-of-possession mechanism on the application level. Browser DPoP proof generation [here](https://www.npmjs.com/package/dpop).
-
-
-_**recommendation**_: Updates to draft specification versions are released as MINOR library versions, if you utilize these specification implementations consider using the tilde `~` operator in your package.json since breaking changes may be introduced as part of these version updates. Alternatively, [acknowledge](#features) the version and be notified of breaking changes as part of your CI.
+Enables `DPoP` - mechanism for sender-constraining tokens via a proof-of-possession mechanism on the application level. Browser DPoP proof generation [here](https://www.npmjs.com/package/dpop).
 _**default value**_:
diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
index b39a5712f..d4e8b5a45 100644
--- a/lib/helpers/defaults.js
+++ b/lib/helpers/defaults.js
@@ -872,17 +872,11 @@ function makeDefaults() {
 /*
 * features.dPoP
 *
- * title: [draft-ietf-oauth-dpop-11](https://tools.ietf.org/html/draft-ietf-oauth-dpop-11) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)
+ * title: [`RFC9449`](https://www.rfc-editor.org/rfc/rfc9449.html) - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (`DPoP`)
 *
 * description: Enables `DPoP` - mechanism for sender-constraining tokens via a
 * proof-of-possession mechanism on the application level. Browser DPoP proof generation
 * [here](https://www.npmjs.com/package/dpop).
- *
- * recommendation: Updates to draft specification versions are released as MINOR library versions,
- * if you utilize these specification implementations consider using the tilde `~` operator
- * in your package.json since breaking changes may be introduced as part of these version
- * updates. Alternatively, [acknowledge](#features) the version and be notified of breaking
- * changes as part of your CI.
 */
 dPoP: {
 enabled: false,
diff --git a/lib/helpers/features.js b/lib/helpers/features.js
index 061803ed5..5ed9453b4 100644
--- a/lib/helpers/features.js
+++ b/lib/helpers/features.js
@@ -5,6 +5,7 @@ export const STABLE = new Set([
 'clientCredentials',
 'deviceFlow',
 'devInteractions',
+ 'dPoP',
 'encryption',
 'fapi',
 'introspection',
@@ -22,12 +23,6 @@ export const STABLE = new Set([
 ]);
 export const DRAFTS = new Map(Object.entries({
- dPoP: {
- name: 'OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer - draft 11',
- type: 'IETF OAuth Working Group draft',
- url: 'https://tools.ietf.org/html/draft-ietf-oauth-dpop-11',
- version: ['draft-11'],
- },
 jwtIntrospection: {
 name: 'JWT Response for OAuth Token Introspection - draft 10',
 type: 'IETF OAuth Working Group draft',
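Review bot: Dropping the `dPoP` entry from `DRAFTS` (the `@@ -22,12 +23,6 @@` hunk) while adding `'dPoP'` to `STABLE` changes how a deployment that still acknowledges `draft-11` for this feature is treated, and neither the commit subject nor the hunk says what that is. The validator that consumes `STABLE`/`DRAFTS` is outside this hunk, so from here it is unclear whether a leftover `features.dPoP.ack` now throws, warns, or is silently ignored; if it throws, this is a breaking change for existing configurations and belongs in the commit message and changelog rather than shipping as a plain `feat`. A one-line comment on the `STABLE` set such as `// RFC-backed features; a stale draft ack on any of these is handled by the configuration validator, not here` would point the next maintainer at the right place — adjust the wording to whatever the validator actually does. The `DRAFTS` definition continues past the end of the hunk.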