Description
Search terms you've used
dpop, ath
Impacted package
Which packages do you think might be impacted by the bug ?
- solid-client-authn-browser
- solid-client-authn-node
- solid-client-authn-core
- oidc-client-ext
- Other (please specify): ...
Bug description
To Reproduce
- Start the demo at /packages/browsser/examples/single/bundle
- Go to http://localhost:3113
- Log in to your OpenID Provider (e.g. https://login.inrupt.com)
- Perform an authenticated request
Expected result
The last authenticated request should include both an Access Token in the `Authorization` header, and a JWT in the `dpop` header containing an `ath` claim, which is mandatory as per https://datatracker.ietf.org/doc/html/rfc9449#name-dpop-proof-jwt-syntax.
Actual result
The `dpop` JWT doesn't have an `ath` claim.
Environment
Please run
```
$ npx envinfo --system --npmPackages --binaries --npmGlobalPackages --browsers
  System:
    OS: Linux 6.2 Ubuntu 23.04 23.04 (Lunar Lobster)
    CPU: (16) x64 12th Gen Intel(R) Core(TM) i7-1270P
    Memory: 18.11 GB / 31.05 GB
    Container: Yes
    Shell: 5.9 - /usr/bin/zsh
  Binaries:
    Node: 18.17.0 - /run/user/1000/fnm_multishells/231754_1697187935683/bin/node
    npm: 9.6.7 - /run/user/1000/fnm_multishells/231754_1697187935683/bin/npm
  npmGlobalPackages:
    corepack: 0.18.0
    npm: 9.6.7
```
Additional information
The problem comes from the implementation of the DPoP signature here:
): Promise<string> { |
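
An added illustration, not part of the original issue and not the project's code: the Node.js sketch below shows how the `ath` claim from RFC 9449 is computed from the access token and how a resource server can tell a proof that carries it from one that does not. The function names, the token and the URL are hypothetical values constructed for the example.

```javascript
// Added example, not project code: all names and sample values are hypothetical.
const { createHash, generateKeyPairSync, randomUUID, sign } = require("node:crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// RFC 9449: ath = base64url (no padding) of SHA-256 over the ASCII access token.
function computeAth(accessToken) {
  return createHash("sha256").update(accessToken, "ascii").digest("base64url");
}

// Client side: ES256 DPoP proof. Pass accessToken when the proof accompanies
// a request to a protected resource, so that the ath claim is included.
function createDpopProof(privateKey, publicJwk, htm, htu, accessToken) {
  const header = { typ: "dpop+jwt", alg: "ES256", jwk: publicJwk };
  const payload = { jti: randomUUID(), htm, htu, iat: Math.floor(Date.now() / 1000) };
  if (accessToken !== undefined) payload.ath = computeAth(accessToken);
  const signingInput = `${b64url(header)}.${b64url(payload)}`;
  const signature = sign("sha256", Buffer.from(signingInput), {
    key: privateKey,
    dsaEncoding: "ieee-p1363", // JWS wants raw r||s, not DER
  });
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Resource server side: ath check only. Signature, jti, htm, htu and iat
// validation are separate steps that this sketch leaves out.
function checkAth(proofJwt, accessToken) {
  const parts = proofJwt.split(".");
  if (parts.length !== 3) return "malformed";
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof payload.ath !== "string") return "missing-ath";
  return payload.ath === computeAth(accessToken) ? "ok" : "ath-mismatch";
}

// Constructed inputs (not taken from the issue).
const { privateKey, publicKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
const publicJwk = publicKey.export({ format: "jwk" });
const accessToken = "constructed-access-token";
const resourceUrl = "https://storage.example/resource";
const withAth = createDpopProof(privateKey, publicJwk, "GET", resourceUrl, accessToken);
const withoutAth = createDpopProof(privateKey, publicJwk, "GET", resourceUrl);
console.log(checkAth(withAth, accessToken));
console.log(checkAth(withoutAth, accessToken));
```

A proof built without the token, which is the behaviour reported above, is the `missing-ath` case; a proof bound to a different token is the `ath-mismatch` case.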