Open
Labels: bug (Something isn't working)
Description
I'm working on fixing these values.
The base64 values I generated for the DPoP header have two errors:
The example base64 in Section 1.8 is incorrect:
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
DPoP: eyJhbGciOiJFUzI1NiJ9.eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkV\
TMjU2IiwiandrIjp7ImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ4IjoibWptR\
m1MZm9wVmkwZXRfYTZmZFhUTnJqYVUwR1dlZFN0Y3NfRzU4OEkyMCIsInkiOiJ\
sMFZwRXlSYzdTdUpfdHFhd2NaQ2VLLXVUOEVPVnF4N3NqTHJGeUJTUllZIn0sI\
m5vbmNlIjoiU3BseGxPQmVaUVFZYllTNld4U2JJQSJ9.cp8uN3kHAMS9fhGH7T\
vTSKwH5oNJzAeMhIrgD_HQHGhgt_N1xQHdHiMkn7AMj3UDkwoNOW4Qqak
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb
The base64 decodes to:
{"alg":"ES256"}
.
{"typ":"dpop+jwt","alg":"ES256","jwk":{"crv":"P-256","kty":"EC","x":"mjmFmLfopVi0et_a6fdXTNrjaU0GWedStcs_G588I20","y":"l0VpEyRc7SuJ_tqawcZCeK-uT8EOVqx7sjLrFyBSRYY"},"nonce":"SplxlOBeZQQYbYS6WxSbIA"}
.
<signature>
The nonce is set to the authorization code, not the base64 SHA256 hash of the authorization code. That is, in the URL we specify code=SplxlOBeZQQYbYS6WxSbIA and we set the DPoP nonce=SplxlOBeZQQYbYS6WxSbIA, but it should be the DPoP nonce=B64(SHA256(SplxlOBeZQQYbYS6WxSbIA)).
Additionally, I will add language in the text noting that we are setting the DPoP nonce to the c_hash, so as to avoid confusion with the ID Token nonce. This confused me when I was investigating this issue.
dpop_jkt should be b64
This shows dpop_jkt as hex 1f2e6338febe335e2cbaa7c7154c3cbdcfd8650f95c5fe7206bb6360e37f4b5a, but it should be base64:
GET /authorize?
response_type=code
&dpop_jkt=1f2e6338febe335e2cbaa7c7154c3cbdcfd8650f95c5fe7206bb6360e37f4b5a
&scope=openid%20profile%20email%20bound_key
&client_id=s6BhdRkqt3
&state=af0ifjsldkj
&nonce=2a50f9ea812f9bb4c8f7
&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1
Host: server.example.com
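An added worked example (my code, not code from this issue or from the draft it reports on) that computes the two corrected values the report asks for, starting from the JWK already decoded from the proof header above and the authorization code from the token request. It builds the RFC 7638 thumbprint input for the key and base64url-encodes its SHA-256, which is the encoding RFC 9449 requires for dpop_jkt, and converts a thumbprint that was emitted as hex back to that form. For the DPoP proof nonce, the report writes the value as B64(SHA256(code)); OIDC Core's c_hash is the base64url of the left-most half of that hash (for an ES256 or RS256 ID Token), so both are computed so they can be told apart. The hex dpop_jkt constant is copied from the /authorize example above; whether it corresponds to this key is checked at run time rather than assumed.

```python
import base64
import hashlib
import json

# Constructed from the issue: the JWK from the decoded DPoP proof header and
# the authorization code from the token request.
DPOP_JWK = {
    "crv": "P-256",
    "kty": "EC",
    "x": "mjmFmLfopVi0et_a6fdXTNrjaU0GWedStcs_G588I20",
    "y": "l0VpEyRc7SuJ_tqawcZCeK-uT8EOVqx7sjLrFyBSRYY",
}
AUTH_CODE = "SplxlOBeZQQYbYS6WxSbIA"
# The dpop_jkt exactly as it appears in the issue's /authorize example (hex).
DPOP_JKT_HEX_FROM_ISSUE = (
    "1f2e6338febe335e2cbaa7c7154c3cbdcfd8650f95c5fe7206bb6360e37f4b5a"
)

_B64URL_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE, RFC 7638 and RFC 9449 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint_input(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, lexicographic order,
    no whitespace. Optional members such as kid or use are dropped."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
        "OKP": ("crv", "kty", "x"),
    }
    kty = jwk["kty"]
    if kty not in required:
        raise ValueError(f"unsupported kty {kty!r}")
    members = {k: jwk[k] for k in required[kty]}
    return json.dumps(members, separators=(",", ":"), sort_keys=True)


def dpop_jkt(jwk: dict) -> str:
    """RFC 9449 dpop_jkt: base64url(SHA-256(thumbprint input)), never hex."""
    digest = hashlib.sha256(jwk_thumbprint_input(jwk).encode("utf-8")).digest()
    return b64url(digest)


def hex_jkt_to_b64url(hex_jkt: str) -> str:
    """Re-encode a thumbprint that was mistakenly emitted as hex."""
    return b64url(bytes.fromhex(hex_jkt))


def hash_of_code_full(code: str) -> str:
    """base64url(SHA-256(code)), the formula as written in the issue."""
    return b64url(hashlib.sha256(code.encode("ascii")).digest())


def c_hash(code: str) -> str:
    """OIDC Core 3.3.2.11 c_hash for an ES256/RS256 ID Token:
    base64url of the left-most half (128 bits) of SHA-256(code)."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def looks_like_b64url_sha256(s: str) -> bool:
    """A base64url-encoded SHA-256 is exactly 43 characters of the
    base64url alphabet; a hex one is 64 characters of [0-9a-f]."""
    return len(s) == 43 and set(s) <= _B64URL_ALPHABET


if __name__ == "__main__":
    expected_jkt = dpop_jkt(DPOP_JWK)
    reencoded = hex_jkt_to_b64url(DPOP_JKT_HEX_FROM_ISSUE)
    print("thumbprint input:        ", jwk_thumbprint_input(DPOP_JWK))
    print("dpop_jkt (base64url):    ", expected_jkt)
    print("issue hex value as b64url:", reencoded)
    print("hex value matches this key:", reencoded == expected_jkt)
    print("nonce as issue writes it:", hash_of_code_full(AUTH_CODE))
    print("OIDC c_hash (left half): ", c_hash(AUTH_CODE))
```

The thumbprint input must be built from the four required EC members only and in sorted order; a thumbprint over the JWK as serialized in the header (which may carry extra members or a different key order) would not match what the authorization server computes for dpop_jkt. The final comparison tells you whether the hex value in the /authorize example is the thumbprint of the key actually carried in the proof, or a thumbprint of some other key.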