enable and fix dpop

Author: dmihalcik-virtru

.github/workflows/roundtrip/demo-idp.sh

@@ -1,4 +1,3 @@
-
 : "${KC_VERSION:=24.0.3}"
 : "${KC_BROWSERTEST_CLIENT_SECRET:=$(uuidgen)}"
 
@@ -8,11 +7,23 @@ unzip kc.zip -d keycloak-${KC_VERSION}
 
 export PATH=$PATH:$(pwd)/keycloak-${KC_VERSION}/bin
 
-kcadm.sh config credentials --server http://localhost:65432/auth --realm master --user admin << EOF
+kcadm.sh config credentials --server http://localhost:65432/auth --realm master --user admin <<EOF
 changeme
 EOF
 
-kcadm.sh create clients -r opentdf -s clientId=browsertest -s enabled=true -s 'redirectUris=["http://localhost:65432/"]' -s consentRequired=false -s standardFlowEnabled=true -s directAccessGrantsEnabled=true -s serviceAccountsEnabled=false -s publicClient=true -s protocol=openid-connect
+kcadm.sh create clients -r opentdf \
+  -s clientId=browsertest \
+  -s enabled=true \
+  -s 'redirectUris=["http://localhost:65432/"]' \
+  -s consentRequired=false \
+  -s standardFlowEnabled=true \
+  -s directAccessGrantsEnabled=true \
+  -s serviceAccountsEnabled=false \
+  -s publicClient=true \
+  -s protocol=openid-connect \
+  -s 'protocolMappers=[{"name":"aud","protocol":"openid-connect","protocolMapper":"oidc-audience-mapper","consentRequired":false,"config":{"access.token.claim":"true","included.custom.audience":"http://localhost:65432"}}]' \
+  -s 'attributes={"dpop.bound.access.tokens":"true"}'
+
 kcadm.sh create users -r opentdf -s username=user1 -s enabled=true
 kcadm.sh set-password -r opentdf --username user1 --new-password testuser123
 

.github/workflows/roundtrip/docker-compose.yaml

@@ -1,10 +1,12 @@
 services:
   keycloak:
     # This is kc 24.0.1 with opentdf protocol mapper on board
-    image: ghcr.io/opentdf/keycloak:sha-8a6d35a
+    image: quay.io/keycloak/keycloak:24.0
     restart: always
-    command: ["start-dev", "--log-level=DEBUG"]
+      # To enable debugging, use this CMD and also set and expose the DEBUG_PORT
+    # command: ["--debug", "start-dev", "--log-level=DEBUG"]
     environment:
+      # DEBUG_PORT: "*:30012"
       KC_DB_VENDOR: postgres
       KC_DB_URL_HOST: keycloakdb
       KC_DB_URL_PORT: 5432
@@ -27,6 +29,7 @@ services:
       KEYCLOAK_ADMIN_PASSWORD: changeme
     ports:
       - "8888:8888"
+      # - "30012:30012"
     healthcheck:
       test: ['CMD-SHELL', '[ -f /tmp/HealthCheck.java ] || echo "public class HealthCheck { public static void main(String[] args) throws java.lang.Throwable { System.exit(java.net.HttpURLConnection.HTTP_OK == ((java.net.HttpURLConnection)new java.net.URL(args[0]).openConnection()).getResponseCode() ? 0 : 1); } }" > /tmp/HealthCheck.java && java /tmp/HealthCheck.java http://localhost:8888/auth/health/live']
       interval: 5s

lib/src/auth/auth.ts

@@ -80,7 +80,7 @@ export async function reqSignature(
  * ephemeral key, to be included in
  * [the claims object](https://github.com/opentdf/spec/blob/main/schema/ClaimsObject.md).
  */
-export abstract class AuthProvider {
+export type AuthProvider = {
   /**
    * This function should be called if the consumer of this auth provider
    * changes the client keypair, or wishes to set the keypair after creating
@@ -94,15 +94,15 @@ export abstract class AuthProvider {
    * @param signingKey the client signing key pair. Will be bound
    * to the OIDC token and require a DPoP header, when set.
    */
-  abstract updateClientPublicKey(clientPubkey: string, signingKey?: CryptoKeyPair): Promise<void>;
+  updateClientPublicKey(clientPubkey: string, signingKey?: CryptoKeyPair): Promise<void>;
 
   /**
    * Augment the provided http request with custom auth info to be used by backend services.
    *
    * @param httpReq - Required. An http request pre-populated with the data public key.
    */
-  abstract withCreds(httpReq: HttpRequest): Promise<HttpRequest>;
-}
+  withCreds(httpReq: HttpRequest): Promise<HttpRequest>;
+};
 
 /**
  * An AuthProvider encapsulates all logic necessary to authenticate to a backend service, in the

lib/src/auth/oidc-externaljwt-provider.ts

@@ -1,4 +1,4 @@
-import { AuthProvider, type HttpRequest } from './auth.js';
+import { type AuthProvider, type HttpRequest } from './auth.js';
 import { AccessToken, type ExternalJwtCredentials } from './oidc.js';
 
 export class OIDCExternalJwtProvider implements AuthProvider {

lib/src/auth/oidc-refreshtoken-provider.ts

@@ -1,4 +1,4 @@
-import { AuthProvider, type HttpRequest } from './auth.js';
+import { type AuthProvider, type HttpRequest } from './auth.js';
 import { AccessToken, type RefreshTokenCredentials } from './oidc.js';
 
 export class OIDCRefreshTokenProvider implements AuthProvider {

lib/src/auth/providers.ts

@@ -6,7 +6,7 @@ import {
 } from './oidc.js';
 import { OIDCClientCredentialsProvider } from './oidc-clientcredentials-provider.js';
 import { OIDCExternalJwtProvider } from './oidc-externaljwt-provider.js';
-import { AuthProvider } from './auth.js';
+import { type AuthProvider } from './auth.js';
 import { OIDCRefreshTokenProvider } from './oidc-refreshtoken-provider.js';
 import { isBrowser } from '../utils.js';
 

lib/src/index.ts

@@ -10,7 +10,7 @@ import {
 } from './nanotdf/index.js';
 import { keyAgreement, extractPublicFromCertToCrypto } from './nanotdf-crypto/index.js';
 import { TypedArray, createAttribute, Policy } from './tdf/index.js';
-import { AuthProvider } from './auth/auth.js';
+import { type AuthProvider } from './auth/auth.js';
 
 async function fetchKasPubKey(kasUrl: string): Promise<string> {
   const kasPubKeyResponse = await fetch(`${kasUrl}/kas_public_key?algorithm=ec:secp256r1`);

lib/src/kas.ts

@@ -1,4 +1,4 @@
-import { AuthProvider } from './auth/auth.js';
+import { type AuthProvider } from './auth/auth.js';
 
 export class RewrapRequest {
   signedRequestToken = '';

lib/tdf3/index.ts

@@ -24,7 +24,13 @@ import {
   SplitKey,
   type EncryptionInformation,
 } from './src/models/encryption-information.js';
-import { AuthProvider, AppIdAuthProvider, type HttpMethod, HttpRequest } from '../src/auth/auth.js';
+import {
+  AuthProvider,
+  AppIdAuthProvider,
+  type HttpMethod,
+  HttpRequest,
+  withHeaders,
+} from '../src/auth/auth.js';
 import { AesGcmCipher } from './src/ciphers/aes-gcm-cipher.js';
 import {
   NanoTDFClient,
@@ -39,6 +45,7 @@ import { type Chunker } from './src/utils/chunkers.js';
 export type {
   AlgorithmName,
   AlgorithmUrn,
+  AuthProvider,
   Chunker,
   CryptoService,
   DecryptResult,
@@ -55,7 +62,6 @@ export {
   AesGcmCipher,
   Algorithms,
   AppIdAuthProvider,
-  AuthProvider,
   AuthProviders,
   Binary,
   Client,
@@ -77,6 +83,7 @@ export {
   TDF3Client,
   clientType,
   createSessionKeys,
+  withHeaders,
   version,
 };
 

lib/tdf3/src/client/index.ts

@@ -24,7 +24,12 @@ import {
 import { OIDCRefreshTokenProvider } from '../../../src/auth/oidc-refreshtoken-provider.js';
 import { OIDCExternalJwtProvider } from '../../../src/auth/oidc-externaljwt-provider.js';
 import { CryptoService, PemKeyPair } from '../crypto/declarations.js';
-import { AuthProvider, AppIdAuthProvider, HttpRequest } from '../../../src/auth/auth.js';
+import {
+  type AuthProvider,
+  AppIdAuthProvider,
+  HttpRequest,
+  withHeaders,
+} from '../../../src/auth/auth.js';
 import EAS from '../../../src/auth/Eas.js';
 import { validateSecureUrl } from '../../../src/utils.js';
 
@@ -119,6 +124,7 @@ export interface ClientConfig {
   organizationName?: string;
   clientId?: string;
   dpopEnabled?: boolean;
+  dpopKeys?: Promise<CryptoKeyPair>;
   kasEndpoint?: string;
   /**
    * List of allowed KASes to connect to for rewrap requests.
@@ -152,18 +158,22 @@ export async function createSessionKeys({
   cryptoService,
   dpopEnabled,
   keypair,
+  dpopKeys,
 }: {
   authProvider?: AuthProvider | AppIdAuthProvider;
   cryptoService: CryptoService;
   dpopEnabled?: boolean;
   keypair?: PemKeyPair;
+  dpopKeys?: Promise<CryptoKeyPair>;
 }): Promise<SessionKeys> {
   //If clientconfig has keypair, assume auth provider was already set up with pubkey and bail
   const k2 =
     keypair ?? (await cryptoService.cryptoToPemPair(await cryptoService.generateKeyPair()));
   let signingKeys;
 
-  if (dpopEnabled) {
+  if (dpopKeys) {
+    signingKeys = await dpopKeys;
+  } else if (dpopEnabled) {
     signingKeys = await crypto.subtle.generateKey(rsaPkcs1Sha256(), true, ['sign']);
   }
 
@@ -251,7 +261,7 @@ export class Client {
   constructor(config: ClientConfig) {
     const clientConfig = { ...defaultClientConfig, ...config };
     this.cryptoService = clientConfig.cryptoService;
-    this.dpopEnabled = !!clientConfig.dpopEnabled;
+    this.dpopEnabled = !!(clientConfig.dpopEnabled || clientConfig.dpopKeys);
 
     clientConfig.readerUrl && (this.readerUrl = clientConfig.readerUrl);
 
@@ -316,16 +326,13 @@ export class Client {
         });
       }
     }
-    if (clientConfig.keypair) {
-      this.sessionKeys = Promise.resolve({ keypair: clientConfig.keypair });
-    } else {
-      this.sessionKeys = createSessionKeys({
-        authProvider: this.authProvider,
-        cryptoService: this.cryptoService,
-        dpopEnabled: this.dpopEnabled,
-        keypair: clientConfig.keypair,
-      });
-    }
+    this.sessionKeys = createSessionKeys({
+      authProvider: this.authProvider,
+      cryptoService: this.cryptoService,
+      dpopEnabled: this.dpopEnabled,
+      dpopKeys: clientConfig.dpopKeys,
+      keypair: clientConfig.keypair,
+    });
     if (clientConfig.kasPublicKey) {
       this.kasPublicKey = Promise.resolve({
         url: this.kasEndpoint,
@@ -535,12 +542,14 @@ export class Client {
   }
 }
 
+export type { AuthProvider };
+
 export {
-  AuthProvider,
   AppIdAuthProvider,
   DecryptParamsBuilder,
   DecryptSource,
   EncryptParamsBuilder,
   HttpRequest,
   fromDataSource,
+  withHeaders,
 };