
Alexander Schwartz
December 25, 2024

Using DPoP to use access tokens securely in your Single Page Applications

OAuth 2.0 uses access tokens to grant access to protected resources. In Single Page Applications they are sent from the browser to the resource server as bearer tokens in the HTTP Authorization header.

While TLS protects them in transit, bearer tokens can still be stolen from the browser, replayed, or misused by a malicious or vulnerable server that receives them. OAuth 2.0 Demonstrating Proof-of-Possession (DPoP, RFC 9449) goes one step further: it equips the client, such as your Single Page Application, with a key pair, and the client presents a signed proof alongside the access token on every request, so that someone who only holds the token cannot use it. DPoP is one of the sender-constraining mechanisms allowed by the FAPI 2.0 Security Profile of the OpenID Foundation, which promotes best practices for protecting APIs that expose high-value and sensitive (personal and other) data, for example in finance, e-health and e-government applications.

This talk explains the concepts and demonstrates how this can be implemented with Keycloak and Apache HTTP Server using mod_auth_openidc. We will also describe the current challenges, limitations and alternatives of the approach.


Transcript

  1. Using DPoP to use access tokens securely in your Single Page Applications
     Université Libre de Bruxelles, Campus du Solbosch, Brussels, Belgium, 1 February 2025
     Alexander Schwartz, Principal Software Engineer, Keycloak Maintainer @ Red Hat
     Takashi Norimatsu, Senior OSS Specialist, Keycloak Maintainer @ Hitachi, Ltd.