
DPoP JWK Thumbprint validation does not conform to RFC7638 #17079

Closed
@dkowis

Description


Describe the bug
The DPoP Thumbprint in the jkt claim is calculated according to RFC7638, and the Spring implementation does a certificate thumbprint, not a JWK Thumbprint.

To Reproduce

  1. Generate a DPoP Proof using: https://github.com/panva/openid-client
  2. This will create the jkt claim using a JWK Thumbprint according to the RFC
  3. Spring cannot validate it, and the DPoP Proof is rejected. :(

Expected behavior
The DPoP proof should be valid!

Sample

PR to follow shortly showing the difference and fix once validated; if we are unable to prove that it works, we'll create a sample repo.
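The RFC 7638 computation that the report expects a validator to perform, as an added example that is not part of the original issue and is neither Spring Security nor openid-client code. The function names and the sample key are hypothetical and constructed here; `serializedJwkDigest` only illustrates that a digest over any other encoding of the same key yields a different value.

```javascript
const crypto = require('node:crypto');

// Required members per key type, listed in lexicographic order (RFC 7638, section 3.2).
const REQUIRED_MEMBERS = {
  EC: ['crv', 'kty', 'x', 'y'],
  OKP: ['crv', 'kty', 'x'],
  RSA: ['e', 'kty', 'n'],
};

// RFC 7638 thumbprint: SHA-256 over a JSON object holding only the required
// members, in lexicographic order, without whitespace, base64url-encoded.
function jwkThumbprint(jwk) {
  const names = REQUIRED_MEMBERS[jwk.kty];
  if (!names) throw new Error(`unsupported kty: ${jwk.kty}`);
  const canonical = {};
  for (const name of names) {
    if (typeof jwk[name] !== 'string' || jwk[name] === '') {
      throw new Error(`JWK is missing required member "${name}"`);
    }
    canonical[name] = jwk[name];
  }
  // JSON.stringify keeps insertion order and emits no whitespace.
  const input = JSON.stringify(canonical);
  return crypto.createHash('sha256').update(input, 'utf8').digest('base64url');
}

// Digest over the JWK as serialized: shown only as a contrast, not a JWK thumbprint.
function serializedJwkDigest(jwk) {
  return crypto.createHash('sha256').update(JSON.stringify(jwk), 'utf8').digest('base64url');
}

// Constant-time check of a jkt value against the key carried in the DPoP proof.
function jktMatches(expectedJkt, proofJwk) {
  const actual = Buffer.from(jwkThumbprint(proofJwk));
  const expected = Buffer.from(String(expectedJkt));
  return actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
}

// Constructed sample key (x and y are placeholder strings, not a real curve point).
const SAMPLE_JWK = {
  kid: 'constructed-key-1', use: 'sig', alg: 'ES256',
  y: 'constructed-y-coordinate-placeholder-value-0002',
  x: 'constructed-x-coordinate-placeholder-value-0001',
  crv: 'P-256', kty: 'EC',
};

console.log(jwkThumbprint(SAMPLE_JWK));
```

Member order and optional members such as `kid`, `use` and `alg` do not affect the result, which is why two implementations that both follow the RFC agree on the `jkt` value for the same key.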
