Package Exports
- dpop
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (dpop) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
DPoP
Browser-focused implementation of OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer - draft-ietf-oauth-dpop-03.
Usage
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>it's dpop time!</title>
<script type="module">
import DPoP, { generateKeyPair } from 'https://cdn.jsdelivr.net/npm/dpop@^0.6.0';
const alg = 'ES256'; // see below for other supported JWS algorithms
(async () => {
const keypair = await generateKeyPair(alg);
// Access Token Request
const accessTokenRequestProof = await DPoP(keypair, alg, 'https://op.example.com/token', 'POST');
// Protected Resource Access
const accessTokenValue = 'W0lFSOAgL4oxWwnFtigwmXtL3tHNDjUCXVRasB3hQWahsVvDb0YX1Q2fk7rMJ-oy';
const protectedResourceAccessProof = await DPoP(keypair, alg, 'https://rs.example.com/resource', 'GET', accessTokenValue);
})();
</script>
</head>
</html>Note: Storage of the crypto key pair is not included, use your existing abstraction over IndexedDB to store the CryptoKey instances.
API
default module export
function DPoP(keypair: CryptoKeyPair, alg: string, htu: string, htm: string, accessToken?: string, additional?: object) => Promise<string>;
generateKeyPair named export
function generateKeyPair(alg: string): Promise<CryptoKeyPair>
Supported JWS Algorithms
| JWS Algorithms | Supported | |
|---|---|---|
| ECDSA | ✓ | ES256, ES384, ES512 |
| RSASSA-PSS | ✓ | PS256, PS384, PS512 |
| RSASSA-PKCS1-v1_5 | ✓ | RS256, RS384, RS512 |
Other JWS algorithms are either not eligible for use with DPoP or unsupported by the Web Cryptography API.
Prerequisites
Requires Web Cryptography API, specifically: