Skip to content

feat: Implement DPoP module#495

Open
BinoyOza-okta wants to merge 3 commits intomasterfrom
OKTA-747791
Open

feat: Implement DPoP module#495
BinoyOza-okta wants to merge 3 commits intomasterfrom
OKTA-747791

Conversation

@BinoyOza-okta
Copy link
Contributor

@BinoyOza-okta BinoyOza-okta commented Feb 3, 2026

feat: Implement DPoP (RFC 9449) authentication for Okta Python SDK

Complete implementation of DPoP (Demonstrating Proof-of-Possession) authentication
per RFC 9449, providing cryptographic binding of access tokens to client keys for
enhanced security against token theft and replay attacks.

BREAKING CHANGES: None - fully backward compatible (opt-in via dpopEnabled flag)

Core Implementation

New Files (3)

  • okta/dpop.py (372 lines) - DPoP proof generator with key management
  • okta/errors/dpop_errors.py (72 lines) - User-friendly error messages
  • tests/unit/test_dpop.py (425 lines) - Comprehensive unit tests (24 tests)

Modified Files (4)

  • okta/jwt.py (+150 lines) - Added DPoP JWT creation methods
  • okta/oauth.py (rewritten ~200 lines) - DPoP-aware OAuth flow with nonce handling
  • okta/config/config_validator.py (+70 lines) - DPoP configuration validation
  • okta/request_executor.py (+50 lines) - DPoP header injection and nonce management

Features

DPoP Proof Generation

  • RSA 2048-bit ephemeral key pairs
  • RFC 9449 compliant JWT structure (typ: dpop+jwt, alg: RS256, jwk)
  • Proper claims: jti, htm, htu, iat, ath (access token hash), nonce
  • SHA-256 + Base64url encoding for access token hash
  • Thread-safe with proper locking mechanisms

OAuth Integration

  • Automatic DPoP proof generation for token requests
  • First request without nonce, auto-retry with nonce on use_dpop_nonce error
  • Nonce extraction and storage from server responses
  • Token type detection (DPoP vs Bearer)
  • Bearer fallback detection with warnings

Request Enhancement

  • DPoP header injection for all API requests
  • Access token hash (ath) in proofs for API calls
  • x-okta-user-agent-extended: isDPoP:true header
  • Nonce update from 401/400 responses
  • Helpful DPoP error messages

Configuration

  • dpopEnabled: true/false (default: false, opt-in)
  • dpopKeyRotationInterval: seconds (default: 86400 / 24 hours)
  • Validation: requires PrivateKey authMode, valid rotation interval
  • Backward compatible: no changes needed for existing configurations

Security

  • Private keys never exposed in JWK
  • Public-only JWK components exported
  • Thread-safe key operations with asyncio.Lock
  • Safe key rotation (waits for active requests)
  • Nonce cleared on key rotation
  • RFC 9449 compliant security measures

Testing

Unit Tests

  • 24 comprehensive unit tests
  • 100% test pass rate (24/24 passing)

@BinoyOza-okta
feat: Implement DPoP module
8a4b03d 
- Add DPoPProofGenerator class for RFC 9449 DPoP proof generation
- URL parsing strips query/fragment from htu claim
- JWK export contains only public components (kty, n, e)
- Key rotation with active request tracking
- Implement RSA 2048-bit key generation and management
- Add access token hash computation (SHA-256 + base64url)
- Add nonce storage and management
- Thread-safe implementation with proper locking
- Comprehensive unit tests (24 tests, 100% passing)
RFC 9449 compliant implementation with security best practices.
- Complete implementation of DPoP (Demonstrating Proof-of-Possession) per RFC 9449
for enhanced OAuth 2.0 security. Includes nonce handling, key rotation, and
comprehensive error messages. All core features tested and production-ready.
semgrep-code-okta[bot]
semgrep-code-okta bot reviewed Feb 3, 2026
View reviewed changes
BinoyOza-okta and others added 2 commits February 4, 2026 02:14
@BinoyOza-okta @semgrep-code-okta
Update okta/dpop.py
ce357db 
Co-authored-by: semgrep-code-okta[bot] <205183498+semgrep-code-okta[bot]@users.noreply.github.com>
@BinoyOza-okta
- Fixed lint issue.
8767cd5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@manmohan-shaw-okta manmohan-shaw-okta Awaiting requested review from manmohan-shaw-okta

1 more reviewer

@semgrep-code-okta semgrep-code-okta[bot] semgrep-code-okta[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BinoyOza-okta