├── README.md
├── LICENSE
└── index.html


/README.md:
--------------------------------------------------------------------------------
 1 | OAuth DPoP Demo in Vanilla JS
 2 | =============================
 3 | 
 4 | https://oauth.net/2/dpop/
 5 | 
 6 | DPoP is a proof-of-possession technique for binding access tokens to a private key. The client signs each request to the authorization server and resource server with a private key and sends a DPoP proof in the request header.
 7 | 
 8 | This is an implementation of DPoP in JavaScript with no external libraries used. Because of this, the code is more verbose than you would typically see in an application that uses a DPoP library, but is a demonstration of what it takes to create DPoP proofs.
 9 | 
10 | For a more thorough implementation that is suitable for production use, see [panva/dpop](https://github.com/panva/dpop).
11 | 
12 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2023 Aaron Parecki
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.


--------------------------------------------------------------------------------
/index.html:
--------------------------------------------------------------------------------
  1 | <html>
  2 | <title>OAuth DPoP in Vanilla JS</title>
  3 | <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
  4 | 
  5 | 
  6 | 
  7 | 
  8 | <script>
  9 | // Configure your application and authorization server details
 10 | var config = {
 11 |     client_id: "",
 12 |     redirect_uri: "http://localhost:8080/",
 13 |     authorization_endpoint: "https://dev-xxxxxx.okta.com/oauth2/default/v1/authorize",
 14 |     token_endpoint: "https://dev-xxxxxx.okta.com/oauth2/default/v1/token",
 15 |     requested_scopes: "openid"
 16 | };
 17 | </script>
 18 | 
 19 | 
 20 | 
 21 | 
 22 | <div class="flex-center full-height">
 23 |     <div class="content">
 24 |         <a href="pkce.html" id="start">Click to Sign In</a>
 25 |         <div id="token" class="hidden">
 26 |             <h2>Access Token</h2>
 27 |             <div id="access_token" class="code"></div>
 28 |         </div>
 29 |         <div id="error" class="hidden">
 30 |             <h2>Error</h2>
 31 |             <div id="error_details" class="code"></div>
 32 |         </div>
 33 |     </div>
 34 | </div>  
 35 | 
 36 | 
 37 | 
 38 | <script>
 39 | 
 40 | //////////////////////////////////////////////////////////////////////
 41 | // OAUTH REQUEST
 42 | 
 43 | // Initiate the Authorization Code flow when the link is clicked
 44 | document.getElementById("start").addEventListener("click", async function(e){
 45 |     e.preventDefault();
 46 | 
 47 |     
 48 |     // Create and store a random "state" value
 49 |     var state = generateRandomString();
 50 |     localStorage.setItem("pkce_state", state);
 51 | 
 52 | 
 53 | 
 54 |     // Create and store a new PKCE code_verifier (the plaintext random secret)
 55 |     var code_verifier = generateRandomString();
 56 |     localStorage.setItem("pkce_code_verifier", code_verifier);
 57 | 
 58 | 
 59 | 
 60 |     // Hash and base64-urlencode the secret to use as the challenge
 61 |     var code_challenge = await pkceChallengeFromVerifier(code_verifier);
 62 | 
 63 |     // Build the authorization URL
 64 |     var url = config.authorization_endpoint 
 65 |         + "?response_type=code"
 66 |         + "&client_id="+encodeURIComponent(config.client_id)
 67 |         + "&state="+encodeURIComponent(state)
 68 |         + "&scope="+encodeURIComponent(config.requested_scopes)
 69 |         + "&redirect_uri="+encodeURIComponent(config.redirect_uri)
 70 |         + "&code_challenge="+encodeURIComponent(code_challenge)
 71 |         + "&code_challenge_method=S256"
 72 |         ;
 73 | 
 74 | 
 75 |     // Redirect to the authorization server
 76 |     window.location = url;
 77 | });
 78 | 
 79 | 
 80 | //////////////////////////////////////////////////////////////////////
 81 | // OAUTH REDIRECT HANDLING
 82 | 
 83 | 
 84 | // Handle the redirect back from the authorization server and
 85 | // get an access token from the token endpoint
 86 | 
 87 | var q = parseQueryString(window.location.search.substring(1));
 88 | 
 89 | // Check if the server returned an error string
 90 | if(q.error) {
 91 |     alert("Error returned from authorization server: "+q.error);
 92 |     document.getElementById("error_details").innerText = q.error+"\n\n"+q.error_description;
 93 |     document.getElementById("error").classList = "";
 94 | }
 95 | 
 96 | 
 97 | 
 98 | // If the server returned an authorization code, attempt to exchange it for an access token
 99 | if(q.code) {
100 | 
101 | 
102 |     // Verify state matches what we set at the beginning
103 |     if(localStorage.getItem("pkce_state") != q.state) {
104 |         alert("Invalid state");
105 |     } else {
106 | 
107 |         // Retrieve the PKCE code verifier from localstorage
108 |         const code_verifier = localStorage.getItem("pkce_code_verifier");
109 | 
110 |         // The success handler will be called on an HTTP 200 response
111 |         var successResponse = function(response, body) {
112 | 
113 |             // Initialize your application now that you have an access token.
114 |             // Here we just display it in the browser.
115 |             document.getElementById("access_token").innerText = body.access_token;
116 |             document.getElementById("start").classList = "hidden";
117 |             document.getElementById("token").classList = "";
118 | 
119 |             // Replace the history entry to remove the auth code from the browser address bar
120 |             window.history.replaceState({}, null, "/index.html");
121 | 
122 |             document.getElementById("error_details").innerText = '';
123 |             document.getElementById("error").classList = "hidden";
124 | 
125 |         };
126 | 
127 |         var errorResponse = function(response, error) {
128 |             // The first token request will fail and include a nonce in the header
129 |             const nonce = response.headers.get('dpop-nonce');
130 | 
131 |             if(nonce && error.error == 'use_dpop_nonce') {
132 |                 // Try the request again
133 |                 sendPostRequest(config.token_endpoint, {
134 |                     grant_type: "authorization_code",
135 |                     code: q.code,
136 |                     client_id: config.client_id,
137 |                     redirect_uri: config.redirect_uri,
138 |                     code_verifier: code_verifier,
139 |                 }, successResponse, errorResponse, nonce);
140 |             }
141 | 
142 |             // This could be an error response from the OAuth server, or an error because the 
143 |             // request failed such as if the OAuth server doesn't allow CORS requests
144 |             document.getElementById("error_details").innerText = error.error+"\n\n"+error.error_description;
145 |             document.getElementById("error").classList = "";
146 |         }
147 | 
148 | 
149 |         // Exchange the authorization code for an access token
150 |         sendPostRequest(config.token_endpoint, {
151 |             grant_type: "authorization_code",
152 |             code: q.code,
153 |             client_id: config.client_id,
154 |             redirect_uri: config.redirect_uri,
155 |             code_verifier: code_verifier,
156 |         }, successResponse, errorResponse);
157 |     }
158 | 
159 | 
160 | 
161 | 
162 |     // Clean these up since we don't need them anymore
163 |     localStorage.removeItem("pkce_state");
164 |     localStorage.removeItem("pkce_code_verifier");
165 | }
166 | 
167 | 
168 | 
169 | 
170 | 
171 | //////////////////////////////////////////////////////////////////////
172 | // DPOP FUNCTIONS
173 | 
174 | 
175 | // Return a DPoP JWT for an HTTP request
176 | async function DPoP(method, url, nonce, access_token) {
177 |     var key = await loadKey();
178 | 
179 |     var claims = {
180 |         htm: method,
181 |         htu: url,
182 |         iat: Math.floor(Date.now()/1000),
183 |         jti: generateRandomString(),
184 |     };
185 | 
186 |     if(nonce) {
187 |         claims.nonce = nonce;
188 |     }
189 | 
190 |     if(access_token) {
191 |         claims.ath = base64urlencode(await crypto.subtle.digest('SHA-256', strToBuf(access_token)));
192 |     }
193 | 
194 |     return jwt({
195 |         alg: 'RS256',
196 |         typ: 'dpop+jwt',
197 |         jwk: await publicJwk(key.publicKey),
198 |     }, claims,
199 |     key.privateKey);
200 | }
201 | 
202 | 
203 | // Make a POST request and parse the response as JSON
204 | async function sendPostRequest(url, params, success, error, nonce=null) {
205 |     var dPoPProof = await DPoP('POST', url, nonce);
206 |     console.log(dPoPProof);
207 | 
208 |     const formData = new FormData();
209 |     for( var key in params ) {
210 |         formData.append(key, params[key]);
211 |     }
212 | 
213 |     const headers = new Headers({
214 |         'DPoP': dPoPProof,
215 |     });
216 | 
217 |     const response = await fetch(url, {
218 |         method: 'POST',
219 |         cache: 'no-cache',
220 |         headers: headers,
221 |         body: new URLSearchParams(formData),
222 |     });
223 | 
224 |     const body = await response.json();
225 | 
226 |     if(response.status == 200) {
227 |         success(response, body);
228 |     } else {
229 |         error(response, body);
230 |     }
231 | }
232 | 
233 | 
234 | 
235 | // Generate a new non-exportable private key
236 | async function generateKeyPair() {
237 |     algorithm = {
238 |         name: 'RSASSA-PKCS1-v1_5',
239 |         hash: 'SHA-256',
240 |         modulusLength: 2048,
241 |         publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
242 |     };
243 | 
244 |     // The "false" here makes it non-exportable
245 |     // https://caniuse.com/mdn-api_subtlecrypto_generatekey
246 |     return crypto.subtle.generateKey(algorithm, false, ['sign', 'verify']);
247 | }
248 | 
249 | // Wrapper function for IndexedDB to open the database and run an operation
250 | // https://caniuse.com/indexeddb
251 | function callOnStore(fn_) {
252 |     console.log("Opening Database");
253 |     var open = window.indexedDB.open("KeyDatabase", 1);
254 |     open.onupgradeneeded = function() {
255 |         console.log("Upgrading database");
256 |         var db = open.result;
257 |         var store = db.createObjectStore("ObjectStore", {keyPath: "id"});
258 |     };
259 |     open.onsuccess = function() {
260 |         console.log("Success opening database");
261 |         // Start a new transaction
262 |         var db = open.result;
263 |         var tx = db.transaction("ObjectStore", "readwrite");
264 |         var store = tx.objectStore("ObjectStore");
265 | 
266 |         fn_(store);
267 | 
268 |         // Close the db when the transaction is done
269 |         tx.oncomplete = function() {
270 |             // console.log("Transaction complete");
271 |             db.close();
272 |         };
273 |     }
274 |     open.onerror = function() {
275 |         console.log("Error opening database");
276 |     }
277 | }
278 | 
279 | // Generate a new private key and store in IndexedDB
280 | async function generateAndSaveKey() {
281 |     var key = await generateKeyPair();
282 |     console.log("Generated key", key);
283 | 
284 |     callOnStore(function(store){
285 | 
286 |         store.put({id: 1, key: key});
287 |         console.log("Saved Key");
288 | 
289 |     });
290 | }
291 | 
292 | // Retrieve the handle to the private key from IndexedDB
293 | function loadKey() {
294 |     return new Promise(key => {
295 |         callOnStore(function(store){
296 |             console.log("Attempting to load key");
297 |             var getData = store.get(1);
298 |             getData.onsuccess = async function() {
299 |                 // console.log("Key loaded");
300 |                 console.log(getData.result);
301 |                 key(getData.result.key);
302 |             }
303 |         });
304 |     });
305 | }
306 | 
307 | // Build a JWT in Vanilla JS
308 | // https://caniuse.com/mdn-api_subtlecrypto_sign
309 | async function jwt(header, claims, key) {
310 |     const input = `${base64urlencode(strToBuf(JSON.stringify(header)))}.${base64urlencode(strToBuf(JSON.stringify(claims)))}`;
311 |     const signature = base64urlencode(await crypto.subtle.sign({ name: key.algorithm.name }, key, strToBuf(input)));
312 |     return `${input}.${signature}`;
313 | }
314 | 
315 | // Create JWK-formatted JSON of the public key
316 | async function publicJwk(key) {
317 |     // https://caniuse.com/mdn-api_subtlecrypto_exportkey
318 |     const { kty, e, n, x, y, crv } = await crypto.subtle.exportKey('jwk', key);
319 |     return { kty, crv, e, n, x, y};
320 | }
321 | 
322 | 
323 | 
324 | 
325 | //////////////////////////////////////////////////////////////////////
326 | // GENERAL HELPER FUNCTIONS
327 | 
328 | 
329 | 
330 | // Parse a query string into an object
331 | function parseQueryString(string) {
332 |     if(string == "") { return {}; }
333 |     var segments = string.split("&").map(s => s.split("=") );
334 |     var queryString = {};
335 |     segments.forEach(s => queryString[s[0]] = s[1]);
336 |     return queryString;
337 | }
338 | 
339 | 
340 | // Generate a secure random string using the browser crypto functions
341 | function generateRandomString() {
342 |     var array = new Uint32Array(28);
343 |     window.crypto.getRandomValues(array);
344 |     return Array.from(array, dec => ('0' + dec.toString(16)).substr(-2)).join('');
345 | }
346 | 
347 | 
348 | 
349 | // Calculate the SHA256 hash of the input text. 
350 | // Returns a promise that resolves to an ArrayBuffer
351 | function sha256(plain) {
352 |     return window.crypto.subtle.digest('SHA-256', strToBuf(plain));
353 | }
354 | 
355 | 
356 | // Base64-urlencode the input string
357 | function base64urlencode(str) {
358 |     // Convert the ArrayBuffer to string using Uint8 array to conver to what btoa accepts.
359 |     // btoa accepts chars only within ascii 0-255 and base64 encodes them.
360 |     // Then convert the base64 encoded to base64url encoded
361 |     //   (replace + with -, replace / with _, trim trailing =)
362 |     return btoa(String.fromCharCode.apply(null, new Uint8Array(str)))
363 |         .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
364 | }
365 | 
366 | 
367 | // Return the base64-urlencoded sha256 hash for the PKCE challenge
368 | async function pkceChallengeFromVerifier(v) {
369 |     hashed = await sha256(v);
370 |     return base64urlencode(hashed);
371 | }
372 | 
373 | 
374 | function strToBuf(string) {
375 |     const encoder = new TextEncoder();
376 |     return encoder.encode(string);
377 | }
378 | 
379 | 
380 | 
381 | 
382 | 
383 | </script>
384 | 
385 | <style>
386 | body {
387 |   padding: 0;
388 |   margin: 0;
389 |   min-height: 100vh;
390 |   font-family: arial, sans-serif;
391 | }
392 | @media(max-width: 400px) {
393 |   body {
394 |     padding: 10px;
395 |   }
396 | }
397 | .full-height {
398 |   min-height: 100vh;
399 | }
400 | .flex-center {
401 |   align-items: center;
402 |   display: flex;
403 |   justify-content: center;
404 | }
405 | .content {
406 |   max-width: 400px;
407 | }
408 | h2 {
409 |   text-align: center;
410 | }
411 | .code {
412 |   font-family: "Courier New", "Courier", monospace;
413 |   width: 100%;
414 |   padding: 4px;
415 |   border: 1px #ccc solid;
416 |   border-radius: 4px;
417 |   word-break: break-all;
418 | }
419 | .hidden {
420 |   display: none;
421 | }
422 | </style>
423 | 
424 | </html>
425 | 


--------------------------------------------------------------------------------