The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.
Today’s security lingo is DPoP, so let’s discuss what the acronym stands for and where you can see and hear it used.
What is DPoP?
Overhearing the phrase DPoP might make one think about the meteoric rise of the Danish-Norwegian eurodance pop group, Aqua, and their famous smash hit “Barbie Girl”. But in security circles, DPoP stands for something entirely different. Want to know what DPoP stands for? Well, Barbie (or Ken), we're just getting started.
In the realm of OpenID Connect and OAuth, the acronym DPoP stands for Demonstrating Proof of Possession. DPoP is a security measure utilizing asymmetric keys to address token replay attacks by making it difficult for attackers to use stolen tokens.
DPoP specifies how to bind an asymmetric key stored within a JSON Web Key to an access token. The client must then prove possession of the private key to call the APIs, and your APIs can validate the cnf claim by comparing it to the thumbprint of the client’s public key in the JSON Web Key. If the access token were to leak, an attacker could not reuse the token without access to the private key that the client controls.
The mechanism by which the client proves control of the private key is by sending an additional JSON Web Token called a proof token on HTTP requests. This proof token is passed via the DPoP request header and contains the public portion of the JSON Web Key, which the client has signed with the corresponding private key.
Regarding Duende’s security products, Duende IdentityServer Enterprise supports DPoP as well as Duende.AccessTokenManagement for participating clients. Both elements of DPoP are explained in detail in our documentation and can help increase your solution's security posture against malicious parties.
And there you have it, feel comfortable knowing how and when to use DPoP in security conversations and what it means in context. Even better, for existing and future Duende customers, you now understand what DPoP is and can audit your existing security practices to see if DPoP is right for you. Now, let’s go party.
We hope you found this post enlightening. If there’s other security lingo you’re unsure about, please let us know in the comments, and we’ll be happy to explain. And while you’re here, please take a moment to explore our range of security products and join our community in our public discussions.