The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.
Today’s security lingo is DPoP, so let’s discuss what the acronym stands for and where you can see and hear it used.
What is DPoP?
Overhearing the phrase DPoP might make one think about the meteoric rise of the Danish-Norwegian eurodance pop group, Aqua, and their famous smash hit “Barbie Girl”. But in security circles, DPoP stands for something entirely different. Want to know what DPoP stands for? Well, Barbie (or Ken), we're just getting started.
In the realm of OpenID Connect and OAuth, the acronym DPoP stands for Demonstrating Proof of Possession. DPoP is a security measure utilizing asymmetric keys to address token replay attacks by making it difficult for attackers to use stolen tokens.
DPoP specifies how to bind an asymmetric key stored within a JSON Web Key to an access token. The client must then prove possession of the private key to call the APIs, and your APIs can validate the cnf claim by comparing it to the thumbprint of the client’s public key in the JSON Web Key. If the access token were to leak, an attacker could not reuse the token without access to the private key that the client controls.
The mechanism by which the client proves control of the private key is by sending an additional JSON Web Token called a proof token on HTTP requests. This proof token is passed via the DPoP request header and contains the public portion of the JSON Web Key, which the client has signed with the corresponding private key.
Regarding Duende’s security products, Duende IdentityServer Enterprise supports DPoP as well as Duende.AccessTokenManagement for participating clients. Both elements of DPoP are explained in detail in our documentation and can help increase your solution's security posture against malicious parties.
And there you have it, feel comfortable knowing how and when to use DPoP in security conversations and what it means in context. Even better, for existing and future Duende customers, you now understand what DPoP is and can audit your existing security practices to see if DPoP is right for you. Now, let’s go party.
Thanks for stopping by!
We hope this post helped you on your identity and security journey. If you need a hand with implementation, our docs are always open. For everything else, come hang out with the team and other developers on GitHub.
If you want to get early access to new features and products while collaborating with experts in security and identity standards, join us in our Duende Product Insiders program. And if you prefer your tech content in video form, our YouTube channel is the place to be. Don't forget to like and subscribe!
Questions? Comments? Just want to say hi? Leave a comment below and let's start a conversation.