You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(service/auth): move DPoP enforcement into dpop.enforce config (DSPX-3397)
Enforcement lived at the top of the auth block (server.auth.enforceDPoP) while
every other DPoP knob is nested under server.auth.dpop. Consolidate it: add
server.auth.dpop.enforce and deprecate the old top-level field.
The old field keeps working during the migration window. Both are defaulted
bools, so mapstructure cannot distinguish "explicitly false" from "unset";
enforcement therefore uses OR semantics via a new dpopEnforced() helper
(DPoP.Enforce || EnforceDPoP), and config validation warns when the deprecated
field is set.
- config.go: add DPoPConfig.Enforce, deprecate AuthNConfig.EnforceDPoP, add
dpopEnforced(); update validateAuthNConfig warnings.
- authn.go: NewAuthenticator uses cfg.dpopEnforced().
- server.go: warning strings reference server.auth.dpop.enforce.
- example configs + docs/Configuring.md: use the nested dpop.enforce form;
keep testdata/all-no-config.yaml on the legacy key for back-compat coverage.
- tests: migrate to DPoP.Enforce and add TestDPoPEnforcement_Migration.
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
Copy file name to clipboardExpand all lines: docs/Configuring.md
+4-2Lines changed: 4 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -125,7 +125,8 @@ Root level key `server`
125
125
| `auth.dpopskew` | The amount of time drift allowed between when the client generated a dpop proof and the server time. | `1h` | OPENTDF_SERVER_AUTH |
126
126
| `auth.skew` | The amount of time drift allowed between a tokens `exp` claim and the server time. | `1m` | OPENTDF_SERVER_AUTH_SKEW |
127
127
| `auth.public_client_id` | [DEPRECATED] The oidc client id. This is leveraged by otdfctl. | | OPENTDF_SERVER_AUTH_PUBLIC_CLIENT_ID |
128
-
| `auth.enforceDPoP` | If true, DPoP bindings on Access Tokens are enforced. | `false` | OPENTDF_SERVER_AUTH_ENFORCEDPOP |
128
+
| `auth.dpop.enforce` | If true, DPoP bindings on Access Tokens are enforced. | `false` | OPENTDF_SERVER_AUTH_DPOP_ENFORCE |
129
+
| `auth.enforceDPoP` | [DEPRECATED] Use `auth.dpop.enforce`. Still honored: DPoP is enforced when either field is true. | `false` | OPENTDF_SERVER_AUTH_ENFORCEDPOP |
129
130
| `cryptoProvider` | A list of public/private keypairs and their use. Described [below](#crypto-provider) | empty | |
0 commit comments