Support for OAuth2 Demonstrating Proof of Possession

[sberyozkin]

Fixes #42115.

This PR adds a complete DPoP token verification support, with tests.

DPoP is currently restricted to the public clients, which explains why the test structure is created around FrontendResource emulating SPA.

Support for the custom DPoP nonce providers can be offered in the future.

All in all, the implementation is just a translation of https://datatracker.ietf.org/doc/html/rfc9449#name-checking-dpop-proofs, goes via every recommended verification step:

• DPoP header exists
• Its HTTP method and URIs are correct
• It has non-private public JWK key and the proof signature is correct
• It has an access token hash which matches the provided access token
• The access token confirmation claim has a JWK thumbprint which matches the DPoP's public jwk thumbprint

Some tuning for the URI matches might be needed going forward but should work fine for typical cases.

To support the test cases I updated Keycloak Dev service to enable experimental features for users be able to use DPoP, etc.

The actual tests can be improved further, I'd like to enable in a separate PR to report exception causes not only in devmode but also in test mode.

[github-actions]

🙈 The PR is closed and the preview is expired.

[sberyozkin]

Oops, I realized I forgot starting containers for testing a few negative rests I added today

[sberyozkin]

I mistyped the RSA key size (2024 as opposed to 2048), now the tests should be fine

[sberyozkin]

Sorry, needs more work, some side-effects likely related to enabling all features in the devservice

[sberyozkin]

I ended up adding a dedicated features property to the Keycloak devservice config. One can also use the custom start command but if all the users want is to enable, for example, the dpop feature, then features=dpop will be a much simpler way to achieve it compared to copying the rest of the start command options...

[quarkus-bot]

Status for workflow Quarkus Documentation CI

This is the status report for running Quarkus Documentation CI on commit 802f60c.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

Warning

There are other workflow runs running, you probably need to wait for their status before merging.

[quarkus-bot]

Status for workflow Quarkus CI

This is the status report for running Quarkus CI on commit 802f60c.

✅ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

[sberyozkin]

That could've been a great new feature for LTS

[sberyozkin]

Also CC @mposolda

[sberyozkin]

Just to clarify that at the test level, FrontendResource emulates a public SPA client which authenticates users to Keycloak and then creates one DPoP proof to complete the authorization code flow with Keycloak and then passes the token with another DPoP proof to Quarkus - this PR is only about verifying the DPoP proof and the bound access token at the Quarkus end

[pedroigor]

@sberyozkin LGTM

[sberyozkin]

Thanks very much for the time, @pedroigor.

@mposolda, you are always welcome to comment as well, I'll CC you when I open a follow up PR to allow the registration of the custom DPoP Nonce providers

[sberyozkin]

@gsmet, Hi, it is quite an important feature, if it is not too late yet then please consider for a backport, but please don't hesitate to drop the backport label if you feel it may be too sensitive to backport