added support for dpop auth#450
Signed-off-by: Tanish <tanish@okta.com>
aniket-okta left a comment:
LGTM.
The DPoP implementation is solid, well-tested, and follows the spec closely. The changes are cleanly integrated and unlikely to disrupt existing usage. I recommend merging after a documentation update (if not already planned).
Suggestions
- Documentation: Consider adding or updating SDK documentation to explain how to enable DPoP, expected configuration, and limitations.
- Backward Compatibility: The changes seem to be backward compatible, but a quick check in the changelog/upgrade guide would be beneficial for users upgrading the SDK.
- Error Handling: The error handling for invalid private keys is robust in tests, but ensure that user-facing error messages are clear in production (not leaking sensitive data).
What is the current behavior?
Demonstrating Proof-of-Possession is enabled by default for API Services, but this feature is not supported in the SDK. Creating a new Okta API Service with a private-public key pair will not work unless the checkbox for DPoP is turned off. Calling any API results in 403 (invalid token), and on the System Log side it looks like an invalid_dpop_proof error. The SDK works as expected with DPoP turned off.
Issue Number: N/A
What is the new behavior?
Added support for DPoP.