Add support for additional claims in DPoP proof payload

Gjermund Stensrud · Erwinvandervalk · commit b35342dd5d45 · 2025-05-19T14:34:43.000+02:00
diff --git a/access-token-management/src/AccessTokenManagement/AccessTokenHandler.cs b/access-token-management/src/AccessTokenManagement/AccessTokenHandler.cs
@@ -127,6 +127,8 @@ protected virtual async Task<bool> SetDPoPProofTokenAsync(HttpRequestMessage req
 
         if (!string.IsNullOrEmpty(token.DPoPJsonWebKey))
         {
+            request.Options.TryGetValue(new HttpRequestOptionsKey<IReadOnlyDictionary<string, string>>("Duende.AccessTokenManagement.DPoPProofAdditionalPayloadClaims"), out var additionalClaims);
+
             // create proof
             var proofToken = await _dPoPProofService.CreateProofTokenAsync(new DPoPProofRequest
             {
@@ -135,6 +137,7 @@ protected virtual async Task<bool> SetDPoPProofTokenAsync(HttpRequestMessage req
                 Method = request.Method.ToString(),
                 DPoPJsonWebKey = token.DPoPJsonWebKey,
                 DPoPNonce = dpopNonce,
+                AdditionalPayloadClaims = additionalClaims,
             });
 
             if (proofToken != null)
diff --git a/access-token-management/src/AccessTokenManagement/DPoPExtensions.cs b/access-token-management/src/AccessTokenManagement/DPoPExtensions.cs
@@ -77,4 +77,14 @@ public static string GetDPoPUrl(this HttpRequestMessage request)
     {
         return request.RequestUri!.Scheme + "://" + request.RequestUri!.Authority + request.RequestUri!.LocalPath;
     }
+
+    /// <summary>
+    /// Additional claims that will be added to the DPoP proof payload on generation
+    /// </summary>
+    /// <param name="request"></param>
+    /// <param name="customClaims"></param>
+    public static void AddDPoPProofAdditionalPayloadClaims(this HttpRequestMessage request, IDictionary<string, string> customClaims)
+    {
+        request.Options.TryAdd("Duende.AccessTokenManagement.DPoPProofAdditionalPayloadClaims", customClaims.AsReadOnly());
+    }
 }
diff --git a/access-token-management/src/AccessTokenManagement/DefaultDPoPProofService.cs b/access-token-management/src/AccessTokenManagement/DefaultDPoPProofService.cs
@@ -119,6 +119,14 @@ await _dPoPNonceStore.StoreNonceAsync(new DPoPNonceContext
             payload.Add(JwtClaimTypes.Nonce, nonce);
         }
 
+        if (request.AdditionalPayloadClaims?.Count > 0)
+        {
+            foreach (var claim in request.AdditionalPayloadClaims)
+            {
+                payload.Add(claim.Key, claim.Value);
+            }
+        }
+
         var handler = new JsonWebTokenHandler() { SetDefaultTimesOnTokenCreation = false };
         var key = new SigningCredentials(jsonWebKey, jsonWebKey.Alg);
         var proofToken = handler.CreateToken(JsonSerializer.Serialize(payload), key, header);
diff --git a/access-token-management/src/AccessTokenManagement/Interfaces/IDPoPProofService.cs b/access-token-management/src/AccessTokenManagement/Interfaces/IDPoPProofService.cs
@@ -48,6 +48,11 @@ public class DPoPProofRequest
     /// The access token
     /// </summary>
     public string? AccessToken { get; set; }
+
+    /// <summary>
+    /// Additional claims to add to the DPoP proof payload
+    /// </summary>
+    public IReadOnlyDictionary<string, string>? AdditionalPayloadClaims { get; set; }
 }
 
 /// <summary>
diff --git a/access-token-management/test/AccessTokenManagement.Tests/ClientTokenManagementApiTests.cs b/access-token-management/test/AccessTokenManagement.Tests/ClientTokenManagementApiTests.cs
@@ -189,6 +189,32 @@ public async Task dpop_tokens_should_be_passed_to_api()
         proofToken.ShouldNotBeNull();
     }
 
+    [Fact]
+    public async Task when_additional_proof_payload_claims_are_defined_they_should_be_included_in_dpop_proof()
+    {
+        string? proofToken = null;
+
+        ApiHost.ApiInvoked += ctx =>
+        {
+            proofToken = ctx.Request.Headers["DPoP"].FirstOrDefault()?.ToString();
+        };
+        var client = _clientFactory.CreateClient("test");
+
+        var requestMessage = new HttpRequestMessage(HttpMethod.Get, ApiHost.Url("/test"));
+        requestMessage.AddDPoPProofAdditionalPayloadClaims(new Dictionary<string, string>() {
+            { "claim_one", "one" },
+            { "claim_two", "two" },
+        });
+
+        var apiResult = await client.SendAsync(requestMessage);
+
+        proofToken.ShouldNotBeNull();
+        var payload = Base64UrlEncoder.Decode(proofToken!.Split('.')[1]);
+        var values = JsonSerializer.Deserialize<Dictionary<string, object>>(payload);
+        values!["claim_one"].ToString().ShouldBe("one");
+        values!["claim_two"].ToString().ShouldBe("two");
+    }
+
     [Fact]
     public async Task when_api_issues_nonce_api_request_should_be_retried_with_new_nonce()
     {
diff --git a/access-token-management/test/AccessTokenManagement.Tests/PublicApiVerificationTests.VerifyPublicApi.verified.txt b/access-token-management/test/AccessTokenManagement.Tests/PublicApiVerificationTests.VerifyPublicApi.verified.txt
@@ -62,6 +62,7 @@
     }
     public static class DPoPExtensions
     {
+        public static void AddDPoPProofAdditionalPayloadClaims(this System.Net.Http.HttpRequestMessage request, System.Collections.Generic.IDictionary<string, string> customClaims) { }
         public static void ClearDPoPProofToken(this System.Net.Http.HttpRequestMessage request) { }
         public static string? GetDPoPNonce(this System.Net.Http.HttpResponseMessage response) { }
         public static string GetDPoPUrl(this System.Net.Http.HttpRequestMessage request) { }
@@ -88,6 +89,7 @@
     {
         public DPoPProofRequest() { }
         public string? AccessToken { get; set; }
+        public System.Collections.Generic.IReadOnlyDictionary<string, string>? AdditionalPayloadClaims { get; set; }
         public string DPoPJsonWebKey { get; set; }
         public string? DPoPNonce { get; set; }
         public string Method { get; set; }

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,8 @@ protected virtual async Task<bool> SetDPoPProofTokenAsync(HttpRequestMessage req`
`127`	`127`
`128`	`128`	`if (!string.IsNullOrEmpty(token.DPoPJsonWebKey))`
`129`	`129`	`{`
	`130`	`+ request.Options.TryGetValue(new HttpRequestOptionsKey<IReadOnlyDictionary<string, string>>("Duende.AccessTokenManagement.DPoPProofAdditionalPayloadClaims"), out var additionalClaims);`
	`131`	`+`
`130`	`132`	`// create proof`
`131`	`133`	`var proofToken = await _dPoPProofService.CreateProofTokenAsync(new DPoPProofRequest`
`132`	`134`	`{`
`@@ -135,6 +137,7 @@ protected virtual async Task<bool> SetDPoPProofTokenAsync(HttpRequestMessage req`
`135`	`137`	`Method = request.Method.ToString(),`
`136`	`138`	`DPoPJsonWebKey = token.DPoPJsonWebKey,`
`137`	`139`	`DPoPNonce = dpopNonce,`
	`140`	`+ AdditionalPayloadClaims = additionalClaims,`
`138`	`141`	`});`
`139`	`142`
`140`	`143`	`if (proofToken != null)`
Original file line number	Diff line number	Diff line change
`@@ -77,4 +77,14 @@ public static string GetDPoPUrl(this HttpRequestMessage request)`
`77`	`77`	`{`
`78`	`78`	`return request.RequestUri!.Scheme + "://" + request.RequestUri!.Authority + request.RequestUri!.LocalPath;`
`79`	`79`	`}`
	`80`	`+`
	`81`	`+ /// <summary>`
	`82`	`+ /// Additional claims that will be added to the DPoP proof payload on generation`
	`83`	`+ /// </summary>`
	`84`	`+ /// <param name="request"></param>`
	`85`	`+ /// <param name="customClaims"></param>`
	`86`	`+ public static void AddDPoPProofAdditionalPayloadClaims(this HttpRequestMessage request, IDictionary<string, string> customClaims)`
	`87`	`+ {`
	`88`	`+ request.Options.TryAdd("Duende.AccessTokenManagement.DPoPProofAdditionalPayloadClaims", customClaims.AsReadOnly());`
	`89`	`+ }`
`80`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,7 @@`
`62`	`62`	`}`
`63`	`63`	`public static class DPoPExtensions`
`64`	`64`	`{`
	`65`	`+ public static void AddDPoPProofAdditionalPayloadClaims(this System.Net.Http.HttpRequestMessage request, System.Collections.Generic.IDictionary<string, string> customClaims) { }`
`65`	`66`	`public static void ClearDPoPProofToken(this System.Net.Http.HttpRequestMessage request) { }`
`66`	`67`	`public static string? GetDPoPNonce(this System.Net.Http.HttpResponseMessage response) { }`
`67`	`68`	`public static string GetDPoPUrl(this System.Net.Http.HttpRequestMessage request) { }`
`@@ -88,6 +89,7 @@`
`88`	`89`	`{`
`89`	`90`	`public DPoPProofRequest() { }`
`90`	`91`	`public string? AccessToken { get; set; }`
	`92`	`+ public System.Collections.Generic.IReadOnlyDictionary<string, string>? AdditionalPayloadClaims { get; set; }`
`91`	`93`	`public string DPoPJsonWebKey { get; set; }`
`92`	`94`	`public string? DPoPNonce { get; set; }`
`93`	`95`	`public string Method { get; set; }`