DPoP Package Updates

Joe DeCock

Today we are publishing two NuGet packages related to DPoP:

  • Duende.IdentityServer 7.0.8, which addresses a low-severity security issue in our DPoP
    support for local APIs (CVE-2024-49755), and
  • Duende.AspNetCore.Authentication.JwtBearer 0.1.3, the first preview of a new series of
    ASP.NET Core extensions that help you leverage advanced IdentityServer features - in
    this case DPoP support for APIs.

We encourage everyone using IdentityServer 7.0.0 and later to update to IdentityServer
7.0.8, but do note that most IdentityServer implementations are not affected. In this blog
post, we'll discuss the issue in more detail and the specific circumstances where this
vulnerability applies, as well as show how to use the new package to implement DPoP in
your ASP.NET APIs.

Nature of Vulnerability and Impact

We were recently made aware of a missing validation step in our DPoP support that would
allow an attacker to use leaked DPoP access tokens at local API endpoints defined within
an IdentityServer implementation, even without possessing the private key for signing
proof tokens. Thank you to Jonathan Antoine for raising this issue. As always, we
encourage members of the community to raise security sensitive issues with us privately by
sending email to security@duendesoftware.com.

This issue only affects custom endpoints within an IdentityServer implementation that
explicitly use the LocalApiAuthenticationHandler for authentication, and exploiting it
requires an attacker to exfiltrate tokens from a client application or otherwise obtain a
leaked token. It does not affect:

  • OAuth or OIDC protocol endpoints defined by IdentityServer, such as the authorize and
    token endpoints.
  • UI pages within an IdentityServer implementation, which are not authorized with the
    local API authentication handler.
  • The use of DPoP to create sender-constrained tokens in IdentityServer that are consumed
    by external API resources.
  • The use of DPoP to sender-constrain refresh tokens issued to public clients.

We assess this issue as low severity, with a CVSS v3.1 score of 3.1/10.
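To make the risk concrete, the following is an added example (not Duende's code) of the checks RFC 9449 requires a resource server to perform before honouring a DPoP-bound access token, written against Microsoft.IdentityModel.JsonWebTokens. The post does not say which step was missing from the local API handler; the step that defeats an attacker who holds a leaked token but not the private key is the comparison of the token's cnf.jkt with the thumbprint of the key that signed the proof (step 3). The five-minute window and the in-memory replay set are assumptions.

```csharp
// Added example, not code from Duende: the sender-constraint checks RFC 9449 (section 4.3)
// requires of a resource server before it honours a DPoP-bound access token.
// Assumes the Microsoft.IdentityModel.JsonWebTokens package on .NET 8.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class DPoPResourceServerChecks
{
    // Assumed policy: proofs older than this (or further in the future) are rejected.
    private static readonly TimeSpan ProofSkew = TimeSpan.FromMinutes(5);

    // Returns null when `proof` (the DPoP header value) binds `accessToken` to the caller,
    // otherwise the reason for rejection. `accessToken` must already have passed normal JWT
    // validation (signature, issuer, lifetime); only its cnf.jkt claim is read here.
    // `seenJtis` stands in for a replay cache; a real deployment would use a distributed
    // cache whose entries expire after ProofSkew.
    public static async Task<string?> ValidateAsync(
        string proof, string accessToken, string httpMethod, string httpUri, ISet<string> seenJtis)
    {
        // 1. The proof advertises its public key in its header. Decode it unverified: the key
        //    is used to verify the proof itself and is only trusted once it matches cnf.jkt.
        var header = ReadJsonPart(proof, 0);
        if (header is null || !header.Value.TryGetProperty("jwk", out var jwkElement))
            return "proof has no jwk header";
        var proofKey = new JsonWebKey(jwkElement.GetRawText());
        if (proofKey.HasPrivateKey) return "proof jwk must not contain private parameters";

        // 2. Verify the proof's signature with that key. Proofs carry iat rather than exp,
        //    so the time window is checked by hand in step 4.
        var handler = new JsonWebTokenHandler();
        var result = await handler.ValidateTokenAsync(proof, new TokenValidationParameters
        {
            IssuerSigningKey = proofKey,
            ValidTypes = new[] { "dpop+jwt" },
            ValidAlgorithms = new[] { "ES256", "ES384", "ES512", "PS256", "PS384", "PS512" },
            RequireSignedTokens = true,
            ValidateIssuer = false,
            ValidateAudience = false,
            ValidateLifetime = false,
            RequireExpirationTime = false,
        });
        if (!result.IsValid) return "proof signature invalid: " + result.Exception?.Message;
        var verified = (JsonWebToken)result.SecurityToken;

        // 3. The binding check: the key that signed the proof must be the key the token was
        //    issued to (cnf.jkt, an RFC 7638 thumbprint). Without this comparison a leaked
        //    token can be replayed with a proof signed by any key the attacker owns.
        var payload = ReadJsonPart(accessToken, 1);
        if (payload is null || !payload.Value.TryGetProperty("cnf", out var cnf)
            || !cnf.TryGetProperty("jkt", out var jktElement))
            return "access token is not DPoP-bound (no cnf.jkt)";
        var expectedJkt = jktElement.GetString() ?? "";
        var actualJkt = Base64UrlEncoder.Encode(proofKey.ComputeJwkThumbprint());
        if (!FixedTimeEquals(expectedJkt, actualJkt)) return "proof key does not match cnf.jkt";

        // 4. The proof must be for this token (ath), this request (htm, htu), fresh and unique.
        var ath = Base64UrlEncoder.Encode(SHA256.HashData(Encoding.ASCII.GetBytes(accessToken)));
        if (!verified.TryGetPayloadValue<string>("ath", out var claimedAth) || !FixedTimeEquals(ath, claimedAth))
            return "ath does not match the presented access token";
        if (!verified.TryGetPayloadValue<string>("htm", out var htm)
            || !string.Equals(htm, httpMethod, StringComparison.Ordinal))
            return "htm does not match the request method";
        if (!verified.TryGetPayloadValue<string>("htu", out var htu)
            || !Uri.TryCreate(htu, UriKind.Absolute, out var htuUri)
            || !Uri.TryCreate(httpUri, UriKind.Absolute, out var reqUri)
            || htuUri.GetLeftPart(UriPartial.Path) != reqUri.GetLeftPart(UriPartial.Path))
            return "htu does not match the request URI (scheme, host and path; query ignored)";
        var age = DateTime.UtcNow - verified.IssuedAt;
        if (verified.IssuedAt == DateTime.MinValue || age > ProofSkew || age < -ProofSkew)
            return "proof iat missing or outside the accepted window";
        if (string.IsNullOrEmpty(verified.Id) || !seenJtis.Add(verified.Id))
            return "proof jti missing or already seen (replay)";

        return null;
    }

    // Decodes one base64url-encoded JSON segment of a compact JWT without verifying anything.
    private static JsonElement? ReadJsonPart(string jwt, int index)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) return null;
        try
        {
            using var doc = JsonDocument.Parse(Base64UrlEncoder.DecodeBytes(parts[index]));
            return doc.RootElement.Clone();
        }
        catch (Exception e) when (e is FormatException || e is JsonException) { return null; }
    }

    private static bool FixedTimeEquals(string a, string b) =>
        CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(a), Encoding.UTF8.GetBytes(b));
}
```

Note the ordering: the proof key is taken from the untrusted header, so nothing it says is relied upon until its signature verifies and its thumbprint matches the cnf.jkt that the authorization server put into the (already validated) access token. Dropping step 3 alone is enough to let anyone holding a leaked token pass the remaining checks with a freshly generated key.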

Are you affected?

The local APIs feature is used to create API endpoints within, and protected by, an
IdentityServer host. You can check whether you are using this feature by searching your
IdentityServer implementation for calls to AddLocalApi and AddLocalApiAuthentication.

Even if you are using the local APIs feature, you may still not be affected, because DPoP
support at local APIs must be explicitly enabled via configuration. By default, local APIs
have DPoP turned off. Vulnerable implementations of IdentityServer have configuration code
similar to the following:

```csharp
services.AddAuthentication()
    .AddLocalApi("local", options =>
    {
        // Either DPoP mode turns on proof validation at the local API and is affected
        options.TokenMode = LocalApiTokenMode.DPoPAndBearer; // or LocalApiTokenMode.DPoPOnly
    });
```

If you are using the default TokenMode of LocalApiTokenMode.BearerOnly, you are not
affected by this vulnerability.

What we are doing today

  • Publishing IdentityServer 7.0.8, which addresses this vulnerability.
  • Publishing a security advisory.

We chose not to make 7.0.8 available in advance of today's disclosure due to the low
severity of the issue. It is our policy to make medium severity security updates available
privately to our customers prior to public release.

Duende Extensions to ASP.NET Core

Implementing DPoP support is not trivial and has subtle nuances based on the context in
which it is used. It's easy to get the details wrong, especially if you're copying and
pasting sample code. We want our users to be able to leverage advanced OAuth security
features of IdentityServer like DPoP, and that often requires support in the applications
and APIs. That's why we've made past open source contributions to ASP.NET Core's
authentication handlers and why we've been working on a set of new tools to extend ASP.NET
Core for client and API developers.

Our first release in this area is Duende.AspNetCore.Authentication.JwtBearer, a package
that extends the ASP.NET Core JwtBearer authentication handler with DPoP support.
Previously, implementing DPoP in APIs required fairly extensive customization of the
handler. Now it takes installing the NuGet package and adding one line of code:

```csharp
builder.Services.ConfigureDPoPTokensForScheme("token");
```

A full sample is available here.
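As an added example (not the post's linked sample), here is where that line sits in the Program.cs of a minimal API. The JwtBearer registration around it is ordinary ASP.NET Core; the only call from the new package is ConfigureDPoPTokensForScheme, and the scheme name passed to it must match the scheme registered with AddJwtBearer. The authority URL, scheme name "token", scope name and endpoint are assumptions, and the package's own using directive is not shown because the post does not name its namespace.

```csharp
// Added example, not Duende's sample: a minimal API that accepts DPoP-bound access tokens.
// Assumes the Microsoft.AspNetCore.Authentication.JwtBearer and
// Duende.AspNetCore.Authentication.JwtBearer packages (add the using directive the latter's
// README names) and the web SDK's implicit usings.
var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("token")
    .AddJwtBearer("token", options =>
    {
        options.Authority = "https://localhost:5001";            // assumed IdentityServer host
        options.TokenValidationParameters.ValidateAudience = false;
        options.TokenValidationParameters.ValidTypes = new[] { "at+jwt" }; // accept only access tokens
        options.MapInboundClaims = false;                        // keep JWT claim names as issued
    });

// The one line from the package: adds DPoP proof validation (the DPoP request header)
// to the "token" scheme registered above. The scheme names must match.
builder.Services.ConfigureDPoPTokensForScheme("token");

builder.Services.AddAuthorization(options =>
{
    // Assumed scope name; require it in addition to a valid, sender-constrained token
    options.AddPolicy("api", policy => policy.RequireAuthenticatedUser().RequireClaim("scope", "api"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Assumed endpoint: echoes the caller's claims so the binding can be inspected during testing
app.MapGet("/identity", (HttpContext ctx) =>
        ctx.User.Claims.Select(c => new { c.Type, c.Value }))
    .RequireAuthorization("api");

app.Run();
```

A client calling this API sends both an Authorization header using the DPoP scheme and a DPoP header carrying the proof; a request that presents a DPoP-bound token without a valid proof for this method and URL is rejected by the scheme rather than by application code.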

Conclusion

Again, we encourage everyone to update to IdentityServer 7.0.8. You can check your
implementation for usages of the local API authentication handler, and for the
LocalApiTokenMode values that enable DPoP, to determine whether you are impacted.

We also would love to get feedback on Duende.AspNetCore.Authentication.JwtBearer! Please
try it out and let us know how it works for you.

If you have further questions, please email the Duende Security team at
security@duendesoftware.com.