DPoP support for native / mobile Applications
The sweet spot for proof of possession access tokens is clients that are operated in untrusted networks and can securely store key material and tokens - very typically that translates to native mobile applications.
We maintain an open source client library that implements RFC8252 (aka “AppAuth”) style authentication and token management. This library targets netstandard2.0 and thus is usable on all .NET platforms (e.g. Windows / Mac desktop, iOS, Android etc.).
When we announced DPoP support for IdentityServer, we also mentioned that we will update this library as well. This took some time, but we now have a preview for you to try out.
The typical flow for native applications would be:
first run
- create and store a proof token
- start the authentication / token request via the platform’s authentication browser
- store the refresh token
- automatically manage access token and call APIs using DPoP
subsequent run
- retrieve previously stored proof key and refresh token
- automatically manage access token and call APIs using DPoP
The setup for this in code is pretty simple and all helpers are provided by our library.
// create or retrieve stored proof key (GetProofKey is the app's own storage helper;
// the key must survive restarts because the refresh token is bound to it)
var proofKey = GetProofKey();

// Authority, redirectUri, browser and Api are the app's configuration values
var options = new OidcClientOptions
{
    Authority = Authority,
    ClientId = "native.dpop",
    RedirectUri = redirectUri,
    Scope = "openid profile api offline_access",
    Browser = browser,
};

// configure back-channel handlers for DPoP (adds DPoP proofs to token requests)
options.ConfigureDPoP(proofKey);

var oidcClient = new OidcClient(options);

// start authentication workflow (opens the platform's authentication browser)
var result = await oidcClient.LoginAsync();

// call APIs using a managed access token and DPoP
// (the handler refreshes the access token and attaches a DPoP proof per request)
var apiClient = new HttpClient(result.RefreshTokenHandler)
{
    BaseAddress = new Uri(Api)
};
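The following is an added example (not the library's own sample code) that puts the first-run / subsequent-run flow from the list above into one method. It persists the proof key and the refresh token, reuses both on later runs, and falls back to an interactive login when the stored refresh token is rejected (expired, revoked, or bound to a proof key that is no longer available). The storage paths, the `JsonWebKeys.CreateRsaJson()` helper and the `RefreshTokenDelegatingHandler` constructor shape are assumptions about the preview API, and the `https://AUTHORITY_PLACEHOLDER` values are placeholders.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.OidcClient;
using IdentityModel.OidcClient.Browser;
using IdentityModel.OidcClient.DPoP;

public static class DPoPClientSession
{
    // Assumed storage locations. On a real device use the platform's secure storage
    // (e.g. iOS Keychain / Android Keystore) for both values; plain files are used here
    // only to keep the example self-contained.
    private const string ProofKeyPath = "dpop_proof_key.jwk";
    private const string RefreshTokenPath = "refresh_token.txt";

    // First run: create a new RSA proof key and store it.
    // Subsequent runs: reuse the stored key, because the refresh token issued on the
    // first run is bound to exactly this key and is useless with any other one.
    public static string GetOrCreateProofKey()
    {
        if (File.Exists(ProofKeyPath))
            return File.ReadAllText(ProofKeyPath);

        // Assumption: the DPoP package provides a JWK generator named like this.
        var proofKey = JsonWebKeys.CreateRsaJson();
        File.WriteAllText(ProofKeyPath, proofKey);
        return proofKey;
    }

    // Returns an HttpClient whose handler manages the access token and DPoP proofs.
    public static async Task<HttpClient> CreateApiClientAsync(IBrowser browser, string redirectUri, string apiBaseAddress)
    {
        var options = new OidcClientOptions
        {
            Authority = "https://AUTHORITY_PLACEHOLDER",   // placeholder
            ClientId = "native.dpop",
            RedirectUri = redirectUri,
            Scope = "openid profile api offline_access",
            Browser = browser,
        };
        options.ConfigureDPoP(GetOrCreateProofKey());

        var oidcClient = new OidcClient(options);
        HttpMessageHandler handler;

        if (File.Exists(RefreshTokenPath))
        {
            // Subsequent run: no browser interaction, just use the stored refresh token.
            var storedRefreshToken = File.ReadAllText(RefreshTokenPath);
            var refreshResult = await oidcClient.RefreshTokenAsync(storedRefreshToken);

            if (refreshResult.IsError)
            {
                // Expired, revoked, or bound to a proof key we no longer hold:
                // discard it and go through the interactive login again.
                File.Delete(RefreshTokenPath);
                handler = await LoginInteractivelyAsync(oidcClient);
            }
            else
            {
                // With refresh token rotation the server may hand out a new token; keep the latest.
                var currentRefreshToken = refreshResult.RefreshToken ?? storedRefreshToken;
                File.WriteAllText(RefreshTokenPath, currentRefreshToken);

                // Assumption: constructor shape follows the existing (non-DPoP) handler;
                // the DPoP inner handler comes from options.ConfigureDPoP.
                handler = new RefreshTokenDelegatingHandler(
                    oidcClient, refreshResult.AccessToken, currentRefreshToken, options.RefreshTokenInnerHttpHandler);
            }
        }
        else
        {
            // First run: full authentication via the platform browser.
            handler = await LoginInteractivelyAsync(oidcClient);
        }

        return new HttpClient(handler) { BaseAddress = new Uri(apiBaseAddress) };
    }

    private static async Task<HttpMessageHandler> LoginInteractivelyAsync(OidcClient oidcClient)
    {
        var result = await oidcClient.LoginAsync();
        if (result.IsError)
            throw new InvalidOperationException($"Login failed: {result.Error}");

        // Store the refresh token so the next run can skip the browser.
        File.WriteAllText(RefreshTokenPath, result.RefreshToken);
        return result.RefreshTokenHandler;
    }
}
```

The important design point is the order of operations: the proof key is loaded (or created) before the refresh attempt, so a refresh token from an earlier run is always presented together with the key it was bound to; if that binding cannot be satisfied, the only correct recovery is a new interactive login, never a retry with a freshly generated key.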
You can find a working sample against our demo server here.
Please give it a try and give us feedback. We will release the final version in a couple of weeks.