DPoP Package Updates
Today we are publishing two NuGet packages related to DPoP:
- Duende.IdentityServer 7.0.8, which addresses a low-severity security issue in our DPoP support for local APIs (CVE-2024-49755), and
- Duende.AspNetCore.Authentication.JwtBearer 0.1.3, the first preview of a new series of ASP.NET Core extensions that help you leverage advanced IdentityServer features - in this case DPoP support for APIs.
We encourage everyone using IdentityServer 7.0.0 and later to update to IdentityServer 7.0.8, but do note that most IdentityServer implementations are not affected. In this blog post, we’ll discuss the issue in more detail and the specific circumstances where this vulnerability applies, as well as show how to use the new package to implement DPoP in your ASP.NET APIs.
Nature of Vulnerability and Impact
We were recently made aware of a missing validation step in our DPoP support that would allow an attacker to use leaked DPoP access tokens at local API endpoints defined within an IdentityServer implementation, even without possessing the private key for signing proof tokens. Thank you to Jonathan Antoine for raising this issue. As always, we encourage members of the community to raise security sensitive issues with us privately by sending email to security@duendesoftware.com.
This issue only impacts custom endpoints within an IdentityServer implementation that have explicitly used the LocalAPIAuthenticationHandler for authentication, and to exploit it requires an attacker to be able to exfiltrate tokens from a client application or otherwise obtain a leaked token. It does not impact:
- OAuth or OIDC protocol endpoints defined by IdentityServer, such as the authorize and token endpoints.
- UI pages within an IdentityServer implementation, which are not authorized with the local API authentication handler.
- The use of DPoP to create sender-constrained tokens in IdentityServer that are consumed by external API resources.
- The use of DPoP to sender-constrain refresh tokens issued to public clients.
We assess this issue as low severity, with a CVSS v3.1 score of 3.1/10.
Are you affected?
The local APIs feature is used to create API endpoints within and protected by an IdentityServer host. You can check if you are using this feature by searching for calls to AddLocalAPI and AddLocalAPIAuthentication in your IdentityServer implementation.
Even if you are using the Local APIs feature, you still may not be affected because DPoP support at local APIs must be explicitly enabled via configuration. By default, local APIs have DPoP turned off. Vulnerable implementations of IdentityServer would have configuration code similar to the following:
services.AddAuthentication()
    .AddLocalAPI("local", options =>
    {
        options.TokenMode = LocalAPITokenMode.DPoPAndBearer; // or LocalAPITokenMode.DPoPOnly
    });
If you are using the default TokenMode of LocalAPITokenMode.Bearer, then you are not affected by this vulnerability.
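For reference, these are the checks that make a DPoP access token unusable by anyone who does not hold the proof key (the sender-constraint defined in RFC 9449, with the key thumbprint computed per RFC 7638), written here as an added Python illustration rather than Duende's code. It assumes both JWT signatures have already been verified by a JWT library; the keys and tokens below are constructed placeholders, and the post does not say which of these steps was missing before 7.0.8.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_part(token: str, index: int) -> dict:
    # Decodes the header (0) or claims (1) of a compact JWT without verifying it.
    return json.loads(b64url_decode(token.split(".")[index]))

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members only, lexically ordered, no whitespace.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def dpop_binding_ok(access_token: str, dpop_proof: str, method: str, url: str) -> bool:
    """Sender-constraint checks (RFC 9449); assumes both signatures were already verified."""
    jkt = jwt_part(access_token, 1).get("cnf", {}).get("jkt")
    header, proof = jwt_part(dpop_proof, 0), jwt_part(dpop_proof, 1)
    if not jkt or header.get("typ") != "dpop+jwt" or "jwk" not in header:
        return False
    if jwk_thumbprint(header["jwk"]) != jkt:  # proof key must be the key the token was bound to
        return False
    if proof.get("htm") != method or proof.get("htu") != url:  # proof must be for this request
        return False
    return proof.get("ath") == b64url(hashlib.sha256(access_token.encode()).digest())

def unsigned_demo_jwt(header: dict, claims: dict) -> str:
    # Constructed demo token; the signature segment is a placeholder and is never checked here.
    return ".".join(b64url(json.dumps(p).encode()) for p in (header, claims)) + ".placeholder-sig"

# Constructed placeholder keys (not real curve points) so the demo runs offline.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "client-x-placeholder", "y": "client-y-placeholder"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "other-x-placeholder", "y": "other-y-placeholder"}

def demo(method: str = "GET", url: str = "https://idsrv.example/localapi/data") -> tuple:
    token = unsigned_demo_jwt({"alg": "ES256"}, {"sub": "alice", "cnf": {"jkt": jwk_thumbprint(CLIENT_JWK)}})
    ath = b64url(hashlib.sha256(token.encode()).digest())
    claims = {"htm": method, "htu": url, "ath": ath}
    own_key_proof = unsigned_demo_jwt({"typ": "dpop+jwt", "alg": "ES256", "jwk": CLIENT_JWK}, claims)
    wrong_key_proof = unsigned_demo_jwt({"typ": "dpop+jwt", "alg": "ES256", "jwk": OTHER_JWK}, claims)
    return dpop_binding_ok(token, own_key_proof, method, url), dpop_binding_ok(token, wrong_key_proof, method, url)
```

demo() returns (True, False): the same leaked token is accepted only with a proof signed by the key it was bound to, which is what a DPoP-aware local API must enforce.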
What we are doing today
- Publishing IdentityServer 7.0.8, which addresses this vulnerability.
- Publishing a security advisory.
We chose not to make 7.0.8 available in advance of today’s disclosure due to the low severity of the issue. It is our policy to make medium severity security updates available privately to our customers prior to public release.
Duende Extensions to ASP.NET Core
Implementing DPoP support is not trivial and has subtle nuances based on the context in which it is used. It’s easy to get the details wrong, especially if you’re copying and pasting sample code. We want our users to be able to leverage advanced OAuth security features of IdentityServer like DPoP, and that often requires support in the applications and APIs. That’s why we’ve made past open source contributions to ASP.NET Core’s authentication handlers and why we’ve been working on a set of new tools to extend ASP.NET Core for client and API developers.
Our first release in this area is a new package that extends the AspNetCore JwtBearer authentication handler: Duende.AspNetCore.Authentication.JwtBearer. Our first release adds DPoP support to the handler. Previously, implementing DPoP in APIs required fairly extensive customization. Now, adding DPoP support is as simple as installing the NuGet package and adding one line of code:
builder.Services.ConfigureDPoPTokensForScheme("token");
A full sample is available here.
Conclusion
Again, we encourage everyone to update to IdentityServer 7.0.8. You can check your implementation for usages of the local API authentication handler, and the LocalAPITokenModes that enable DPoP, to determine if you are impacted.
We also would love to get feedback on Duende.AspNetCore.Authentication.JwtBearer! Please try it out and let us know how it works for you.
If you have further questions, please email the Duende Security team at security@duendesoftware.com.