Alnyli07 opened a new pull request, #13165:
URL: https://github.com/apache/apisix/pull/13165

   ## Description
   
   Add `dpop` plugin for [RFC 9449 DPoP (Demonstrating Proof of 
Possession)](https://datatracker.ietf.org/doc/html/rfc9449) validation. This 
plugin enforces sender-constrained access tokens at the API gateway level, 
preventing token theft and replay attacks with zero changes to upstream 
services.
   
   Fixes https://github.com/apache/apisix/issues/11219
   
   ### Why a Separate Plugin?
   
   DPoP is a **proof-of-possession layer**, not an authentication mechanism. It 
complements existing auth plugins (`openid-connect`, `jwt-auth`, `multi-auth`) 
rather than replacing them. It runs at priority **2601** to rewrite 
`Authorization: DPoP` → `Authorization: Bearer` before downstream auth plugins 
process the token.
   
   ### Features
   
   - Full RFC 9449 DPoP proof validation (`typ`, `alg`, `htm`, `htu`, `iat`, 
`ath`, `jti`)
   - DPoP proof signature verification (ES256/384/512, RS256/384/512, 
PS256/384/512)
   - JWK Thumbprint binding (`cnf.jkt`) per RFC 7638
   - Access token signature verification via JWKS (OIDC discovery or direct URI)
   - Token introspection fallback (RFC 7662) for opaque tokens
   - Distributed JTI replay protection (memory / Redis / Infinispan, 
configurable fallback strategy)
   - Bearer downgrade detection
   - `DPoP` → `Bearer` header rewrite + `DPoP-Thumbprint` header injection
   - Selective enforcement via `uri_allow`
   - Structured audit logging with OpenTelemetry trace_id correlation
   
   A Go WASM version (proxy-wasm-go-sdk v0.24.0) is also available at 
[Keymate-io/keymate-apisix-dpop-plugin](https://github.com/Keymate-io/keymate-apisix-dpop-plugin).
   
   ### Files Changed
   
   | File | Description |
   |------|-------------|
   | `apisix/plugins/dpop.lua` | Plugin implementation (1384 LOC) |
   | `conf/config.yaml.example` | Plugin registration (priority 2601) |
   | `docs/en/latest/plugins/dpop.md` | English documentation |
   | `t/plugin/dpop.t` | 15 Test::Nginx test cases |
   
   ### Tested With
   
   - Apache APISIX 3.11.0
   - Keycloak 26.0 (any RFC 9449-compliant IdP)
   - 58 E2E checks (k6), 49 Postman requests in our upstream repo
   - Dependencies: only libraries already in APISIX (`resty.openssl`, 
`resty.http`, `resty.redis`, `resty.lrucache`)
   
   ## Checklist
   
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [x] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to