Skip to content

Add dpop signing#82

Draft
sashyo wants to merge 31 commits into
mainfrom
add-dpop-signing
Draft

Add dpop signing#82
sashyo wants to merge 31 commits into
mainfrom
add-dpop-signing

Conversation

@sashyo
Copy link
Copy Markdown
Collaborator

@sashyo sashyo commented Apr 15, 2026

No description provided.

sashyo added 30 commits April 10, 2026 17:32
@sashyo
Add delegation signing and server-side SDK packages
f570354 
- @tidecloak/js: add signDelegationRequest() to DPoPSignatureProvider
  and IAMService, signs arbitrary claims with existing DPoP key
- @tidecloak/server: new package with TideDelegation class for
  server-side delegation exchange (packRequest + exchange)
- @tidecloak/dpop-server: new package for server-side DPoP proof
  generation via TideCloak endpoint
- @tidecloak/nextjs: add optional dpop flag to token exchange config
@sashyo
Add server DPoP keypair to @tidecloak/server delegation
6493578 
TideDelegation now generates its own Ed25519 keypair, includes
cnf.jkt in packed requests, generates server DPoP proofs for
token exchange and resource requests. exchange() no longer
requires browser DPoP proof — server signs its own.
@sashyo
Add DPoP approval signing and ephemeral server keys
5ab76be 
@tidecloak/js:
- tidecloak.js: add getDpopProvider() and signDpopApproval() which
  sends postMessage to ORK enclave for session key signing
- IAMService.js: add signDpopApproval() delegating to TideCloak,
  update signDelegationRequest() to use getDpopProvider() for
  standard Keycloak adapter mode

@tidecloak/server:
- delegation.ts: rotate server DPoP key per delegation cycle
  (rotateServerKey replaces ensureServerKey), add ath claim
  to DPoP proofs per RFC 9449, fix CJS module resolution,
  add type:module to package.json, add .js extension to imports
@sashyo
Add forgetful interrupt delegation pattern
5f88fe3 
@tidecloak/js: new createTideFetch() wrapper that handles 419
delegation challenges transparently — signs delegation request
and DPoP approval, POSTs to delegation endpoint, retries
original request from scratch.

@tidecloak/server: new handleDelegation() and requireDelegation()
Express middleware. requireDelegation sends 419 with pack payload
if no cached token, handleDelegation receives browser signatures
and caches the delegation token per-user-session.
@sashyo
Fix createTideFetch auth and export
e522e2d 
- Add Authorization header to delegation POST request
- Convert relative delegation endpoint to absolute URL
- Re-export createTideFetch from package index.js
@sashyo
Add body and formData support to req.delegation.fetch
85773fb 
The delegation fetch helper now supports POST/PUT/DELETE with
JSON bodies and FormData for admin API write operations.
Handles 204 No Content and empty response bodies.
@sashyo
Fix concurrent 419 race condition in delegation key rotation
39c85ee 
packRequest() and requireDelegation() now only generate a new
server key if none exists. Concurrent 419 responses from multiple
routes reuse the same key so the browser's signatures match.
Clear server key when cached delegation token expires so the
next cycle gets a fresh key.
@sashyo
Remove @tidecloak/dpop-server package
2763c9e 
Deleted the unused dpop-server package and removed its dependency
from tidecloak-nextjs. The delegation flow uses @tidecloak/server
with the forgetful interrupt pattern instead.
@sashyo
Add scoped delegation roles to requireDelegation middleware
6f1d4b0
@sashyo
Add delegation documentation for @tidecloak/server and @tidecloak/js
0cb8381
@sashyo
Update server SDK docs and fix formatting
004a5b4
@sashyo
Switch to per-session server keys for concurrent delegation safety
5fa41c9
@sashyo
Update server SDK docs for per-session keys
b038e70
@sashyo
Add KeyStore abstraction for server key persistence (memory/db/tpm)
7a24d2a
@sashyo
Add mTLS support to TideDelegation via serverIdentity from adapter JSON
5c4e974
@sashyo
Add @tidecloak/tpm native binding scaffold for TPM 2.0 Ed25519 keys
9aaf12f
@sashyo
Wire TPM native binding into KeyStore with hardware-backed signing
1680624
@sashyo
Remove DPoP from delegation flow, use mTLS with cnf.x5t#S256 binding
5240e52
@sashyo
Add requestServerCert() to TideDelegation SDK for auto cert request o…
ef84d7f 
…n startup
@sashyo
Fix key reload: use createPublicKey from private key, not export as spki
1563fa7
@sashyo
Add vault-backed init() for mTLS key persistence via Tide Vault
2f0e86a
@sashyo
Fix TideDelegation.init() to reuse existing server.key on restart
c5583aa
@sashyo
Add serverClientId config for mTLS token exchange
bc50dfa
@sashyo
Use serverClientId for cert requests instead of public clientId
f490320
@sashyo
Merge branch 'add-dpop-signing' into add-scert-model
fdf8730
@sashyo
Merge pull request #81 from tide-foundation/add-scert-model
744cd87 
Add scert model
@sashyo
Remove unused tidecloak-dpop-server and tidecloak-tpm packages, clean…
5635935 
… up references
@sashyo
Guard cert request: require serverClientId before requesting
618b73b
@sashyo
Send client cert as header for HTTP connections in mtlsFetch
2124f86
@sashyo
Add IAMService.fetch() universal auth fetch and update server SDK docs
70db592 
- IAMService.fetch() handles Bearer, DPoP, and delegation automatically
- IAMService.setDelegationThumbprint() for one-time init
- Replaces separate secureFetch/adminFetch with single entry point
- Updated tidecloak-server README for X-Delegation-Request header flow
@sashyo
Remove vault-backed key storage, use plain file in data directory
d87b9c4 
init() now generates Ed25519 keypair and saves to data/server.key directly.
No vault encrypt/decrypt, no doken parameter, no server-key.vault blob.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sashyo