This is the first stable release of Duende.AspNetCore.Authentication.JwtBearer, a package that provides DPoP (Demonstrating Proof of Possession) support for ASP.NET Core APIs.
Features & Improvements
- Validates DPoP proof tokens and verifies their binding to DPoP access tokens.
- Extends Microsoft.AspNetCore.Authentication.JwtBearer for compatibility with its configurations and extensions.
- Validation of client-supplied iat (issued at) timestamps to limit the possible time window of replay attacks.
- Optional cache-based replay detection to further defend against replay attacks.
- Support for issuing and validating nonce values to defend against pre-generation attacks.
- Configurable DPoP enforcement modes (required or optional with bearer fallback).
- Configurable allowed signing algorithms for DPoP proof tokens.
- HybridCache for replay detection - Replaced IDistributedCache with HybridCache for improved replay attack detection (#2299)
API Improvements and changes from preview releases
- Renamed DPoP expiration mode for clarity - DPoPProofExpirationMode naming improved based on community feedback (#2337)
- Simplified DPoP optional mode - Easier configuration when DPoP should be optional (#2300)