DPoP Handshake with Inrupt Identity Server Fails When Connecting to Solid Pods

[grootstebozewolf]

Title: DPoP Handshake with Inrupt Identity Server Fails When Connecting to Solid Pods

Environment:

• Duende AccesTokenManagement 3.2.0
• Solid Pods hosted by Inrupt

Description:
I'm using the Duende IdentityManagement Client to obtain an access token from Inrupt’s Identity Server with DPoP enabled. The access token is successfully retrieved; however, when I add the DPoP signature for the handshake with Inrupt’s Solid Pods, the token gets rejected.

For context, DPoP (Demonstration of Proof-of-Possession) is a security mechanism that binds an access token to the client by including a JSON Web Key (JWK) and several claims (e.g., HTTP method, URL, issued-at timestamp, unique identifier) in a JWT. If any of these elements (or the signing process) are misconfigured, the proof token may not be accepted.

Reproduction Steps:

1. Request an access token from Inrupt’s Identity Server using the Duende IdentityManagement Client with DPoP enabled.
2. Attach the DPoP signature to the token and use it in a request to a Solid Pod.
3. The Solid Pod rejects the token.

Expected Behavior:
The Solid Pod should accept the token, indicating a successful DPoP handshake with a correctly generated DPoP proof.

Logs:
No detailed error logs are available—the failure is observed as the token being rejected. When using the same client code configured to local IDP and API as in this example, it works correctly.

Additional Context:

• The DPoP JWT must include the correct header (with the appropriate signing algorithm and the public part of the JWK) and payload (including claims like htm, htu, iat, and jti).
• Common issues include mismatches between the JWK used for signing and the server’s expectations, incorrect claim values (e.g., an out-of-sync iat), or problems with the signing algorithm.

Questions:

1. What are the essential elements in the DPoP JWT (both header and payload) required for a successful handshake with Inrupt’s Solid Pods?
2. Are there any known configuration adjustments within the Duende IdentityManagement Client that might affect generating a compliant DPoP proof when using Inrupt’s Identity Server?
3. Which tools or methods are recommended for validating the structure and claim values of my DPoP JWK and JWT token?

[RolandGuijt]

We don't have experience with Inrupt Solid Pods. But we can see if we can help if more details are provided.
Can you please provide

• The code you use to request the token and attach the token
• The tokens themselves which are received from the idp and sent to the API.
• The exact error message: You mention there are no detailed logs available, can you somehow obtain them?