Request CRDP Resources using DPoP-Bound JWT
For enhanced security, CRDP also supports DPoP-bound JWTs, which bind the access token to a client's private key. A token that is leaked or intercepted is therefore useless to anyone who does not also hold that key, which prevents token misuse by unauthorized parties.
Support for DPoP-bound JWTs will be available in CipherTrust Manager 2.22 and higher versions.
Prerequisites
An identity server with DPoP support.
The Enable DPoP toggle must be turned on.
A public and private key pair must be generated.
A DPoP-bound JWT from the identity server must be generated.
Generate DPoP Proof for CRDP
Generate the DPoP proof using the key pair. Ensure that the DPoP proof payload has the following claims:
Claims | Description |
---|---|
htm | (Required) The value of the HTTP method of the request to which the JWT is attached. |
htu | (Required) The target HTTP URL of the request to which the JWT is attached. |
ath | (Required) The hash of the access token. The value must be a Base64url encoded SHA-256 hash of the associated access token's value. |
Sample DPoP header:
{
  "alg": "RS256",
  "typ": "dpop+jwt"
}
Sample DPoP payload:
{
  "htm": "POST",
  "htu": "http://{crdp_url}/v1/protect",
  "ath": "c794fa6d20c64efb9adf980ae93af472a1679775862d421ffe55d4a57fad5b3e"
}
Request the CRDP server using a DPoP-bound JWT
To make API requests to CRDP using a DPoP-bound JWT, perform the following steps:
Add the DPoP-bound JWT in the Authorization header of the CRDP API request (as the Bearer token, as in the sample below).
Add the DPoP proof in the DPoP header of the same API request.
Sample curl request (each continued line ends in a space before the backslash so the shell keeps the arguments separate):
curl --location 'http://<crdp host IP>:<crdp host port>/v1/protect' \
--header 'DPoP: eyJhbGciOiJFUzI1NiIsImp3ayI6eyJjcnYiOiJQLTI1NiIsImt0eSI6IkVDIiwieCI6IjE2eTZSTUpWN3hoZWpqT1pwQVZUZDZtNElFckxOXzBYTjd0RkhvTjdSUlUiLCJ5IjoiU1UyTTZucEY4OXhlaG10N0JQR1NCOWJIRDRva2pxd2VWcndTRjItQ1M5YyJ9LCJ0eXAiOiJkcG9wK2p3dCJ9.eyJodHUiOiIxMC4wLjIuMTU6ODA5MC92MS9wcm90ZWN0IiwiaHRtIjoiUE9TVCIsImp0aSI6IjM2ZWE2OWEzLTRlMTMtNDdmMC1hNTdiLWE3MGMzOTUxZjAwYSIsImlhdCI6MTc0NDk3NDcwMSwiYXRoIjoiY05fRVQ1bmFUZVVoUmFNNlFoakVtUzRqTlF1S1VfbnlWcW9sQjVGeG9sdyJ9.xdjNpWxi5MeFSoSXR4KBAlBI-91lcG-FWch3WvwjesNGS8QS9gufkwNmuCeZJqUS5iINh1ZiE-IFn19yPF6Ytw' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3RU5FNzVvblNGQXJhS2VhV3lGSEZuQzVSVk9jbm5IeGF4dkhCelhNdGhvIn0.<token payload omitted>.hNlmDbPRs-JkBOHnxxidSGverYdrhR7b_Vq1jm4Qp2hnu14Pyz7j9FcAcZNvAjmQG9iSBEP4sgL9AcWktKwFL_3ZruVLEnsI5WS9xl4ngNX3KbwDiGUMLxiGF9uebq1VCyHdZpYNW-nRKuw1amH32j_sqGXt1ow1zKdcxy0ot0nrEmnNB3hL5LPsMnCo59hjRY2KAosDvPQ__qtu0dlWEJeph7pFzMG85MHzG47MjhjRx2r3drn1FvPE1vxwCcCPRfOToNT03CEI6fxCj4zCHn71_w83CmxhrpNwro4vLktj6OpYBbkhzrosOfjgUSkiDJy6utO0K_jQ7M5oEKBbCQ' \
--data '{
  "protection_policy_name": "pp_rn_internal",
  "data": "12345678"
}'