DPoP (RFC 9449) proof-of-possession tokens

ocaml-dpop: harden RFC 9449 doc example with concrete asserts

The example previously ended in [ignore proof] (typechecks, teaches
nothing). Replaced with: alg round-trip, non-empty proof string
checks, and a thumbprint-deterministic check. Also wires
Crypto_rng_unix.use_default () so the example runs in the mdx
sandbox.

+14 -8
lib/dpop.mli
··· 21 21 22 22 {b Example} 23 23 {[ 24 + let () = Crypto_rng_unix.use_default () 25 + 24 26 (* 1. Generate a per-session key. *) 25 - let key = Dpop.generate ES256 in 27 + let key = Dpop.generate Dpop.ES256 26 28 27 29 (* 2. Attach a proof to every token/resource request. *) 28 - let proof = 30 + let token_proof = 29 31 Dpop.proof key ~htm:"POST" ~htu:"https://as.example.com/token" () 30 - in 31 - let headers = [ ("DPoP", proof) ] in 32 32 33 33 (* 3. On resource requests, bind the proof to the access token. *) 34 - let ath = Dpop.access_token_hash "gho_abc..." in 35 - let proof = 34 + let ath = Dpop.access_token_hash "gho_abc..." 35 + 36 + let resource_proof = 36 37 Dpop.proof key ~htm:"GET" ~htu:"https://api.example.com/me" ~ath () 37 - in 38 - ignore proof 38 + 39 + (* The thumbprint is deterministic for a given key. *) 40 + let () = 41 + assert (Dpop.alg key = Dpop.ES256); 42 + assert (String.length token_proof > 0); 43 + assert (String.length resource_proof > 0); 44 + assert (Dpop.thumbprint key = Dpop.thumbprint key) 39 45 ]} *) 40 46 41 47 (** {1 Keys and algorithms} *)
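Review bot: the final assert block in the lib/dpop.mli example checks very little of what the example is meant to teach. `assert (Dpop.thumbprint key = Dpop.thumbprint key)` compares a value with itself on the same key, so it passes for any pure function, and the two `String.length ... > 0` checks do not show that `resource_proof` is actually bound to `ath` or to its `~htm`/`~htu`. If the module exposes a way to decode or verify a proof, asserting on the decoded claims would make the example demonstrate the binding; otherwise at least assert that `token_proof <> resource_proof`. The comment `(* The thumbprint is deterministic for a given key. *)` now sits above all four asserts and should be reworded or moved to the last one. Two smaller documentation points: the removed `let headers = [ ("DPoP", proof) ]` line was the only place the example showed where the proof goes, so step 2's comment ("Attach a proof to every token/resource request") no longer has code behind it, and the new `Crypto_rng_unix.use_default ()` line deserves a short comment saying the RNG must be initialised before `Dpop.generate`, since readers will copy the example as written.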