
Add dpop authentication to oauth2 golang#1

Closed
efd6 wants to merge 4 commits into master from cursor/add-dpop-authentication-to-oauth2-golang-0adb

Conversation

@efd6
Owner

@efd6 efd6 commented Oct 28, 2025

Enhancement

What does this PR do?

This PR introduces a new Go package libbeat/common/dpopoauth2 to integrate DPoP (Demonstrating Proof-of-Possession) authentication into standard OAuth2.0 flows using golang.org/x/oauth2.

Key components include:

  • ProofGenerator: Handles the creation of DPoP proofs (JWTs containing jwk, htm, htu, iat, jti, and optionally nonce and ath claims).
  • TokenTransport: An http.RoundTripper for the OAuth2 token endpoint, which adds the DPoP header and implements a retry mechanism for DPoP-Nonce challenges.
  • Transport: An http.RoundTripper for protected resource access, which wraps an oauth2.TokenSource, sets the Authorization: DPoP <access_token> header, includes the DPoP proof (with ath), and handles DPoP-Nonce retries.
  • Helper functions: NewTokenClient, NewResourceClient for easy client construction, and GenerateECDSAP256Key, GenerateRSAPrivateKey for key generation.

Why is it important?

This package enables the use of DPoP with OAuth2.0, providing enhanced security by binding access tokens to a cryptographic key held by the client. This prevents token replay attacks and ensures that only the legitimate client can use the token. This is specifically intended to add DPoP authentication capabilities to the x-pack/filebeat/input/cel package.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • [ ]

How to test this PR locally

To test this PR, you can integrate the new dpopoauth2 package into an application that uses golang.org/x/oauth2.

  1. Generate a private key:

    privateKey, err := dpopoauth2.GenerateECDSAP256Key() // or GenerateRSAPrivateKey(2048)
    if err != nil { /* handle error */ }
  2. For token acquisition (e.g., code exchange, client credentials grant):

    tokenHTTPClient, err := dpopoauth2.NewTokenClient(ctx, privateKey, nil)
    if err != nil { /* handle error */ }
    ctx = context.WithValue(ctx, oauth2.HTTPClient, tokenHTTPClient)
    
    // Then, use oauth2.Config or clientcredentials.Config as usual
    // e.g., config.Exchange(ctx, "your_code") or clientcredentials.TokenSource(ctx, config).Token()
  3. For protected resource access:

    // Assuming you have an oauth2.TokenSource (e.g., from config.TokenSource(ctx, token))
    tokenSource := config.TokenSource(ctx, &oauth2.Token{AccessToken: "your_access_token", TokenType: "DPoP"})
    
    resourceClient, err := dpopoauth2.NewResourceClient(ctx, privateKey, tokenSource, nil)
    if err != nil { /* handle error */ }
    
    // Use resourceClient to make requests to protected APIs
    // resp, err := resourceClient.Get("https://api.example.com/protected")

The included unit tests (proof_test.go) also demonstrate the expected behavior of proof generation, resource header setting, and nonce-based retries.

Related issues

Use cases

  • Secure OAuth2.0 client for token acquisition: A client can use dpopoauth2.NewTokenClient to ensure that its requests to the OAuth2 token endpoint are DPoP-protected, preventing malicious actors from replaying token requests.
  • Sender-constrained access to protected resources: After obtaining a DPoP-bound access token, the client can use dpopoauth2.NewResourceClient to make requests to protected APIs. The DPoP proof included in these requests cryptographically links the access token to the client's private key, ensuring only the token-possessing client can use it.
  • Integration with x-pack/filebeat/input/cel: This package provides the necessary building blocks for the cel input to securely authenticate with DPoP-enabled OAuth2.0 providers.

Screenshots

Logs


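The proof format the description lists (a JWT carrying the client's public key as jwk in its header and htm, htu, iat, jti, optionally nonce and ath in its claims, sent in the DPoP header next to Authorization: DPoP <access_token>) can be followed end to end in the example below. It is added here for illustration and is not the PR's dpopoauth2 package nor any libbeat code: it uses only the Go standard library (neither golang.org/x/oauth2 nor golang-jwt), and the type names, the sample token value and the URL are constructed. Beyond generating a proof, it shows the checks a resource server runs when it receives one, which is where the key binding described under "Why is it important?" is actually enforced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Stand-alone illustration of DPoP proofs (RFC 9449) on the standard library only; not the PR's dpopoauth2 package.
var b64 = base64.RawURLEncoding

type header struct {
	Typ string            `json:"typ"`
	Alg string            `json:"alg"`
	JWK map[string]string `json:"jwk"`
}

// Claims is the claim set the PR description lists for a proof.
type Claims struct {
	HTM   string `json:"htm"`
	HTU   string `json:"htu"`
	IAT   int64  `json:"iat"`
	JTI   string `json:"jti"`
	Nonce string `json:"nonce,omitempty"`
	ATH   string `json:"ath,omitempty"`
}

// pad32 left-pads an integer to P-256's 32-byte width, as JWS ES256 requires for r||s and for x, y.
func pad32(b []byte) []byte { out := make([]byte, 32); copy(out[32-len(b):], b); return out }

// AccessTokenHash is the ath claim: base64url(SHA-256(access token)).
func AccessTokenHash(token string) string { s := sha256.Sum256([]byte(token)); return b64.EncodeToString(s[:]) }

// NewProof signs one proof for one request. accessToken is "" at the token endpoint (no ath) and the bound token for resource requests; nonce is the last DPoP-Nonce the server sent, or "".
func NewProof(key *ecdsa.PrivateKey, method, url, nonce, accessToken string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand never fails (guaranteed since Go 1.24); a fresh jti lets the server detect replay
	c := Claims{HTM: method, HTU: url, IAT: now.Unix(), JTI: b64.EncodeToString(jti), Nonce: nonce}
	if accessToken != "" {
		c.ATH = AccessTokenHash(accessToken)
	}
	pub := &key.PublicKey
	h, _ := json.Marshal(header{Typ: "dpop+jwt", Alg: "ES256", JWK: map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(pad32(pub.X.Bytes())), "y": b64.EncodeToString(pad32(pub.Y.Bytes()))}})
	p, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(append(pad32(r.Bytes()), pad32(s.Bytes())...)), nil
}

// VerifyProof is the resource-server side: signature against the key embedded in the proof, htm/htu against the
// request actually received, ath against the presented token, iat freshness. Callers must also reject a reused jti.
func VerifyProof(proof, method, url, accessToken string, now time.Time, maxSkew time.Duration) (*Claims, error) {
	h64, rest, _ := strings.Cut(proof, ".")
	p64, s64, ok := strings.Cut(rest, ".")
	hb, errH := b64.DecodeString(h64)
	pb, errP := b64.DecodeString(p64)
	sig, errS := b64.DecodeString(s64)
	h, c := header{}, Claims{}
	if !ok || strings.Contains(s64, ".") || errH != nil || errP != nil || errS != nil || len(sig) != 64 ||
		json.Unmarshal(hb, &h) != nil || json.Unmarshal(pb, &c) != nil {
		return nil, fmt.Errorf("dpop: malformed proof")
	}
	xb, errX := b64.DecodeString(h.JWK["x"])
	yb, errY := b64.DecodeString(h.JWK["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(h64 + "." + p64))
	switch {
	case h.Typ != "dpop+jwt" || h.Alg != "ES256" || h.JWK["kty"] != "EC" || h.JWK["crv"] != "P-256" || errX != nil || errY != nil:
		return nil, fmt.Errorf("dpop: unsupported or malformed header")
	case !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])):
		return nil, fmt.Errorf("dpop: invalid signature")
	case c.HTM != method || c.HTU != url:
		return nil, fmt.Errorf("dpop: proof was made for a different request")
	case accessToken != "" && c.ATH != AccessTokenHash(accessToken):
		return nil, fmt.Errorf("dpop: ath does not match the presented token")
	case now.Sub(time.Unix(c.IAT, 0)).Abs() > maxSkew || c.JTI == "":
		return nil, fmt.Errorf("dpop: iat outside the accepted window or jti missing")
	}
	return &c, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token := "constructed-sample-access-token" // constructed value, not a real token
	proof, _ := NewProof(key, "GET", "https://api.example.com/protected", "", token, time.Now())
	_, err := VerifyProof(proof, "GET", "https://api.example.com/protected", token, time.Now(), time.Minute)
	fmt.Println("proof accepted:", err == nil)
}
```

When a server answers with a DPoP-Nonce header, the client calls NewProof again with that value and resends; that is the retry the PR's TokenTransport and Transport perform. Two checks a production verifier needs are left out for brevity: comparing the RFC 7638 thumbprint of the proof's jwk with the cnf.jkt the authorization server put into the access token, and a replay cache that rejects a jti already accepted within the iat window.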

Implement DPoP support for OAuth2 clients.

Co-authored-by: robert.kortschak <robert.kortschak@elastic.co>
@cursor

cursor bot commented Oct 28, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.

cursoragent and others added 3 commits October 28, 2025 04:29
Co-authored-by: robert.kortschak <robert.kortschak@elastic.co>
Co-authored-by: robert.kortschak <robert.kortschak@elastic.co>
This commit updates the DPoP implementation to use the `golang-jwt/jwt/v5` library for signing JWTs. This simplifies the code by delegating the signing logic to the library, removing the need for custom signing functions. The `go.mod` and `go.sum` files have been updated to reflect the new dependency.

Co-authored-by: robert.kortschak <robert.kortschak@elastic.co>
@efd6 efd6 closed this Oct 29, 2025