Skip to main content

Crate turbomcp_dpop

Crate turbomcp_dpop 

Source
Expand description

§TurboMCP DPoP - RFC 9449 Implementation

DPoP (Demonstrating Proof-of-Possession) implementation for OAuth 2.0 as specified in RFC 9449. DPoP binds access tokens to cryptographic key pairs, preventing token theft and replay attacks.

§Core Features

  • RFC 9449 Compliance - Full specification implementation
  • Cryptographic Security - ES256 (ECDSA P-256) only for maximum security
  • Token Binding - Prevents stolen token usage
  • Replay Protection - Nonce tracking and timestamp validation
  • Production Features - HSM integration, audit logging, key rotation

§Security Notice

TurboMCP v3.0+ removes RSA algorithm support (RS256, PS256) to eliminate timing attack vulnerabilities (RUSTSEC-2023-0071). Only ES256 (ECDSA P-256) is supported. ES256 provides superior security, faster performance, and smaller key sizes.

§Architecture

  • errors - DPoP-specific error types
  • types - Core DPoP types (algorithms, key pairs, proofs)
  • keys - Key management and rotation
  • proof - Proof generation and validation
  • redis_storage - Redis backend (feature-gated: redis-storage)
  • hsm - Hardware Security Module support (feature-gated)
    • hsm::pkcs11 - PKCS#11 HSM integration (feature: hsm-pkcs11)
    • hsm::yubihsm - YubiHSM integration (feature: hsm-yubico)

§Feature Flags

  • default - Core DPoP functionality (no optional features)
  • redis-storage - Redis storage backend for nonce tracking
  • hsm-pkcs11 - PKCS#11 HSM support
  • hsm-yubico - YubiHSM support
  • hsm - Enable all HSM backends
  • test-utils - Test utilities for DPoP testing

Re-exports§

pub use helpers::DpopProofParams;
pub use helpers::DpopProofParamsBuilder;
pub use helpers::DpopValidator;
pub use helpers::ValidatedDpopClaims;
pub use errors::*;
pub use keys::*;
pub use proof::*;
pub use types::*;

Modules§

errors
DPoP error types and conversions
helpers
Helper functions for jsonwebtoken integration
hsm
Hardware Security Module (HSM) integration for DPoP key management
keys
DPoP key management and cryptographic operations
proof
DPoP proof generation and validation
redis_storage
Redis-based storage for DPoP nonce tracking
test_utils
Test utilities for DPoP implementation
types
Core DPoP types and data structures

Constants§

DEFAULT_CLOCK_SKEW_SECONDS
Default clock skew tolerance for DPoP proof validation (60 seconds).
DEFAULT_PROOF_LIFETIME_SECONDS
Default proof lifetime (60 seconds)
DPOP_JWT_TYPE
DPoP JWT header type as defined in RFC 9449
MAX_CLOCK_SKEW_SECONDS
Hard cap on clock skew accepted for DPoP proofs.
MAX_PROOF_LIFETIME_SECONDS
Maximum proof lifetime (5 minutes)

Type Aliases§

Result
DPoP result type