fix: DPoP should only include the path

[mkleene]

Our implementation of DPoP uses only the path component of the HTTPS request.
This was due to implementing DPoP for GRPC, which has a murkier relationship with HTTP than
connect does.

This will bring the Java SDK into line with the rest of the SDKs and the server but it might
be better to change the server so that we accept DPoP tokens that only specify paths so that
we are more in line with the spec.

[gemini-code-assist]

Summary of Changes

Hello @mkleene, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a compliance issue in the DPoP (Demonstrating Proof-of-Possession) token generation by ensuring that the 'htu' (HTTP URI) claim within the DPoP proof contains only the path component of the requested URI, rather than the full URL. This change enhances the security and correctness of DPoP-bound access tokens. Additionally, it refactors the DPoP proof factory instantiation for better performance and includes a new test to validate the fix.

Highlights

• DPoP URI Path Correction: The DPoP proof generation now correctly includes only the path component of the URI in the 'htu' claim, aligning with DPoP specifications and enhancing security.
• DPoP Proof Factory Optimization: The 'DefaultDPoPProofFactory' is now instantiated once in the 'TokenSource' constructor and reused across requests, improving efficiency by avoiding repeated object creation.
• New Test Case: A dedicated unit test has been added to 'TokenSourceTest' to specifically verify that the DPoP proof's 'htu' claim contains only the URI path, ensuring the fix works as intended.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request refactors DPoP proof generation to improve efficiency by creating the DPoPProofFactory only once. It also changes the DPoP proof to only include the URL path, which is validated by a new test. While the refactoring is a good improvement, I've found a critical bug in the new implementation where URLs with special characters in the path would cause an exception. I've also noted a minor formatting issue in the new test file. Addressing the critical issue is important for the robustness of this fix.

[sonarqubecloud]

Quality Gate failed

Failed conditions
7 Security Hotspots
60.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube Cloud

[mkleene]

/gemini review

[gemini-code-assist]

Code Review

This pull request refactors the DPoP proof generation to be more efficient by creating the DPoPProofFactory only once. It also modifies the htu claim in the DPoP proof to only include the request URI's path, and adds a unit test to confirm this behavior. While the refactoring is a good improvement, the change to the htu claim may not be fully compliant with RFC 9449, which could lead to interoperability issues. I've added a specific comment regarding this potential standards compliance issue.

[gemini-code-assist]

Using just the path for the htu (HTTP URI) claim in the DPoP proof might not be compliant with RFC 9449. Section 4.2 of the RFC specifies that the htu claim MUST be an absolute URI for requests over TLS.

The htu value MUST be an absolute URI, as defined in Section 4.3 of [RFC3986], unless the HTTP request is to a resource at an origin that is not deployed with a TLS server certificate, in which case the htu value MUST be a relative URI...

This implementation unconditionally uses a relative URI (the path), which is only valid for non-TLS requests according to the standard. While this may be necessary for a specific server implementation, it could cause DPoP validation to fail with other servers that strictly adhere to the RFC when using TLS.

If this change is intentional to support a specific backend, it would be good to document this behavior. Otherwise, you might consider making this logic conditional on the URL's protocol (e.g., http vs. https).

[ttschampel]

Ditto this, add a comment that this describes why we diverge from the RFC here

[ttschampel]

Add comment stating that we are diverging from the Spec