DPoP add-on has not been implemented properly

[csc-jm]

We utilize the RPHandler from this library for a project and recently needed to add DPoP mechanism to the authorization flow. I attempted to configure it as shown here: https://github.com/IdentityPython/idpy-oidc/blob/main/demo/oauth2_add_on_dpop.py

However, the OIDC client with DPoP enabled wasn't receiving the DPoP nonce nor header as described in RFC 9449 from the RPHandler.finalize() call. After some investigation, I came to the conclusion that the DPoP add-on from this library might be lacking functionality a bit.

[rohe]

This will probably only confuse things but I thought you should know anyway.

I have a branch 'issuer_metadata' where RPHandler has been removed. The multiple issuer problem is instead handled by a client having one of more contexts structs.

Your issue made me realize that I hadn't verified that all the demo scripts work.
I will do that during the coming days.

I did oauth2_add_on_dpop.py today and now it seems to work.

[rohe]

Eventually my branch will be folded into the master branch but it will take a while.

[csc-jm]

Ok, interesting. So the RPHandler class and its functionality from idpyoidc.client.rp_handler will be replaced by this new RP class?
https://github.com/IdentityPython/idpy-oidc/blob/issuer_metadata/src/idpyoidc/client/oidc/rp.py

[rohe]

Conceptually what has happened is that instead of having an entity that spawns clients the client itself manages the connection to the servers it talks to.
In the code this is expressed by the context attribute being a dictionary instead of a singleton.
The keys in the dictionary are the servers entity_id/issuer_id.
The base class for a client entity is the Entity class in
entity-py
Which means you probably should use the RP class, since you are used to RPHandler.