Deprecate query & fragment in DPoP proof htu claim (#3879)

* Properly validate JWK `htu` claim by enforcing URL without query or fragment

* type fix

* Return DPoP validation result from `authenticateRequest`

* Log clients using invalid "htu" claim in DPoP proof

* review comments

* fix lint

* tidy

* rename dpop result to dpop proof

.changeset/metal-oranges-sing.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": minor
+---
+
+Improve validation of DPoP proofs

.changeset/nasty-knives-kick.md

@@ -0,0 +1,5 @@
+---
+"@atproto/jwk": minor
+---
+
+Properly validate JWK `htu` claim by enforcing URL without query or fragment

.changeset/sweet-ways-allow.md

@@ -0,0 +1,5 @@
+---
+"@atproto/pds": patch
+---
+
+Log clients using invalid "htu" claim in DPoP proof

.changeset/weak-cycles-speak.md

@@ -0,0 +1,5 @@
+---
+"@atproto/oauth-provider": patch
+---
+
+Return DPoP validation result from `authenticateRequest`

package.json

@@ -54,7 +54,7 @@
     "prettier": "^3.2.5",
     "prettier-config-standard": "^7.0.0",
     "prettier-plugin-tailwindcss": "^0.6.11",
-    "typescript": "^5.8.2"
+    "typescript": "^5.8.3"
   },
   "workspaces": {
     "packages": [

packages/oauth/jwk/src/jwt.ts

@@ -61,6 +61,50 @@ export const jwtHeaderSchema = z
 
 export type JwtHeader = z.infer<typeof jwtHeaderSchema>
 
+/**
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2-4.6}
+ * @see {@link https://www.rfc-editor.org/rfc/rfc9110#section-7.1}
+ */
+export const htuSchema = z.string().superRefine((value, ctx) => {
+  try {
+    const url = new URL(value)
+    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'Only http: and https: protocols are allowed',
+      })
+    }
+
+    if (url.username || url.password) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'Credentials not allowed',
+      })
+    }
+
+    if (url.search) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'Query string not allowed',
+      })
+    }
+
+    if (url.hash) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'Fragment not allowed',
+      })
+    }
+  } catch (err) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.invalid_string,
+      validation: 'url',
+    })
+  }
+
+  return value
+})
+
 // https://www.iana.org/assignments/jwt/jwt.xhtml
 export const jwtPayloadSchema = z
   .object({
@@ -72,7 +116,7 @@ export const jwtPayloadSchema = z
     iat: z.number().int().optional(),
     jti: z.string().optional(),
     htm: z.string().optional(),
-    htu: z.string().optional(),
+    htu: htuSchema.optional(),
     ath: z.string().optional(),
     acr: z.string().optional(),
     azp: z.string().optional(),

packages/oauth/oauth-provider/src/dpop/dpop-manager.ts

@@ -1,15 +1,18 @@
 import { createHash } from 'node:crypto'
 import { EmbeddedJWK, calculateJwkThumbprint, errors, jwtVerify } from 'jose'
 import { z } from 'zod'
+import { ValidationError } from '@atproto/jwk'
 import { DPOP_NONCE_MAX_AGE } from '../constants.js'
 import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
 import { UseDpopNonceError } from '../errors/use-dpop-nonce-error.js'
+import { ifURL } from '../lib/util/cast.js'
 import {
   DpopNonce,
   DpopSecret,
   dpopSecretSchema,
   rotationIntervalSchema,
 } from './dpop-nonce.js'
+import { DpopProof } from './dpop-proof.js'
 
 const { JOSEError } = errors
 
@@ -47,111 +50,163 @@ export class DpopManager {
    * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}
    */
   async checkProof(
-    proof: unknown,
+    httpMethod: string,
-    htm: string, // HTTP Method
+    httpUrl: Readonly<URL>,
-    htu: string | URL, // HTTP URL
+    httpHeaders: Record<string, undefined | string | string[]>,
-    accessToken?: string, // Access Token
+    accessToken?: string,
-  ) {
+  ): Promise<null | DpopProof> {
-    if (Array.isArray(proof) && proof.length === 1) {
+    // Fool proofing against use of empty string
-      proof = proof[0]
+    if (!httpMethod) {
+      throw new TypeError('HTTP method is required')
     }
 
-    if (!proof || typeof proof !== 'string') {
+    const proof = extractProof(httpHeaders)
-      throw new InvalidDpopProofError('DPoP proof required')
+    if (!proof) return null
-    }
 
-    const { protectedHeader, payload } = await jwtVerify<{
+    const { protectedHeader, payload } = await jwtVerify(proof, EmbeddedJWK, {
-      iat: number
-      jti: string
-    }>(proof, EmbeddedJWK, {
       typ: 'dpop+jwt',
-      maxTokenAge: 10,
+      maxTokenAge: 10, // Will ensure presence & validity of "iat" claim
       clockTolerance: DPOP_NONCE_MAX_AGE / 1e3,
-      requiredClaims: ['iat', 'jti'],
     }).catch((err) => {
-      const message =
+      throw newInvalidDpopProofError('Failed to verify DPoP proof', err)
-        err instanceof JOSEError
-          ? `Invalid DPoP proof (${err.message})`
-          : 'Invalid DPoP proof'
-      throw new InvalidDpopProofError(message, err)
     })
 
-    if (!payload.jti || typeof payload.jti !== 'string') {
+    // @NOTE For legacy & backwards compatibility reason, we cannot use
-      throw new InvalidDpopProofError('Invalid or missing jti property')
+    // `jwtPayloadSchema` here as it will reject DPoP proofs containing a query
+    // or fragment component in the "htu" claim.
+
+    // const { ath, htm, htu, jti, nonce } = await jwtPayloadSchema
+    //   .parseAsync(payload)
+    //   .catch((err) => {
+    //     throw buildInvalidDpopProofError('Invalid DPoP proof', err)
+    //   })
+
+    // @TODO Uncomment previous lines (and remove redundant checks bellow) once
+    // we decide to drop legacy support.
+    const { ath, htm, htu, jti, nonce } = payload
+
+    if (nonce !== undefined && typeof nonce !== 'string') {
+      throw newInvalidDpopProofError('Invalid DPoP "nonce" type')
+    }
+
+    if (!jti || typeof jti !== 'string') {
+      throw newInvalidDpopProofError('DPoP "jti" missing')
     }
 
     // Note rfc9110#section-9.1 states that the method name is case-sensitive
-    if (!htm || htm !== payload['htm']) {
+    if (!htm || htm !== httpMethod) {
-      throw new InvalidDpopProofError('DPoP htm mismatch')
+      throw newInvalidDpopProofError('DPoP "htm" mismatch')
     }
 
-    if (
+    if (!htu || typeof htu !== 'string') {
-      payload['nonce'] !== undefined &&
+      throw newInvalidDpopProofError('Invalid DPoP "htu" type')
-      typeof payload['nonce'] !== 'string'
-    ) {
-      throw new InvalidDpopProofError('DPoP nonce must be a string')
     }
 
-    if (!payload['nonce'] && this.dpopNonce) {
+    // > To reduce the likelihood of false negatives, servers SHOULD employ
+    // > syntax-based normalization (Section 6.2.2 of [RFC3986]) and
+    // > scheme-based normalization (Section 6.2.3 of [RFC3986]) before
+    // > comparing the htu claim.
+    //
+    // RFC9449 section 4.3. Checking DPoP Proofs - https://datatracker.ietf.org/doc/html/rfc9449#section-4.3
+    if (!htu || parseHtu(htu) !== normalizeHtuUrl(httpUrl)) {
+      throw newInvalidDpopProofError('DPoP "htu" mismatch')
+    }
+
+    if (!nonce && this.dpopNonce) {
       throw new UseDpopNonceError()
     }
 
-    if (payload['nonce'] && !this.dpopNonce?.check(payload['nonce'])) {
+    if (nonce && !this.dpopNonce?.check(nonce)) {
-      throw new UseDpopNonceError('DPoP nonce mismatch')
+      throw new UseDpopNonceError('DPoP "nonce" mismatch')
-    }
-
-    const htuNorm = normalizeHtu(htu)
-    if (!htuNorm) {
-      throw new TypeError('Invalid "htu" argument')
-    }
-
-    if (htuNorm !== normalizeHtu(payload['htu'])) {
-      throw new InvalidDpopProofError('DPoP htu mismatch')
     }
 
     if (accessToken) {
-      const athBuffer = createHash('sha256').update(accessToken).digest()
+      const accessTokenHash = createHash('sha256').update(accessToken).digest()
-      if (payload['ath'] !== athBuffer.toString('base64url')) {
+      if (ath !== accessTokenHash.toString('base64url')) {
-        throw new InvalidDpopProofError('DPoP ath mismatch')
+        throw newInvalidDpopProofError('DPoP "ath" mismatch')
       }
-    } else if (payload['ath']) {
+    } else if (ath !== undefined) {
-      throw new InvalidDpopProofError('DPoP ath not allowed')
+      throw newInvalidDpopProofError('DPoP "ath" claim not allowed')
     }
 
-    try {
+    // @NOTE we can assert there is a jwk because the jwtVerify used the
-      return {
+    // EmbeddedJWK key getter mechanism.
-        protectedHeader,
+    const jwk = protectedHeader.jwk!
-        payload,
+    const jkt = await calculateJwkThumbprint(jwk, 'sha256').catch((err) => {
-        jkt: await calculateJwkThumbprint(protectedHeader['jwk']!, 'sha256'), // EmbeddedJWK
+      throw newInvalidDpopProofError('Failed to calculate jkt', err)
-      }
+    })
-    } catch (err) {
+
-      const message =
+    return { jti, jkt, htm, htu }
-        err instanceof JOSEError ? err.message : 'Failed to calculate jkt'
+  }
-      throw new InvalidDpopProofError(message, err)
+}
-    }
+
+function extractProof(
+  httpHeaders: Record<string, undefined | string | string[]>,
+): string | null {
+  const dpopHeader = httpHeaders['dpop']
+  switch (typeof dpopHeader) {
+    case 'string':
+      if (dpopHeader) return dpopHeader
+      throw newInvalidDpopProofError('DPoP header cannot be empty')
+    case 'object':
+      // @NOTE the "0" case should never happen a node.js HTTP server will only
+      // return an array if the header is set multiple times.
+      if (dpopHeader.length === 1 && dpopHeader[0]) return dpopHeader[0]!
+      throw newInvalidDpopProofError('DPoP header must contain a single proof')
+    default:
+      return null
   }
 }
 
 /**
- * @note
+ * Constructs the HTTP URI (htu) claim as defined in RFC9449.
- * > The htu claim matches the HTTP URI value for the HTTP request in which the
- * > JWT was received, ignoring any query and fragment parts.
  *
- * > To reduce the likelihood of false negatives, servers SHOULD employ
+ * The htu claim is the normalized URL of the HTTP request, excluding the query
- * > syntax-based normalization (Section 6.2.2 of [RFC3986]) and scheme-based
+ * string and fragment. This function ensures that the URL is normalized by
- * > normalization (Section 6.2.3 of [RFC3986]) before comparing the htu claim.
+ * removing the search and hash components, as well as by using an URL object to
- * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3 | RFC9449 section 4.3. Checking DPoP Proofs}
+ * simplify the pathname (e.g. removing dot segments).
+ *
+ * @returns The normalized URL as a string.
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc9449#section-4.3}
  */
-function normalizeHtu(htu: unknown): string | null {
+function normalizeHtuUrl(url: Readonly<URL>): string {
-  // Optimization
+  // NodeJS's `URL` normalizes the pathname, so we can just use that.
-  if (!htu) return null
+  return url.origin + url.pathname
-
+}
-  try {
+
-    const url = new URL(String(htu))
+function parseHtu(htu: string): string {
-    url.hash = ''
+  const url = ifURL(htu)
-    url.search = ''
+  if (!url) {
-    return url.href
+    throw newInvalidDpopProofError('DPoP "htu" is not a valid URL')
-  } catch {
+  }
-    return null
+
-  }
+  // @NOTE the checks bellow can be removed once once jwtPayloadSchema is used
+  // to validate the DPoP proof payload as it already performs these checks
+  // (though the htuSchema).
+
+  if (url.password || url.username) {
+    throw newInvalidDpopProofError('DPoP "htu" must not contain credentials')
+  }
+
+  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+    throw newInvalidDpopProofError('DPoP "htu" must be http or https')
+  }
+
+  // @NOTE For legacy & backwards compatibility reason, we allow a query and
+  // fragment in the DPoP proof's htu. This is not a standard behavior as the
+  // htu is not supposed to contain query or fragment.
+
+  // NodeJS's `URL` normalizes the pathname.
+  return normalizeHtuUrl(url)
+}
+
+function newInvalidDpopProofError(
+  title: string,
+  err?: unknown,
+): InvalidDpopProofError {
+  const msg =
+    err instanceof JOSEError || err instanceof ValidationError
+      ? `${title}: ${err.message}`
+      : title
+  return new InvalidDpopProofError(msg, err)
 }

packages/oauth/oauth-provider/src/dpop/dpop-proof.ts

@@ -0,0 +1,6 @@
+export type DpopProof = {
+  jti: string
+  jkt: string
+  htm: string
+  htu: string
+}

packages/oauth/oauth-provider/src/lib/util/authorization-header.ts

@@ -11,8 +11,8 @@ export const authorizationHeaderSchema = z.tuple([
   oauthAccessTokenSchema,
 ])
 
-export const parseAuthorizationHeader = (header?: string) => {
+export const parseAuthorizationHeader = (header: unknown) => {
-  if (header == null) {
+  if (typeof header !== 'string') {
     throw new WWWAuthenticateError(
       'invalid_request',
       'Authorization header required',

packages/oauth/oauth-provider/src/lib/util/cast.ts

@@ -2,3 +2,17 @@ export function asArray<T>(value: T | T[]): T[] {
   if (value == null) return []
   return Array.isArray(value) ? value : [value]
 }
+
+export function asURL(value: string | { toString: () => string }): URL {
+  return new URL(value)
+}
+
+export function ifURL(
+  value: string | { toString: () => string },
+): URL | undefined {
+  try {
+    return asURL(value)
+  } catch {
+    return undefined
+  }
+}

packages/oauth/oauth-provider/src/oauth-provider.ts

@@ -69,7 +69,11 @@ import { LocalizedString, MultiLangString } from './lib/util/locale.js'
 import { extractZodErrorMessage } from './lib/util/zod-error.js'
 import { CustomMetadata, buildMetadata } from './metadata/build-metadata.js'
 import { OAuthHooks } from './oauth-hooks.js'
-import { OAuthVerifier, OAuthVerifierOptions } from './oauth-verifier.js'
+import {
+  DpopProof,
+  OAuthVerifier,
+  OAuthVerifierOptions,
+} from './oauth-verifier.js'
 import { ReplayStore, ifReplayStore } from './replay/replay-store.js'
 import { codeSchema } from './request/code.js'
 import { RequestInfo } from './request/request-info.js'
@@ -458,7 +462,7 @@ export class OAuthProvider extends OAuthVerifier {
   public async pushedAuthorizationRequest(
     credentials: OAuthClientCredentials,
     authorizationRequest: OAuthAuthorizationRequestPar,
-    dpopJkt: null | string,
+    dpopProof: null | DpopProof,
   ): Promise<OAuthParResponse> {
     try {
       const [client, clientAuth] = await this.authenticateClient(credentials)
@@ -474,7 +478,7 @@ export class OAuthProvider extends OAuthVerifier {
           clientAuth,
           parameters,
           null,
-          dpopJkt,
+          dpopProof,
         )
 
       return {
@@ -717,7 +721,7 @@ export class OAuthProvider extends OAuthVerifier {
     clientCredentials: OAuthClientCredentials,
     clientMetadata: RequestMetadata,
     request: OAuthTokenRequest,
-    dpopJkt: null | string,
+    dpopProof: null | DpopProof,
   ): Promise<OAuthTokenResponse> {
     const [client, clientAuth] =
       await this.authenticateClient(clientCredentials)
@@ -740,7 +744,7 @@ export class OAuthProvider extends OAuthVerifier {
         clientAuth,
         clientMetadata,
         request,
-        dpopJkt,
+        dpopProof,
       )
     }
 
@@ -750,7 +754,7 @@ export class OAuthProvider extends OAuthVerifier {
         clientAuth,
         clientMetadata,
         request,
-        dpopJkt,
+        dpopProof,
       )
     }
 
@@ -764,7 +768,7 @@ export class OAuthProvider extends OAuthVerifier {
     clientAuth: ClientAuth,
     clientMetadata: RequestMetadata,
     input: OAuthAuthorizationCodeGrantTokenRequest,
-    dpopJkt: null | string,
+    dpopProof: null | DpopProof,
   ): Promise<OAuthTokenResponse> {
     const code = codeSchema.parse(input.code)
     try {
@@ -807,7 +811,7 @@ export class OAuthProvider extends OAuthVerifier {
         deviceId,
         parameters,
         input,
-        dpopJkt,
+        dpopProof,
       )
     } catch (err) {
       // If a token is replayed, requestManager.findCode will throw. In that
@@ -835,14 +839,14 @@ export class OAuthProvider extends OAuthVerifier {
     clientAuth: ClientAuth,
     clientMetadata: RequestMetadata,
     input: OAuthRefreshTokenGrantTokenRequest,
-    dpopJkt: null | string,
+    dpopProof: null | DpopProof,
   ): Promise<OAuthTokenResponse> {
     return this.tokenManager.refresh(
       client,
       clientAuth,
       clientMetadata,
       input,
-      dpopJkt,
+      dpopProof,
     )
   }
 
@@ -874,24 +878,24 @@ export class OAuthProvider extends OAuthVerifier {
   protected override async verifyToken(
     tokenType: OAuthTokenType,
     token: OAuthAccessToken,
-    dpopJkt: string | null,
+    dpopProof: null | DpopProof,
     verifyOptions?: VerifyTokenClaimsOptions,
   ): Promise<VerifyTokenClaimsResult> {
     if (this.accessTokenMode === AccessTokenMode.stateless) {
-      return super.verifyToken(tokenType, token, dpopJkt, verifyOptions)
+      return super.verifyToken(tokenType, token, dpopProof, verifyOptions)
     }
 
     if (this.accessTokenMode === AccessTokenMode.light) {
-      const { claims } = await super.verifyToken(
+      const { tokenClaims } = await super.verifyToken(
         tokenType,
         token,
-        dpopJkt,
+        dpopProof,
         // Do not verify the scope and audience in case of "light" tokens.
         // these will be checked through the tokenManager hereafter.
         undefined,
       )
 
-      const tokenId = claims.jti
+      const tokenId = tokenClaims.jti
 
       // In addition to verifying the signature (through the verifier above), we
       // also verify the tokenId is still valid using a database to fetch
@@ -900,7 +904,7 @@ export class OAuthProvider extends OAuthVerifier {
         token,
         tokenType,
         tokenId,
-        dpopJkt,
+        dpopProof,
         verifyOptions,
       )
     }

packages/oauth/oauth-provider/src/oauth-verifier.ts

@@ -8,6 +8,7 @@ import {
 } from '@atproto/oauth-types'
 import { DpopManager, DpopManagerOptions } from './dpop/dpop-manager.js'
 import { DpopNonce } from './dpop/dpop-nonce.js'
+import { DpopProof } from './dpop/dpop-proof.js'
 import { InvalidDpopProofError } from './errors/invalid-dpop-proof-error.js'
 import { InvalidTokenError } from './errors/invalid-token-error.js'
 import { UseDpopNonceError } from './errors/use-dpop-nonce-error.js'
@@ -50,7 +51,7 @@ export type OAuthVerifierOptions = Override<
 >
 
 export { DpopNonce, Key, Keyset }
-export type { RedisOptions, ReplayStore, VerifyTokenClaimsOptions }
+export type { DpopProof, RedisOptions, ReplayStore, VerifyTokenClaimsOptions }
 
 export class OAuthVerifier {
   public readonly issuer: OAuthIssuerIdentifier
@@ -95,30 +96,30 @@ export class OAuthVerifier {
   }
 
   public async checkDpopProof(
-    proof: unknown,
+    httpMethod: string,
-    htm: string,
+    httpUrl: Readonly<URL>,
-    htu: string | URL,
+    httpHeaders: Record<string, undefined | string | string[]>,
     accessToken?: string,
-  ): Promise<string | null> {
+  ): Promise<null | DpopProof> {
-    if (proof === undefined) return null
+    const dpopProof = await this.dpopManager.checkProof(
-
+      httpMethod,
-    const { payload, jkt } = await this.dpopManager.checkProof(
+      httpUrl,
-      proof,
+      httpHeaders,
-      htm,
-      htu,
       accessToken,
     )
 
-    const unique = await this.replayManager.uniqueDpop(payload.jti)
+    if (dpopProof) {
-    if (!unique) throw new InvalidDpopProofError('DPoP proof jti is not unique')
+      const unique = await this.replayManager.uniqueDpop(dpopProof.jti)
+      if (!unique) throw new InvalidDpopProofError('DPoP proof replayed')
+    }
 
-    return jkt
+    return dpopProof
   }
 
   protected async verifyToken(
     tokenType: OAuthTokenType,
     token: OAuthAccessToken,
-    dpopJkt: string | null,
+    dpopProof: null | DpopProof,
     verifyOptions?: VerifyTokenClaimsOptions,
   ): Promise<VerifyTokenClaimsResult> {
     if (!isSignedJwt(token)) {
@@ -135,35 +136,37 @@ export class OAuthVerifier {
       token,
       payload.jti,
       tokenType,
-      dpopJkt,
       payload,
+      dpopProof,
       verifyOptions,
     )
   }
 
   public async authenticateRequest(
-    method: string,
+    httpMethod: string,
-    url: URL,
+    httpUrl: Readonly<URL>,
-    headers: {
+    httpHeaders: Record<string, undefined | string | string[]>,
-      authorization?: string
-      dpop?: unknown
-    },
     verifyOptions?: VerifyTokenClaimsOptions,
-  ) {
+  ): Promise<VerifyTokenClaimsResult> {
-    const [tokenType, token] = parseAuthorizationHeader(headers.authorization)
+    const [tokenType, token] = parseAuthorizationHeader(
+      httpHeaders['authorization'],
+    )
     try {
-      const dpopJkt = await this.checkDpopProof(
+      const dpopProof = await this.checkDpopProof(
-        headers.dpop,
+        httpMethod,
-        method,
+        httpUrl,
-        url,
+        httpHeaders,
         token,
       )
 
-      if (tokenType === 'DPoP' && !dpopJkt) {
+      const tokenResult = await this.verifyToken(
-        throw new InvalidDpopProofError(`DPoP proof required`)
+        tokenType,
-      }
+        token,
+        dpopProof,
+        verifyOptions,
+      )
 
-      return await this.verifyToken(tokenType, token, dpopJkt, verifyOptions)
+      return tokenResult
     } catch (err) {
       if (err instanceof UseDpopNonceError) throw err.toWwwAuthenticateError()
       if (err instanceof WWWAuthenticateError) throw err

packages/oauth/oauth-provider/src/request/request-manager.ts

@@ -16,6 +16,8 @@ import { DeviceId } from '../device/device-id.js'
 import { AccessDeniedError } from '../errors/access-denied-error.js'
 import { ConsentRequiredError } from '../errors/consent-required-error.js'
 import { InvalidAuthorizationDetailsError } from '../errors/invalid-authorization-details-error.js'
+import { InvalidDpopKeyBindingError } from '../errors/invalid-dpop-key-binding-error.js'
+import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
 import { InvalidGrantError } from '../errors/invalid-grant-error.js'
 import { InvalidParametersError } from '../errors/invalid-parameters-error.js'
 import { InvalidRequestError } from '../errors/invalid-request-error.js'
@@ -23,6 +25,7 @@ import { InvalidScopeError } from '../errors/invalid-scope-error.js'
 import { RequestMetadata } from '../lib/http/request.js'
 import { callAsync } from '../lib/util/function.js'
 import { OAuthHooks } from '../oauth-hooks.js'
+import { DpopProof } from '../oauth-verifier.js'
 import { Signer } from '../signer/signer.js'
 import { Code, generateCode } from './code.js'
 import {
@@ -56,9 +59,9 @@ export class RequestManager {
     clientAuth: ClientAuth,
     input: Readonly<OAuthAuthorizationRequestParameters>,
     deviceId: null | DeviceId,
-    dpopJkt: null | string,
+    dpopProof: null | DpopProof,
   ): Promise<RequestInfo> {
-    const parameters = await this.validate(client, clientAuth, input, dpopJkt)
+    const parameters = await this.validate(client, clientAuth, input, dpopProof)
     return this.create(client, clientAuth, parameters, deviceId)
   }
 
@@ -89,7 +92,7 @@ export class RequestManager {
     client: Client,
     clientAuth: ClientAuth,
     parameters: Readonly<OAuthAuthorizationRequestParameters>,
-    dpop_jkt: null | string,
+    dpopProof: null | DpopProof,
   ): Promise<Readonly<OAuthAuthorizationRequestParameters>> {
     // -------------------------------
     // Validate unsupported parameters
@@ -196,12 +199,11 @@ export class RequestManager {
 
     // https://datatracker.ietf.org/doc/html/rfc9449#section-10
     if (!parameters.dpop_jkt) {
-      if (dpop_jkt) parameters = { ...parameters, dpop_jkt }
+      if (dpopProof) parameters = { ...parameters, dpop_jkt: dpopProof.jkt }
-    } else if (parameters.dpop_jkt !== dpop_jkt) {
+    } else if (!dpopProof) {
-      throw new InvalidParametersError(
+      throw new InvalidDpopProofError('DPoP proof required')
-        parameters,
+    } else if (parameters.dpop_jkt !== dpopProof.jkt) {
-        '"dpop_jkt" parameters does not match the DPoP proof',
+      throw new InvalidDpopKeyBindingError()
-      )
     }
 
     if (clientAuth.method === CLIENT_ASSERTION_TYPE_JWT_BEARER) {

packages/oauth/oauth-provider/src/router/create-oauth-middleware.ts

@@ -101,16 +101,16 @@ export function createOAuthMiddleware<
         .parseAsync(payload, { path: ['body'] })
         .catch(throwInvalidRequest)
 
-      const dpopJkt = await server.checkDpopProof(
+      const dpopProof = await server.checkDpopProof(
-        req.headers['dpop'],
         req.method!,
         this.url,
+        req.headers,
       )
 
       return server.pushedAuthorizationRequest(
         credentials,
         authorizationRequest,
-        dpopJkt,
+        dpopProof,
       )
     }, 201),
   )
@@ -138,17 +138,17 @@ export function createOAuthMiddleware<
         .parseAsync(payload, { path: ['body'] })
         .catch(throwInvalidGrant)
 
-      const dpopJkt = await server.checkDpopProof(
+      const dpopProof = await server.checkDpopProof(
-        req.headers['dpop'],
         req.method!,
         this.url,
+        req.headers,
       )
 
       return server.token(
         clientCredentials,
         clientMetadata,
         tokenRequest,
-        dpopJkt,
+        dpopProof,
       )
     }),
   )

packages/oauth/oauth-provider/src/token/token-manager.ts

@@ -32,6 +32,7 @@ import { RequestMetadata } from '../lib/http/request.js'
 import { dateToEpoch, dateToRelativeSeconds } from '../lib/util/date.js'
 import { callAsync } from '../lib/util/function.js'
 import { OAuthHooks } from '../oauth-hooks.js'
+import { DpopProof } from '../oauth-verifier.js'
 import { Sub } from '../oidc/sub.js'
 import { Code, isCode } from '../request/code.js'
 import { SignedTokenPayload } from '../signer/signed-token-payload.js'
@@ -104,12 +105,12 @@ export class TokenManager {
       | OAuthAuthorizationCodeGrantTokenRequest
       | OAuthClientCredentialsGrantTokenRequest
       | OAuthPasswordGrantTokenRequest,
-    dpopJkt: null | string,
+    dpopProof: null | DpopProof,
   ): Promise<OAuthTokenResponse> {
     // @NOTE the atproto specific DPoP requirement is enforced though the
     // "dpop_bound_access_tokens" metadata, which is enforced by the
     // ClientManager class.
-    if (client.metadata.dpop_bound_access_tokens && !dpopJkt) {
+    if (client.metadata.dpop_bound_access_tokens && !dpopProof) {
       throw new InvalidDpopProofError('DPoP proof required')
     }
 
@@ -117,8 +118,10 @@ export class TokenManager {
       // Allow clients to bind their access tokens to a DPoP key during
       // token request if they didn't provide a "dpop_jkt" during the
       // authorization request.
-      if (dpopJkt) parameters = { ...parameters, dpop_jkt: dpopJkt }
+      if (dpopProof) parameters = { ...parameters, dpop_jkt: dpopProof.jkt }
-    } else if (parameters.dpop_jkt !== dpopJkt) {
+    } else if (!dpopProof) {
+      throw new InvalidDpopProofError('DPoP proof required')
+    } else if (parameters.dpop_jkt !== dpopProof.jkt) {
       throw new InvalidDpopKeyBindingError()
     }
 
@@ -347,7 +350,7 @@ export class TokenManager {
     clientAuth: ClientAuth,
     clientMetadata: RequestMetadata,
     input: OAuthRefreshTokenGrantTokenRequest,
-    dpopJkt: null | string,
+    dpopProof: null | DpopProof,
   ): Promise<OAuthTokenResponse> {
     const refreshTokenParsed = refreshTokenSchema.safeParse(input.refresh_token)
     if (!refreshTokenParsed.success) {
@@ -381,9 +384,9 @@ export class TokenManager {
       }
 
       if (parameters.dpop_jkt) {
-        if (!dpopJkt) {
+        if (!dpopProof) {
           throw new InvalidDpopProofError('DPoP proof required')
-        } else if (parameters.dpop_jkt !== dpopJkt) {
+        } else if (parameters.dpop_jkt !== dpopProof.jkt) {
           throw new InvalidDpopKeyBindingError()
         }
       }
@@ -531,7 +534,7 @@ export class TokenManager {
     token: OAuthAccessToken,
     tokenType: OAuthTokenType,
     tokenId: TokenId,
-    dpopJkt: string | null,
+    dpopProof: null | DpopProof,
     verifyOptions?: VerifyTokenClaimsOptions,
   ): Promise<VerifyTokenClaimsResult> {
     const tokenInfo = await this.getTokenInfo(tokenId).catch((err) => {
@@ -547,7 +550,7 @@ export class TokenManager {
     const { parameters } = data
 
     // Construct a list of claim, as if the token was a JWT.
-    const claims: SignedTokenPayload = {
+    const tokenClaims: SignedTokenPayload = {
       iss: this.signer.issuer,
       jti: tokenId,
       sub: account.sub,
@@ -566,8 +569,8 @@ export class TokenManager {
       token,
       tokenId,
       tokenType,
-      dpopJkt,
+      tokenClaims,
-      claims,
+      dpopProof,
       verifyOptions,
     )
   }

packages/oauth/oauth-provider/src/token/verify-token-claims.ts

@@ -3,9 +3,13 @@ import { InvalidDpopKeyBindingError } from '../errors/invalid-dpop-key-binding-e
 import { InvalidDpopProofError } from '../errors/invalid-dpop-proof-error.js'
 import { asArray } from '../lib/util/cast.js'
 import { InvalidTokenError } from '../oauth-errors.js'
+import { DpopProof } from '../oauth-verifier.js'
 import { SignedTokenPayload } from '../signer/signed-token-payload.js'
 import { TokenId } from './token-id.js'
 
+const BEARER = 'Bearer' satisfies OAuthTokenType
+const DPOP = 'DPoP' satisfies OAuthTokenType
+
 export type VerifyTokenClaimsOptions = {
   /** One of these audience must be included in the token audience(s) */
   audience?: [string, ...string[]]
@@ -17,48 +21,73 @@ export type VerifyTokenClaimsResult = {
   token: OAuthAccessToken
   tokenId: TokenId
   tokenType: OAuthTokenType
-  claims: SignedTokenPayload
+  tokenClaims: SignedTokenPayload
+  dpopProof: null | DpopProof
 }
 
 export function verifyTokenClaims(
   token: OAuthAccessToken,
   tokenId: TokenId,
   tokenType: OAuthTokenType,
-  dpopJkt: string | null,
+  tokenClaims: SignedTokenPayload,
-  claims: SignedTokenPayload,
+  dpopProof: null | DpopProof,
   options?: VerifyTokenClaimsOptions,
 ): VerifyTokenClaimsResult {
   const dateReference = Date.now()
-  const claimsJkt = claims.cnf?.jkt ?? null
 
-  const expectedTokenType: OAuthTokenType = claimsJkt ? 'DPoP' : 'Bearer'
+  if (tokenClaims.cnf?.jkt) {
-  if (expectedTokenType !== tokenType) {
+    // An access token with a cnf.jkt claim must be a DPoP token
-    throw new InvalidTokenError(expectedTokenType, `Invalid token type`)
+    if (tokenType !== DPOP) {
-  }
+      throw new InvalidTokenError(
-  if (tokenType === 'DPoP' && !dpopJkt) {
+        DPOP,
-    throw new InvalidDpopProofError(`jkt is required for DPoP tokens`)
+        `Access token is bound to a DPoP proof, but token type is ${tokenType}`,
-  }
+      )
-  if (claimsJkt !== dpopJkt) {
+    }
-    throw new InvalidDpopKeyBindingError()
+
+    // DPoP token type must be used with a DPoP proof
+    if (!dpopProof) {
+      throw new InvalidDpopProofError(`DPoP proof required`)
+    }
+
+    // DPoP proof must be signed with the key that matches the "cnf" claim
+    if (tokenClaims.cnf.jkt !== dpopProof.jkt) {
+      throw new InvalidDpopKeyBindingError()
+    }
+  } else {
+    // An access token without a cnf.jkt claim must be a Bearer token
+    if (tokenType !== BEARER) {
+      throw new InvalidTokenError(
+        BEARER,
+        `Bearer token type must be used without a DPoP proof`,
+      )
+    }
+
+    // Unexpected DPoP proof received for a Bearer token
+    if (dpopProof) {
+      throw new InvalidTokenError(
+        BEARER,
+        `DPoP proof not expected for Bearer token type`,
+      )
+    }
   }
 
   if (options?.audience) {
-    const aud = asArray(claims.aud)
+    const aud = asArray(tokenClaims.aud)
     if (!options.audience.some((v) => aud.includes(v))) {
       throw new InvalidTokenError(tokenType, `Invalid audience`)
     }
   }
 
   if (options?.scope) {
-    const scopes = claims.scope?.split(' ')
+    const scopes = tokenClaims.scope?.split(' ')
     if (!scopes || !options.scope.some((v) => scopes.includes(v))) {
       throw new InvalidTokenError(tokenType, `Invalid scope`)
     }
   }
 
-  if (claims.exp != null && claims.exp * 1000 <= dateReference) {
+  if (tokenClaims.exp != null && tokenClaims.exp * 1000 <= dateReference) {
     throw new InvalidTokenError(tokenType, `Token expired`)
   }
 
-  return { token, tokenId, tokenType, claims }
+  return { token, tokenId, tokenType, tokenClaims, dpopProof }
 }

packages/pds/src/auth-verifier.ts

@@ -490,19 +490,19 @@ export class AuthVerifier {
       const originalUrl =
         ('originalUrl' in req && req.originalUrl) || req.url || '/'
       const url = new URL(originalUrl, this._publicUrl)
-      const result = await this.oauthVerifier.authenticateRequest(
+      const { tokenClaims } = await this.oauthVerifier.authenticateRequest(
         req.method || 'GET',
         url,
         req.headers,
         { audience: [this.dids.pds] },
       )
 
-      const { sub } = result.claims
+      const { sub } = tokenClaims
       if (typeof sub !== 'string' || !sub.startsWith('did:')) {
         throw new InvalidRequestError('Malformed token', 'InvalidToken')
       }
 
-      const oauthScopes = new Set(result.claims.scope?.split(' '))
+      const oauthScopes = new Set(tokenClaims.scope?.split(' '))
 
       if (!oauthScopes.has('transition:generic')) {
         throw new AuthRequiredError(
@@ -535,7 +535,7 @@ export class AuthVerifier {
       return {
         credentials: {
           type: 'oauth',
-          did: result.claims.sub,
+          did: tokenClaims.sub,
           scope: scopeEquivalent,
           oauthScopes,
           isPrivileged: scopeEquivalent === AuthScope.AppPassPrivileged,