feat: adds dpopOtions.allowBearerTokens configuration (#1584)

OKTA-909903 feat: adds dpopOptions.allowBearerTokens config

Author: jaredperreault-okta

CHANGELOG.md

@@ -8,6 +8,8 @@
   - A [`Cross-Origin-Opener-Policy`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) resilient method of acquiring tokens using via external IDPs.
   - See [documentation](https://github.com/okta/okta-auth-js?tab=readme-ov-file#tokengetwithidppopupoptions) for more detailed explanation
 
+- [#1584](https://github.com/okta/okta-auth-js/pull/1584) feat: adds `dpopOptions.allowBearerTokens` configuration
+
 # 7.11.3
 
 ### Fixes

README.md

@@ -415,6 +415,10 @@ const config = {
   // other configurations
   pkce: true,     // required
   dpop: true,
+  dpopOptions: {
+    // set to `true` to skip the validation to check the resulting token response includes `token_type: DPoP`
+    allowBearerTokens: false    // defaults to `false`, tokens are validated to include `token_type: DPoP`
+  }
 };
 
 const authClient = new OktaAuth(config);
@@ -575,6 +579,20 @@ Default value is `false`. Set to `true` to enable `DPoP` (Demonstrating Proof-of
 
 See Guide: [Enabling DPoP](#enabling-dpop)
 
+#### `dpopOptions`
+
+Default value:
+```javascript
+dpopOptions: {
+  allowBearerTokens: false
+}
+```
+
+See Guide: [Enabling DPoP](#enabling-dpop)
+
+#### `dpopOptions.allowBearerTokens`
+
+When `false`, dpop-enabled token requests are validated to contain `token_type: DPoP` and will throw otherwise. Set to `true` to skip this validation and allow `Bearer` tokens as a possible `token_type`. This can be useful during a migration, to avoid needing to update a web application simutaneously with Okta Org configurations. Defaults to `false`
 
 #### responseMode
 

lib/oidc/handleOAuthResponse.ts

@@ -39,12 +39,6 @@ function validateResponse(res: OAuthResponse, oauthParams: TokenParams) {
   if (res.state !== oauthParams.state) {
     throw new AuthSdkError('OAuth flow response state doesn\'t match request state');
   }
-
-  // https://datatracker.ietf.org/doc/html/rfc9449#token-response
-  // "A token_type of DPoP MUST be included in the access token response to signal to the client"
-  if (oauthParams.dpop && res.token_type !== 'DPoP') {
-    throw new AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but "token_type" was not DPoP');
-  }
 }
 
 export async function handleOAuthResponse(
@@ -83,6 +77,16 @@ export async function handleOAuthResponse(
   // Handling the result from implicit flow or PKCE token exchange
   validateResponse(res, tokenParams);
 
+  if (tokenParams.dpop) {
+    const { allowBearerTokens } = sdk.options?.dpopOptions ?? { allowBearerTokens: false };
+
+    // https://datatracker.ietf.org/doc/html/rfc9449#token-response
+    // "A token_type of DPoP MUST be included in the access token response to signal to the client"
+    if (!allowBearerTokens && res.token_type !== 'DPoP') {
+      throw new AuthSdkError('Unable to parse OAuth flow response: DPoP was configured but "token_type" was not DPoP');
+    }
+  }
+
   const tokenDict = {} as Tokens;
   const expiresIn = res.expires_in;
   const tokenType = res.token_type;

lib/oidc/options/OAuthOptionsConstructor.ts

@@ -21,7 +21,8 @@ import {
   OktaAuthOAuthOptions,
   SetLocationFunction,
   TokenManagerOptions,
-  TransactionManagerOptions
+  TransactionManagerOptions,
+  DPoPOptions
 } from '../types';
 import { enableSharedStorage } from './node';
 import AuthSdkError from '../../errors/AuthSdkError';
@@ -82,6 +83,7 @@ export function createOAuthOptionsConstructor() {
     acrValues: string;
     maxAge: string | number;
     dpop: boolean;
+    dpopOptions: DPoPOptions;
 
     // Additional options
     tokenManager: TokenManagerOptions;
@@ -128,6 +130,10 @@ export function createOAuthOptionsConstructor() {
       this.acrValues = options.acrValues;
       this.maxAge = options.maxAge;
       this.dpop = options.dpop === true; // dpop defaults to false
+      this.dpopOptions = {
+        allowBearerTokens: false,
+        ...options.dpopOptions,
+      };
 
       this.tokenManager = options.tokenManager;
       this.postLogoutRedirectUri = options.postLogoutRedirectUri;

lib/oidc/types/options.ts

@@ -83,6 +83,10 @@ export interface RenewTokensParams extends TokenParams {
   tokens?: Tokens
 }
 
+export interface DPoPOptions {
+  allowBearerTokens: boolean;
+}
+
 export interface OktaAuthOAuthOptions extends
   OktaAuthHttpOptions,
   CustomUrls,
@@ -108,6 +112,7 @@ export interface OktaAuthOAuthOptions extends
   maxClockSkew?: number;
   restoreOriginalUri?: (oktaAuth: OktaAuthOAuthInterface, originalUri?: string) => Promise<void>;
   dpop?: boolean;
+  dpopOptions?: DPoPOptions;
 
   transactionManager?: TransactionManagerOptions;
 

test/spec/oidc/util/handleOAuthResponse.ts

@@ -222,6 +222,29 @@ describe('handleOAuthResponse', () => {
         }, undefined);
         expect(res).toBe(mockTokens);
       });
+
+      it('allows Bearer tokens to be returned when DPoP token was requested', async () => {
+        sdk = mockOktaAuth({
+          dpopOptions: { allowBearerTokens: true }
+        });
+        const tokenParams: TokenParams = {
+          responseType: ['token', 'id_token', 'refresh_token'],
+          dpop: true,
+          extraParams: { foo: 'bar' }
+        };
+        const oauthRes = { id_token: 'foo', access_token: 'blar', refresh_token: 'bloo', token_type: 'Bearer' };
+        const res = await handleOAuthResponse(sdk, tokenParams, oauthRes, undefined as unknown as CustomUrls);
+        expect(res.tokens).toBeTruthy();
+        expect(res.tokens.accessToken).toBeTruthy();
+        expect(res.tokens.accessToken!.accessToken).toBe('blar');
+        expect(res.tokens.accessToken!.extraParams).toEqual({ foo: 'bar' });
+        expect(res.tokens.idToken).toBeTruthy();
+        expect(res.tokens.idToken!.idToken).toBe('foo');
+        expect(res.tokens.idToken!.extraParams).toEqual({ foo: 'bar' });
+        expect(res.tokens.refreshToken).toBeTruthy();
+        expect(res.tokens.refreshToken!.refreshToken).toBe('bloo');
+        expect(res.tokens.refreshToken!.extraParams).toEqual({ foo: 'bar' });
+      });
     });
 
     describe('Interaction code flow', () => {