From c4a00376da7a0892669d0311409e04ba95d55705 Mon Sep 17 00:00:00 2001
From: Arvind Krishnakumar <61501885+arvindkrishnakumar-okta@users.noreply.github.com>
Date: Tue, 3 Sep 2024 09:41:46 -0500
Subject: [PATCH] Fix DPoPInterceptor when called after retry (#1536) (#1552)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Clément Denis
---
 .../main/java/com/okta/sdk/impl/oauth2/DPoPInterceptor.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/impl/src/main/java/com/okta/sdk/impl/oauth2/DPoPInterceptor.java b/impl/src/main/java/com/okta/sdk/impl/oauth2/DPoPInterceptor.java
index 57e9e4189ea..d1860d3d62a 100644
--- a/impl/src/main/java/com/okta/sdk/impl/oauth2/DPoPInterceptor.java
+++ b/impl/src/main/java/com/okta/sdk/impl/oauth2/DPoPInterceptor.java
@@ -115,7 +115,8 @@ private void processRequest(HttpRequest request, boolean tokenRequest) {
 Header authorization = request.getFirstHeader("Authorization");
 if (authorization != null) {
 //already authenticated, need to replace Authorization header prefix and set ath claim
- String token = authorization.getValue().replaceFirst("^Bearer ", "");
+ //the DPoP prefix might already be set if the request is retried
+ String token = StringUtils.substringAfter(authorization.getValue(), " ");
 request.setHeader("Authorization", DPOP_HEADER + " " + token);
 byte[] ath = SHA256.digest(token.getBytes(StandardCharsets.US_ASCII));
 builder.claim("ath", Encoders.BASE64URL.encode(ath));
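Review bot: The new `StringUtils.substringAfter(authorization.getValue(), " ")` line drops whatever precedes the first space, so any Authorization scheme, not only `Bearer` or an earlier `DPoP`, is relabelled as DPoP and its credential hashed into the `ath` claim. If `StringUtils` here is Apache Commons Lang (the import is outside the hunk), a value with no space yields an empty token, and the request goes out as `DPoP ` with the hash of an empty string instead of failing visibly. Splitting once and checking the scheme keeps the retry fix while refusing everything else: `String[] parts = authorization.getValue().split(" ", 2);` followed by `if (parts.length != 2 || parts[1].isEmpty() || !(parts[0].equalsIgnoreCase("Bearer") || parts[0].equalsIgnoreCase(DPOP_HEADER))) throw new IllegalStateException("unexpected Authorization scheme");`, assuming `DPOP_HEADER` holds the scheme name. `processRequest` starts and ends outside the hunk, so how callers handle such a failure should be checked there.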