feat(DPoP): add a setting to disable DPoP Proof Replay Detection

docs/README.md

@@ -880,6 +880,7 @@ _**default value**_:
 ```js
 {
   ack: undefined,
+  allowReplay: false,
   enabled: false,
   nonceSecret: undefined,
   requireNonce: [Function: requireNonce] // see expanded details below
@@ -889,6 +890,16 @@ _**default value**_:
 <details><summary>(Click to expand) features.dPoP options details</summary><br>
 
 
+#### allowReplay
+
+Controls whether DPoP Proof Replay Detection is used or not.  
+
+
+_**default value**_:
+```js
+false
+```
+
 #### nonceSecret
 
 A secret value used for generating server-provided DPoP nonces. Must be a 32-byte length Buffer instance when provided.  

lib/actions/authorization/check_dpop_jkt.js

@@ -1,6 +1,7 @@
 import { InvalidRequest } from '../../helpers/errors.js';
 import dpopValidate, { DPOP_OK_WINDOW } from '../../helpers/validate_dpop.js';
 import epochTime from '../../helpers/epoch_time.js';
+import instance from '../../helpers/weak_cache.js';
 
 /*
  * Validates dpop_jkt equals the used DPoP proof thumbprint
@@ -11,14 +12,17 @@ export default async function checkDpopJkt(ctx, next) {
 
   const dPoP = await dpopValidate(ctx);
   if (dPoP) {
-    const { ReplayDetection } = ctx.oidc.provider;
-    const unique = await ReplayDetection.unique(
-      ctx.oidc.client.clientId,
-      dPoP.jti,
-      epochTime() + DPOP_OK_WINDOW,
-    );
+    const allowReplay = instance(ctx.oidc.provider).configuration('features.dPoP.allowReplay');
+    if (!allowReplay) {
+      const { ReplayDetection } = ctx.oidc.provider;
+      const unique = await ReplayDetection.unique(
+        ctx.oidc.client.clientId,
+        dPoP.jti,
+        epochTime() + DPOP_OK_WINDOW,
+      );
 
-    ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected'));
+      ctx.assert(unique, new InvalidRequest('DPoP proof JWT Replay detected'));
+    }
 
     if (params.dpop_jkt && params.dpop_jkt !== dPoP.thumbprint) {
       throw new InvalidRequest('DPoP proof key thumbprint does not match dpop_jkt');

lib/actions/grants/authorization_code.js

@@ -19,6 +19,7 @@ export const handler = async function authorizationCodeHandler(ctx, next) {
       userinfo,
       mTLS: { getCertificate },
       resourceIndicators,
+      dPoP: { allowReplay },
     },
   } = instance(ctx.oidc.provider).configuration();
 
@@ -129,13 +130,15 @@ export const handler = async function authorizationCodeHandler(ctx, next) {
   }
 
   if (dPoP) {
-    const unique = await ReplayDetection.unique(
-      ctx.oidc.client.clientId,
-      dPoP.jti,
-      epochTime() + DPOP_OK_WINDOW,
-    );
-
-    ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+    if (!allowReplay) {
+      const unique = await ReplayDetection.unique(
+        ctx.oidc.client.clientId,
+        dPoP.jti,
+        epochTime() + DPOP_OK_WINDOW,
+      );
+
+      ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+    }
 
     if (code.dpopJkt && code.dpopJkt !== dPoP.thumbprint) {
       throw new InvalidGrant('DPoP proof key thumbprint does not match dpop_jkt');

lib/actions/grants/ciba.js

@@ -26,6 +26,7 @@ export const handler = async function cibaHandler(ctx, next) {
     features: {
       userinfo,
       mTLS: { getCertificate },
+      dPoP: { allowReplay },
       resourceIndicators,
     },
   } = instance(ctx.oidc.provider).configuration();
@@ -130,13 +131,15 @@ export const handler = async function cibaHandler(ctx, next) {
   }
 
   if (dPoP) {
-    const unique = await ReplayDetection.unique(
-      ctx.oidc.client.clientId,
-      dPoP.jti,
-      epochTime() + DPOP_OK_WINDOW,
-    );
-
-    ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+    if (!allowReplay) {
+      const unique = await ReplayDetection.unique(
+        ctx.oidc.client.clientId,
+        dPoP.jti,
+        epochTime() + DPOP_OK_WINDOW,
+      );
+
+      ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+    }
 
     at.setThumbprint('jkt', dPoP.thumbprint);
   }

lib/actions/grants/client_credentials.js

@@ -10,6 +10,7 @@ export const handler = async function clientCredentialsHandler(ctx, next) {
   const {
     features: {
       mTLS: { getCertificate },
+      dPoP: { allowReplay },
     },
     scopes: statics,
   } = instance(ctx.oidc.provider).configuration();
@@ -54,13 +55,15 @@ export const handler = async function clientCredentialsHandler(ctx, next) {
   }
 
   if (dPoP) {
-    const unique = await ReplayDetection.unique(
-      client.clientId,
-      dPoP.jti,
-      epochTime() + DPOP_OK_WINDOW,
-    );
-
-    ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+    if (!allowReplay) {
+      const unique = await ReplayDetection.unique(
+        client.clientId,
+        dPoP.jti,
+        epochTime() + DPOP_OK_WINDOW,
+      );
+
+      ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+    }
 
     token.setThumbprint('jkt', dPoP.thumbprint);
   } else if (ctx.oidc.client.dpopBoundAccessTokens) {

lib/actions/grants/device_code.js

@@ -26,6 +26,7 @@ export const handler = async function deviceCodeHandler(ctx, next) {
     features: {
       userinfo,
       mTLS: { getCertificate },
+      dPoP: { allowReplay },
       resourceIndicators,
     },
   } = instance(ctx.oidc.provider).configuration();
@@ -129,13 +130,15 @@ export const handler = async function deviceCodeHandler(ctx, next) {
   }
 
   if (dPoP) {
-    const unique = await ReplayDetection.unique(
-      ctx.oidc.client.clientId,
-      dPoP.jti,
-      epochTime() + DPOP_OK_WINDOW,
-    );
-
-    ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+    if (!allowReplay) {
+      const unique = await ReplayDetection.unique(
+        ctx.oidc.client.clientId,
+        dPoP.jti,
+        epochTime() + DPOP_OK_WINDOW,
+      );
+
+      ctx.assert(unique, new InvalidGrant('DPoP proof JWT Replay detected'));
+    }
 
     at.setThumbprint('jkt', dPoP.thumbprint);
   }

lib/actions/grants/refresh_token.js

@@ -23,6 +23,7 @@ export const handler = async function refreshTokenHandler(ctx, next) {
     features: {
       userinfo,
       mTLS: { getCertificate },
+      dPoP: { allowReplay },
       resourceIndicators,
     },
   } = conf;
@@ -89,7 +90,7 @@ export const handler = async function refreshTokenHandler(ctx, next) {
     }
   }
 
-  if (dPoP) {
+  if (dPoP && !allowReplay) {
     const unique = await ReplayDetection.unique(
       client.clientId,
       dPoP.jti,

lib/actions/userinfo.js

@@ -86,13 +86,17 @@ export default [
     }
 
     if (dPoP) {
-      const unique = await ctx.oidc.provider.ReplayDetection.unique(
-        accessToken.clientId,
-        dPoP.jti,
-        epochTime() + DPOP_OK_WINDOW,
-      );
+      const allowReplay = instance(ctx.oidc.provider).configuration('features.dPoP.allowReplay');
+
+      if (!allowReplay) {
+        const unique = await ctx.oidc.provider.ReplayDetection.unique(
+          accessToken.clientId,
+          dPoP.jti,
+          epochTime() + DPOP_OK_WINDOW,
+        );
 
-      ctx.assert(unique, new InvalidToken('DPoP proof JWT Replay detected'));
+        ctx.assert(unique, new InvalidToken('DPoP proof JWT Replay detected'));
+      }
     }
 
     if (accessToken.jkt && (!dPoP || accessToken.jkt !== dPoP.thumbprint)) {

lib/helpers/defaults.js

@@ -1005,6 +1005,12 @@ function makeDefaults() {
          * description: Function used to determine whether a DPoP nonce is required or not.
          */
         requireNonce,
+        /**
+         * features.dPoP.allowReplay
+         *
+         * description: Controls whether DPoP Proof Replay Detection is used or not.
+         */
+        allowReplay: false,
       },
 
       /*