Optional enabled
Enables DPoP support.
When enabled: true: tokens may be presented with either the Bearer scheme or the DPoP scheme (Authorization: DPoP … plus a DPoP proof header), and the middleware will validate proofs.
When enabled: false: only Bearer scheme tokens are accepted (a DPoP-bound token is still accepted over Bearer; its cnf claim is ignored). The DPoP proof header is ignored.
Default: true
// Accept both Bearer and DPoP (default):
auth({ dpop: { enabled: true, required: false } })
// Bearer-only (DPoP disabled):
auth({ dpop: { enabled: false } })
Optional iatLeeway
Allowed clock skew (in seconds) for future-dated iat values.
Some clients have slightly skewed clocks; a small positive leeway prevents valid proofs from being rejected when iat appears a bit in the future.
This is applied only when enabled: true and a DPoP proof is present.
Default: 30 // 30 seconds
// Allow up to 60 seconds of client/server clock skew
auth({ dpop: { enabled: true, iatLeeway: 60 } })
Optional iatOffset
Maximum accepted age (in seconds) for a DPoP proof's iat claim.
Proofs older than iatOffset (relative to current server time) are rejected.
This is applied only when enabled: true and a DPoP proof is present.
Default: 300 // 5 minutes
// Reject proofs older than 2 minutes
auth({ dpop: { enabled: true, iatOffset: 120 } })
Optional required
Requires DPoP tokens exclusively when DPoP is enabled.
When enabled: true and required: true: only tokens using the DPoP scheme are accepted; the associated DPoP proof is validated, and any token using a different (non-DPoP) scheme is rejected.
When enabled: false: required must also be false. { enabled: false, required: true } is an invalid configuration, and the SDK cannot be used with it.
Default: false
// DPoP-only:
auth({ dpop: { enabled: true, required: true } })
Options that control Demonstration of Proof-of-Possession (DPoP) handling.
Remarks
DPoP (RFC 9449) is an application-level mechanism to sender-constrain OAuth 2.0 access/refresh tokens by proving possession of a private key. This SDK supports validating DPoP proofs on incoming requests when enabled.
Behavior matrix:
Default ({ enabled: true, required: false }): Accepts both Bearer and DPoP, validating the DPoP proof when present.
Bearer-only ({ enabled: false, required: false }): Rejects any non-Bearer scheme tokens (including those using the DPoP scheme), accepts DPoP-bound tokens over Bearer (ignoring cnf), and ignores any DPoP proof headers if present.
Misconfiguration ({ enabled: false, required: true }): This configuration is invalid. DPoP is disabled, and the SDK cannot be used with this setting.
DPoP-only ({ enabled: true, required: true }): Accepts only tokens using the DPoP scheme, validates the associated DPoP proof, and rejects any token using a different (non-DPoP) scheme.
Proof timing:
iatOffset bounds how far in the past a proof's iat may be (replay window).
iatLeeway allows limited clock skew for proofs that appear slightly in the future.
Note: This SDK uses req.protocol and req.host to construct/validate the DPoP htu. If your app runs behind a reverse proxy (Nginx, Cloudflare, etc.), enable Express proxy trust to ensure correct values.
See https://www.rfc-editor.org/rfc/rfc9449
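The following is an added reference model of the option semantics above (the behavior matrix, the iat window, and the htu/proxy note); it is not the SDK's own code, and the function names (acceptedSchemes, checkProofIat, expectedHtu, htuMatches), the use of req.path for the path component, and the sample request objects are assumptions made for illustration.

```javascript
// Added reference model (not the SDK's own code) of the DPoP option semantics
// documented above. Function names are hypothetical; the SDK's internals may differ.

// Which Authorization schemes a request may use under a given dpop config,
// following the behavior matrix. The { enabled: false, required: true }
// combination is rejected up front rather than silently accepted.
function acceptedSchemes({ enabled = true, required = false } = {}) {
  if (!enabled && required) {
    throw new Error('invalid dpop config: required: true needs enabled: true');
  }
  if (!enabled) return ['Bearer'];            // DPoP proof header is ignored
  return required ? ['DPoP'] : ['Bearer', 'DPoP'];
}

// Proof timing window. iat may lie at most iatOffset seconds in the past
// (replay window) and at most iatLeeway seconds in the future (clock skew).
// Both bounds are inclusive; all values are in seconds since the epoch.
function checkProofIat(iat, nowSeconds, { iatOffset = 300, iatLeeway = 30 } = {}) {
  if (!Number.isInteger(iat)) return { ok: false, reason: 'iat missing or not an integer' };
  if (iat > nowSeconds + iatLeeway) return { ok: false, reason: 'iat too far in the future' };
  if (iat < nowSeconds - iatOffset) return { ok: false, reason: 'iat older than iatOffset' };
  return { ok: true };
}

// The htu the server expects in the proof: scheme + host + path, no query or
// fragment, built from the Express request the way the note above describes.
// req.path is assumed here for the path component.
function expectedHtu(req) {
  return `${req.protocol}://${req.host}${req.path}`;
}

function htuMatches(req, proofHtu) {
  return expectedHtu(req) === proofHtu;
}

// Constructed sample: the client computed htu from the public URL. Behind a
// TLS-terminating proxy, an Express app without app.set('trust proxy', ...)
// sees the proxy's plain-HTTP hop and internal host, so the htu check fails.
const clientHtu = 'https://api.example.com/orders';
const reqWithoutTrustProxy = { protocol: 'http', host: 'app-1.internal', path: '/orders' };
const reqWithTrustProxy = { protocol: 'https', host: 'api.example.com', path: '/orders' };

const now = Math.floor(Date.now() / 1000);
console.log(acceptedSchemes());                          // [ 'Bearer', 'DPoP' ]
console.log(checkProofIat(now - 400, now));              // { ok: false, reason: 'iat older than iatOffset' }
console.log(htuMatches(reqWithoutTrustProxy, clientHtu)); // false
console.log(htuMatches(reqWithTrustProxy, clientHtu));    // true
```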