@axa-fr/oidc-client 7.4.1 → 7.5.1

package/src/jwt.ts

@@ -0,0 +1,248 @@
+// code base on https://coolaj86.com/articles/sign-jwt-webcrypto-vanilla-js/
+
+// String (UCS-2) to Uint8Array
+//
+// because... JavaScript, Strings, and Buffers
+// @ts-ignore
+function strToUint8(str) {
+    return new TextEncoder().encode(str);
+}
+
+// Binary String to URL-Safe Base64
+//
+// btoa (Binary-to-Ascii) means "binary string" to base64
+// @ts-ignore
+function binToUrlBase64(bin) {
+    return btoa(bin)
+        .replace(/\+/g, '-')
+        .replace(/\//g, '_')
+        .replace(/=+/g, '');
+}
+
+// UTF-8 to Binary String
+//
+// Because JavaScript has a strange relationship with strings
+// https://coolaj86.com/articles/base64-unicode-utf-8-javascript-and-you/
+// @ts-ignore
+function utf8ToBinaryString(str) {
+    const escstr = encodeURIComponent(str);
+    // replaces any uri escape sequence, such as %0A,
+    // with binary escape, such as 0x0A
+    const binstr = escstr.replace(/%([0-9A-F]{2})/g, function (match, p1) {
+        return String.fromCharCode(parseInt(p1, 16));
+    });
+
+    return binstr;
+}
+
+// Uint8Array to URL Safe Base64
+//
+// the shortest distant between two encodings... binary string
+// @ts-ignore
+function uint8ToUrlBase64(uint8) {
+    let bin = '';
+    // @ts-ignore
+    uint8.forEach(function(code) {
+        bin += String.fromCharCode(code);
+    });
+    return binToUrlBase64(bin);
+}
+
+// UCS-2 String to URL-Safe Base64
+//
+// btoa doesn't work on UTF-8 strings
+// @ts-ignore
+function strToUrlBase64(str) {
+    return binToUrlBase64(utf8ToBinaryString(str));
+}
+
+export var JWT = {};
+// @ts-ignore
+JWT.sign = (jwk, headers, claims, jwtHeaderType= 'dpop+jwt') => {
+    // Make a shallow copy of the key
+    // (to set ext if it wasn't already set)
+    jwk = Object.assign({}, jwk);
+
+    // The headers should probably be empty
+    headers.typ = jwtHeaderType;
+    headers.alg = 'ES256';
+    if (!headers.kid) {
+        // alternate: see thumbprint function below
+        headers.jwk = { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y };
+    }
+
+    const jws = {
+        // @ts-ignore
+        // JWT "headers" really means JWS "protected headers"
+        protected: strToUrlBase64(JSON.stringify(headers)),
+        // @ts-ignore
+        // JWT "claims" are really a JSON-defined JWS "payload"
+        payload: strToUrlBase64(JSON.stringify(claims))
+    };
+
+    // To import as EC (ECDSA, P-256, SHA-256, ES256)
+    const keyType = {
+        name: 'ECDSA',
+        namedCurve: 'P-256',
+        hash: {name: 'ES256'}
+    };
+
+    // To make re-exportable as JSON (or DER/PEM)
+    const exportable = true;
+
+    // Import as a private key that isn't black-listed from signing
+    const privileges = ['sign'];
+
+    // Actually do the import, which comes out as an abstract key type
+    // @ts-ignore
+    return window.crypto.subtle
+        // @ts-ignore
+        .importKey('jwk', jwk, keyType, exportable, privileges)
+        .then(function(privateKey) {
+            // Convert UTF-8 to Uint8Array ArrayBuffer
+            // @ts-ignore
+            const data = strToUint8(jws.protected + '.' + jws.payload);
+
+            // The signature and hash should match the bit-entropy of the key
+            // https://tools.ietf.org/html/rfc7518#section-3
+            const signatureType = {name: 'ECDSA', hash: {name: 'SHA-256'}};
+
+            return window.crypto.subtle.sign(signatureType, privateKey, data).then(function(signature) {
+                // returns an ArrayBuffer containing a JOSE (not X509) signature,
+                // which must be converted to Uint8 to be useful
+                // @ts-ignore
+                jws.signature = uint8ToUrlBase64(new Uint8Array(signature));
+
+                // JWT is just a "compressed", "protected" JWS
+                // @ts-ignore
+                return jws.protected + '.' + jws.payload + '.' + jws.signature;
+            });
+        });
+};
+
+
+const EC = {};
+// @ts-ignore
+EC.generate = function() {
+    const keyType = {
+        name: 'ECDSA',
+        namedCurve: 'P-256'
+    };
+    const exportable = true;
+    const privileges = ['sign', 'verify'];
+    // @ts-ignore
+    return window.crypto.subtle.generateKey(keyType, exportable, privileges).then(function(key) {
+        // returns an abstract and opaque WebCrypto object,
+        // which in most cases you'll want to export as JSON to be able to save
+        return window.crypto.subtle.exportKey('jwk', key.privateKey);
+    });
+};
+
+// Create a Public Key from a Private Key
+//
+// chops off the private parts
+// @ts-ignore
+EC.neuter = function(jwk) {
+    const copy = Object.assign({}, jwk);
+    delete copy.d;
+    copy.key_ops = ['verify'];
+    return copy;
+};
+
+export var JWK = {};
+// @ts-ignore
+JWK.thumbprint = function(jwk) {
+    // lexigraphically sorted, no spaces
+    const sortedPub = '{"crv":"CRV","kty":"EC","x":"X","y":"Y"}'
+        .replace('CRV', jwk.crv)
+        .replace('X', jwk.x)
+        .replace('Y', jwk.y);
+
+    // The hash should match the size of the key,
+    // but we're only dealing with P-256
+    return window.crypto.subtle
+        .digest({ name: 'SHA-256' }, strToUint8(sortedPub))
+        .then(function(hash) {
+            return uint8ToUrlBase64(new Uint8Array(hash));
+        });
+};
+
+
+const guid = function () {
+    // RFC4122: The version 4 UUID is meant for generating UUIDs from truly-random or
+    // pseudo-random numbers.
+    // The algorithm is as follows:
+    //     Set the two most significant bits (bits 6 and 7) of the
+    //        clock_seq_hi_and_reserved to zero and one, respectively.
+    //     Set the four most significant bits (bits 12 through 15) of the
+    //        time_hi_and_version field to the 4-bit version number from
+    //        Section 4.1.3. Version4 
+    //     Set all the other bits to randomly (or pseudo-randomly) chosen
+    //     values.
+    // UUID                   = time-low "-" time-mid "-"time-high-and-version "-"clock-seq-reserved and low(2hexOctet)"-" node
+    // time-low               = 4hexOctet
+    // time-mid               = 2hexOctet
+    // time-high-and-version  = 2hexOctet
+    // clock-seq-and-reserved = hexOctet: 
+    // clock-seq-low          = hexOctet
+    // node                   = 6hexOctet
+    // Format: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
+    // y could be 1000, 1001, 1010, 1011 since most significant two bits needs to be 10
+    // y values are 8, 9, A, B
+    const guidHolder = 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx';
+    const hex = '0123456789abcdef';
+    let r = 0;
+    let guidResponse = "";
+    for (let i = 0; i < 36; i++) {
+        if (guidHolder[i] !== '-' && guidHolder[i] !== '4') {
+            // each x and y needs to be random
+            r = Math.random() * 16 | 0;
+        }
+
+        if (guidHolder[i] === 'x') {
+            guidResponse += hex[r];
+        } else if (guidHolder[i] === 'y') {
+            // clock-seq-and-reserved first hex is filtered and remaining hex values are random
+            r &= 0x3; // bit and with 0011 to set pos 2 to zero ?0??
+            r |= 0x8; // set pos 3 to 1 as 1???
+            guidResponse += hex[r];
+        } else {
+            guidResponse += guidHolder[i];
+        }
+    }
+
+    return guidResponse;
+};
+
+
+export const generateJwkAsync = () => {
+    // @ts-ignore
+    return EC.generate().then(function(jwk) {
+        // console.info('Private Key:', JSON.stringify(jwk));
+        // @ts-ignore
+        // console.info('Public Key:', JSON.stringify(EC.neuter(jwk)));
+        return jwk;
+    });
+}
+
+export const generateJwtDemonstratingProofOfPossessionAsync = (jwk, method = 'POST', url: string, extrasClaims={}) => {
+
+    const claims = {
+        // https://www.rfc-editor.org/rfc/rfc9449.html#name-concept
+        jit: btoa(guid()),
+        htm: method,
+        htu: url,
+        iat: Math.round(Date.now() / 1000),
+        ...extrasClaims,
+    };
+    // @ts-ignore
+    return JWK.thumbprint(jwk).then(function(kid) {
+        // @ts-ignore
+        return JWT.sign(jwk, { /*kid: kid*/ }, claims).then(function(jwt) {
+            // console.info('JWT:', jwt);
+            return jwt;
+        });
+    });
+}
+
+export default EC;

package/src/login.ts

@@ -1,14 +1,18 @@
-import { generateRandom } from './crypto.js';
-import { eventNames } from './events.js';
-import { initSession } from './initSession.js';
-import { initWorkerAsync } from './initWorker.js';
-import { isTokensOidcValid } from './parseTokens.js';
-import { performAuthorizationRequestAsync, performFirstTokenRequestAsync } from './requests.js';
-import { getParseQueryStringFromLocation } from './route-utils.js';
-import { OidcConfiguration, StringMap } from './types.js';
+import {generateRandom} from './crypto.js';
+import {eventNames} from './events.js';
+import {initSession} from './initSession.js';
+import {initWorkerAsync} from './initWorker.js';
+import {isTokensOidcValid} from './parseTokens.js';
+import {
+    performAuthorizationRequestAsync,
+    performFirstTokenRequestAsync
+} from './requests.js';
+import {getParseQueryStringFromLocation} from './route-utils.js';
+import {OidcConfiguration, StringMap} from './types.js';
+import {generateJwkAsync, generateJwtDemonstratingProofOfPossessionAsync} from "./jwt";
 
 // eslint-disable-next-line @typescript-eslint/ban-types
-export const defaultLoginAsync = (window, configurationName, configuration:OidcConfiguration, publishEvent :(string, any)=>void, initAsync:Function) => (callbackPath:string = undefined, extras:StringMap = null, isSilentSignin = false, scope:string = undefined) => {
+export const defaultLoginAsync = (window, configurationName:string, configuration:OidcConfiguration, publishEvent :(string, any)=>void, initAsync:Function) => (callbackPath:string = undefined, extras:StringMap = null, isSilentSignin = false, scope:string = undefined) => {
     const originExtras = extras;
     extras = { ...extras };
     const loginLocalAsync = async () => {
@@ -42,14 +46,14 @@ export const defaultLoginAsync = (window, configurationName, configuration:OidcC
             const oidcServerConfiguration = await initAsync(configuration.authority, configuration.authority_configuration);
             let storage;
             if (serviceWorker) {
-                serviceWorker.setLoginParams(configurationName, { callbackPath: url, extras: originExtras });
+                serviceWorker.setLoginParams({ callbackPath: url, extras: originExtras });
                 await serviceWorker.initAsync(oidcServerConfiguration, 'loginAsync', configuration);
                 await serviceWorker.setNonceAsync(nonce);
                 serviceWorker.startKeepAliveServiceWorker();
                 storage = serviceWorker;
             } else {
                 const session = initSession(configurationName, configuration.storage ?? sessionStorage);
-                session.setLoginParams(configurationName, { callbackPath: url, extras: originExtras });
+                session.setLoginParams({ callbackPath: url, extras: originExtras });
                 await session.setNonceAsync(nonce);
                 storage = session;
             }
@@ -91,7 +95,7 @@ export const loginCallbackAsync = (oidc) => async (isSilentSignin = false) => {
             await serviceWorker.initAsync(oidcServerConfiguration, 'loginCallbackAsync', configuration);
             await serviceWorker.setSessionStateAsync(sessionState);
             nonceData = await serviceWorker.getNonceAsync();
-            getLoginParams = serviceWorker.getLoginParams(oidc.configurationName);
+            getLoginParams = serviceWorker.getLoginParams();
             state = await serviceWorker.getStateAsync();
             serviceWorker.startKeepAliveServiceWorker();
             storage = serviceWorker;
@@ -99,7 +103,7 @@ export const loginCallbackAsync = (oidc) => async (isSilentSignin = false) => {
             const session = initSession(oidc.configurationName, configuration.storage ?? sessionStorage);
             await session.setSessionStateAsync(sessionState);
             nonceData = await session.getNonceAsync();
-            getLoginParams = session.getLoginParams(oidc.configurationName);
+            getLoginParams = session.getLoginParams();
             state = await session.getStateAsync();
             storage = session;
         }
@@ -135,8 +139,25 @@ export const loginCallbackAsync = (oidc) => async (isSilentSignin = false) => {
                 }
             }
         }
+        
+        const url = oidcServerConfiguration.tokenEndpoint;
+        const headersExtras = {};
+        if(configuration.demonstrating_proof_of_possession) {
+            const jwk = await generateJwkAsync();
+            if (serviceWorker) {
+                await serviceWorker.setDemonstratingProofOfPossessionJwkAsync(jwk);
+            } else {
+                const session = initSession(oidc.configurationName, configuration.storage);
+                await session.setDemonstratingProofOfPossessionJwkAsync(jwk);
+            }
+            headersExtras['DPoP'] = await generateJwtDemonstratingProofOfPossessionAsync(jwk, 'POST', url);
+        }
 
-        const tokenResponse = await performFirstTokenRequestAsync(storage)(oidcServerConfiguration.tokenEndpoint, { ...data, ...extras }, oidc.configuration.token_renew_mode, tokenRequestTimeout);
+        const tokenResponse = await performFirstTokenRequestAsync(storage)(url, 
+            { ...data, ...extras },
+            headersExtras,
+            oidc.configuration.token_renew_mode, 
+            tokenRequestTimeout);
 
         if (!tokenResponse.success) {
             throw new Error('Token request failed');
@@ -144,13 +165,8 @@ export const loginCallbackAsync = (oidc) => async (isSilentSignin = false) => {
 
         let loginParams;
         const formattedTokens = tokenResponse.data.tokens;
-        if (serviceWorker) {
-            await serviceWorker.initAsync(redirectUri, 'syncTokensAsync', configuration);
-            loginParams = serviceWorker.getLoginParams(oidc.configurationName);
-        } else {
-            const session = initSession(oidc.configurationName, configuration.storage);
-            loginParams = session.getLoginParams(oidc.configurationName);
-        }
+        const demonstratingProofOfPossessionNonce = tokenResponse.data.demonstratingProofOfPossessionNonce;
+
         // @ts-ignore
         if (tokenResponse.data.state !== extras.state) {
             throw new Error('state is not valid');
@@ -159,6 +175,30 @@ export const loginCallbackAsync = (oidc) => async (isSilentSignin = false) => {
         if (!isValid) {
             throw new Error(`Tokens are not OpenID valid, reason: ${reason}`);
         }
+        
+        if(serviceWorker){
+            if(formattedTokens.refreshToken && !formattedTokens.refreshToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) {
+                throw new Error("Refresh token should be hidden by service worker");
+            }
+
+            if(demonstratingProofOfPossessionNonce && formattedTokens.accessToken && formattedTokens.accessToken.includes("SECURED_BY_OIDC_SERVICE_WORKER")) {
+                throw new Error("Demonstration of proof of possession require Access token not hidden by service worker");
+            }
+        }
+        
+        if (serviceWorker) {
+            await serviceWorker.initAsync(redirectUri, 'syncTokensAsync', configuration);
+            loginParams = serviceWorker.getLoginParams();
+            if(demonstratingProofOfPossessionNonce) {
+                await serviceWorker.setDemonstratingProofOfPossessionNonce(demonstratingProofOfPossessionNonce);
+            }
+        } else {
+            const session = initSession(oidc.configurationName, configuration.storage);
+            loginParams = session.getLoginParams();
+            if(demonstratingProofOfPossessionNonce) {
+                await session.setDemonstratingProofOfPossessionNonce(demonstratingProofOfPossessionNonce);
+            }
+        }
 
         await oidc.startCheckSessionAsync(oidcServerConfiguration.checkSessionIframe, clientId, sessionState, isSilentSignin);
         oidc.publishEvent(eventNames.loginCallbackAsync_end, {});

package/src/oidc.ts

@@ -1,23 +1,20 @@
-import { startCheckSessionAsync as defaultStartCheckSessionAsync } from './checkSession.js';
-import { CheckSessionIFrame } from './checkSessionIFrame.js';
-import { eventNames } from './events.js';
-import { initSession } from './initSession.js';
-import { initWorkerAsync, sleepAsync } from './initWorker.js';
-import { defaultLoginAsync, loginCallbackAsync } from './login.js';
-import { destroyAsync, logoutAsync } from './logout.js';
-import {
-    computeTimeLeft,
-    isTokensOidcValid,
-    setTokens, TokenRenewMode,
-    Tokens,
-} from './parseTokens.js';
-import { autoRenewTokens, renewTokensAndStartTimerAsync } from './renewTokens.js';
-import { fetchFromIssuer, performTokenRequestAsync } from './requests.js';
-import { getParseQueryStringFromLocation } from './route-utils.js';
-import defaultSilentLoginAsync, { _silentLoginAsync } from './silentLogin.js';
+import {startCheckSessionAsync as defaultStartCheckSessionAsync} from './checkSession.js';
+import {CheckSessionIFrame} from './checkSessionIFrame.js';
+import {eventNames} from './events.js';
+import {initSession} from './initSession.js';
+import {initWorkerAsync, sleepAsync} from './initWorker.js';
+import {defaultLoginAsync, loginCallbackAsync} from './login.js';
+import {destroyAsync, logoutAsync} from './logout.js';
+import {computeTimeLeft, isTokensOidcValid, setTokens, TokenRenewMode, Tokens,} from './parseTokens.js';
+import {autoRenewTokens, renewTokensAndStartTimerAsync} from './renewTokens.js';
+import {fetchFromIssuer, performTokenRequestAsync} from './requests.js';
+import {getParseQueryStringFromLocation} from './route-utils.js';
+import defaultSilentLoginAsync, {_silentLoginAsync} from './silentLogin.js';
 import timer from './timer.js';
-import { AuthorityConfiguration, Fetch, OidcConfiguration, StringMap } from './types.js';
-import { userInfoAsync } from './user.js';
+import {AuthorityConfiguration, Fetch, OidcConfiguration, StringMap} from './types.js';
+import {userInfoAsync} from './user.js';
+import {base64urlOfHashOfASCIIEncodingAsync} from "./crypto";
+import {generateJwtDemonstratingProofOfPossessionAsync} from "./jwt";
 
 export const getFetchDefault = () => {
     return fetch;
@@ -93,12 +90,6 @@ export class Oidc {
       if (refresh_time_before_tokens_expiration_in_second > 60) {
           refresh_time_before_tokens_expiration_in_second = refresh_time_before_tokens_expiration_in_second - Math.floor(Math.random() * 40);
       }
-      if (!configuration.logout_tokens_to_invalidate) {
-          configuration.logout_tokens_to_invalidate = ['access_token', 'refresh_token'];
-      }
-      if (!configuration.authority_timeout_wellknowurl_in_millisecond) {
-          configuration.authority_timeout_wellknowurl_in_millisecond = 10000;
-      }
       this.configuration = {
           ...configuration,
           silent_login_uri,
@@ -106,6 +97,9 @@ export class Oidc {
           refresh_time_before_tokens_expiration_in_second,
           silent_login_timeout: configuration.silent_login_timeout ?? 12000,
           token_renew_mode: configuration.token_renew_mode ?? TokenRenewMode.access_token_or_id_token_invalid,
+          demonstrating_proof_of_possession: configuration.demonstrating_proof_of_possession ?? false,
+          authority_timeout_wellknowurl_in_millisecond: configuration.authority_timeout_wellknowurl_in_millisecond ?? 10000,
+          logout_tokens_to_invalidate: configuration.logout_tokens_to_invalidate ?? ['access_token', 'refresh_token'],
       };
       this.getFetch = getFetch ?? getFetchDefault;
       this.configurationName = configurationName;
@@ -259,7 +253,7 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                     if (tokens) {
                         // @ts-ignore
                         this.tokens = setTokens(tokens, null, configuration.token_renew_mode);
-                        const getLoginParams = session.getLoginParams(this.configurationName);
+                        const getLoginParams = session.getLoginParams();
                         // @ts-ignore
                         this.timeoutId = autoRenewTokens(this, tokens.refreshToken, this.tokens.expiresAt, getLoginParams.extras);
                         const sessionState = await session.getSessionStateAsync();
@@ -373,10 +367,10 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                 let loginParams;
                 const serviceWorker = await initWorkerAsync(configuration.service_worker_relative_url, this.configurationName);
                 if (serviceWorker) {
-                    loginParams = serviceWorker.getLoginParams(this.configurationName);
+                    loginParams = serviceWorker.getLoginParams();
                 } else {
                     const session = initSession(this.configurationName, configuration.storage);
-                    loginParams = session.getLoginParams(this.configurationName);
+                    loginParams = session.getLoginParams();
                 }
                 const silent_token_response = await silentLoginAsync({
                     ...loginParams.extras,
@@ -456,7 +450,19 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                         };
                         const oidcServerConfiguration = await this.initAsync(authority, configuration.authority_configuration);
                         const timeoutMs = document.hidden ? 10000 : 30000 * 10;
-                        const tokenResponse = await performTokenRequestAsync(this.getFetch())(oidcServerConfiguration.tokenEndpoint, details, finalExtras, tokens, configuration.token_renew_mode, timeoutMs);
+                        const url = oidcServerConfiguration.tokenEndpoint;
+                        const headersExtras = {};
+                        if(configuration.demonstrating_proof_of_possession) {
+                            headersExtras['DPoP'] = await this.generateDemonstrationOfProofOfPossessionAsync(tokens.accessToken, url, 'POST');
+                        }
+                        const tokenResponse = await performTokenRequestAsync(this.getFetch())(url, 
+                            details, 
+                            finalExtras, 
+                            tokens,
+                            headersExtras,
+                            configuration.token_renew_mode, 
+                            timeoutMs);
+                        
                         if (tokenResponse.success) {
                             const { isValid, reason } = isTokensOidcValid(tokenResponse.data, nonce.nonce, oidcServerConfiguration);
                             if (!isValid) {
@@ -465,6 +471,15 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
                                 return { tokens: null, status: 'SESSION_LOST' };
                             }
                             updateTokens(tokenResponse.data);
+                            if(tokenResponse.demonstratingProofOfPossessionNonce) {
+                                const serviceWorker = await initWorkerAsync(configuration.service_worker_relative_url, this.configurationName);
+                                if(serviceWorker){
+                                    await serviceWorker.setDemonstratingProofOfPossessionNonce(tokenResponse.demonstratingProofOfPossessionNonce);
+                                } else {
+                                    const session = initSession(this.configurationName, configuration.storage);
+                                    await session.setDemonstratingProofOfPossessionNonce(tokenResponse.demonstratingProofOfPossessionNonce);
+                                }
+                            }
                             this.publishEvent(eventNames.refreshTokensAsync_end, { success: tokenResponse.success });
                             this.publishEvent(Oidc.eventNames.token_renewed, { reason: 'REFRESH_TOKEN' });
                             return { tokens: tokenResponse.data, status: 'LOGGED_IN' };
@@ -486,6 +501,30 @@ Please checkout that you are using OIDC hook inside a <OidcProvider configuratio
             }
      }
 
+    async generateDemonstrationOfProofOfPossessionAsync(accessToken:string, url:string, method:string): Promise<string> {
+
+        const configuration = this.configuration;
+        const claimsExtras = {ath: await base64urlOfHashOfASCIIEncodingAsync(accessToken),};
+
+        const serviceWorker = await initWorkerAsync(configuration.service_worker_relative_url, this.configurationName);
+        let demonstratingProofOfPossessionNonce:string = null;
+        let jwk;
+        if (serviceWorker) {
+            demonstratingProofOfPossessionNonce = await serviceWorker.getDemonstratingProofOfPossessionNonce();
+            jwk = await serviceWorker.getDemonstratingProofOfPossessionJwkAsync();
+        } else {
+            const session = initSession(this.configurationName, configuration.storage);
+            jwk = await session.getDemonstratingProofOfPossessionJwkAsync();
+            demonstratingProofOfPossessionNonce = await session.getDemonstratingProofOfPossessionNonce();
+        }
+
+        if (demonstratingProofOfPossessionNonce) {
+            claimsExtras['nonce'] = demonstratingProofOfPossessionNonce;
+        }
+
+        return await generateJwtDemonstratingProofOfPossessionAsync(jwk, method, url, claimsExtras);
+    }
+
     async syncTokensInfoAsync(configuration, configurationName, currentTokens, forceRefresh = false) {
         // Service Worker can be killed by the browser (when it wants,for example after 10 seconds of inactivity, so we retreieve the session if it happen)
         // const configuration = this.configuration;

package/src/oidcClient.ts

@@ -65,6 +65,10 @@ export class OidcClient {
         return this._oidc.configuration;
     }
 
+    async generateDemonstrationOfProofOfPossessionAsync(accessToken:string, url:string, method:string) : Promise<string> {
+        return this._oidc.generateDemonstrationOfProofOfPossessionAsync(accessToken, url, method);
+    }
+
     async getValidTokenAsync(waitMs = 200, numberWait = 50): Promise<ValidToken> {
         return getValidTokenAsync(this._oidc, waitMs, numberWait);
     }

package/src/requests.ts

@@ -3,6 +3,7 @@ import { deriveChallengeAsync, generateRandom } from './crypto.js';
 import { OidcAuthorizationServiceConfiguration } from './oidc.js';
 import { parseOriginalTokens } from './parseTokens.js';
 import { Fetch, StringMap } from './types.js';
+import EC, {JWK, JWT} from './jwt';
 
 const oneHourSecond = 60 * 60;
 export const fetchFromIssuer = (fetch) => async (openIdIssuerUrl: string, timeCacheSecond = oneHourSecond, storage = window.sessionStorage, timeoutMs = 10000):
@@ -83,7 +84,21 @@ export const performRevocationRequestAsync = (fetch) => async (url, token, token
     };
 };
 
-export const performTokenRequestAsync = (fetch:Fetch) => async (url, details, extras, oldTokens, tokenRenewMode: string, timeoutMs = 10000) => {
+
+type PerformTokenRequestResponse = {
+    success: boolean;
+    status?: number;
+    data?: any;
+    demonstratingProofOfPossessionNonce?: string;
+}
+
+export const performTokenRequestAsync = (fetch:Fetch) => async (url:string, 
+                                                                details, 
+                                                                extras, 
+                                                                oldTokens,
+                                                                headersExtras = {},
+                                                                tokenRenewMode: string, 
+                                                                timeoutMs = 10000):Promise<PerformTokenRequestResponse> => {
     for (const [key, value] of Object.entries(extras)) {
         if (details[key] === undefined) {
             details[key] = value;
@@ -97,21 +112,28 @@ export const performTokenRequestAsync = (fetch:Fetch) => async (url, details, ex
         formBody.push(`${encodedKey}=${encodedValue}`);
     }
     const formBodyString = formBody.join('&');
-
+    
     const response = await internalFetch(fetch)(url, {
         method: 'POST',
         headers: {
             'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
+            ...headersExtras
         },
         body: formBodyString,
     }, timeoutMs);
     if (response.status !== 200) {
-        return { success: false, status: response.status };
+        return { success: false, status: response.status, demonstratingProofOfPossessionNonce:null };
     }
     const tokens = await response.json();
+
+    let demonstratingProofOfPossessionNonce = null;
+    if( response.headers.has(demonstratingProofOfPossessionNonceResponseHeader)){
+        demonstratingProofOfPossessionNonce = response.headers.get(demonstratingProofOfPossessionNonceResponseHeader);
+    }
     return {
         success: true,
         data: parseOriginalTokens(tokens, oldTokens, tokenRenewMode),
+        demonstratingProofOfPossessionNonce: demonstratingProofOfPossessionNonce,
     };
 };
 
@@ -137,13 +159,18 @@ export const performAuthorizationRequestAsync = (storage: any) => async (url, ex
     window.location.href = `${url}${queryString}`;
 };
 
-export const performFirstTokenRequestAsync = (storage:any) => async (url, extras, tokenRenewMode: string, timeoutMs = 10000) => {
-    extras = extras ? { ...extras } : {};
-    extras.code_verifier = await storage.getCodeVerifierAsync();
+const demonstratingProofOfPossessionNonceResponseHeader = "DPoP-Nonce";
+export const performFirstTokenRequestAsync = (storage:any) => async (url, 
+                                                                     formBodyExtras, 
+                                                                     headersExtras, 
+                                                                     tokenRenewMode: string, 
+                                                                     timeoutMs = 10000) => {
+    formBodyExtras = formBodyExtras ? { ...formBodyExtras } : {};
+    formBodyExtras.code_verifier = await storage.getCodeVerifierAsync();
     const formBody = [];
-    for (const property in extras) {
+    for (const property in formBodyExtras) {
         const encodedKey = encodeURIComponent(property);
-        const encodedValue = encodeURIComponent(extras[property]);
+        const encodedValue = encodeURIComponent(formBodyExtras[property]);
         formBody.push(`${encodedKey}=${encodedValue}`);
     }
     const formBodyString = formBody.join('&');
@@ -151,6 +178,7 @@ export const performFirstTokenRequestAsync = (storage:any) => async (url, extras
         method: 'POST',
         headers: {
             'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
+            ...headersExtras,
         },
         body: formBodyString,
     }, timeoutMs);
@@ -158,12 +186,17 @@ export const performFirstTokenRequestAsync = (storage:any) => async (url, extras
     if (response.status !== 200) {
         return { success: false, status: response.status };
     }
+    let demonstratingProofOfPossessionNonce:string= null;
+    if( response.headers.has(demonstratingProofOfPossessionNonceResponseHeader)){
+        demonstratingProofOfPossessionNonce = response.headers.get(demonstratingProofOfPossessionNonceResponseHeader);
+    }
     const tokens = await response.json();
     return {
         success: true,
         data: {
-            state: extras.state,
+            state: formBodyExtras.state,
             tokens: parseOriginalTokens(tokens, null, tokenRenewMode),
-            },
+            demonstratingProofOfPossessionNonce,
+        },
     };
 };

package/src/types.ts

@@ -27,6 +27,7 @@ export type OidcConfiguration = {
     monitor_session?: boolean;
     token_renew_mode?: string;
     logout_tokens_to_invalidate?:Array<LogoutToken>;
+    demonstrating_proof_of_possession?:boolean;
 };
 
 export interface StringMap {