Feature/dpop (#1269)

DPoP support

---------

Co-authored-by: Brady Wied <brady.wied@fusionauth.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Brady Wied <wied03@users.noreply.github.com>

Author: 3 people

src/main/java/io/fusionauth/domain/OpenIdConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2025, FusionAuth, All Rights Reserved
+ * Copyright (c) 2018-2026, FusionAuth, All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,6 +39,11 @@ public class OpenIdConfiguration implements Buildable<OpenIdConfiguration> {
 
   public String device_authorization_endpoint = "%s/oauth2/device_authorize";
 
+  /**
+   * RFC9449 5.1 add dpop_signing_alg_values_supported. Symmetric algorithms cannot be used
+   */
+  public List<String> dpop_signing_alg_values_supported = new ArrayList<>(Arrays.asList("Ed448", "Ed25519", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512", "RS256", "RS384", "RS512"));
+
   public String end_session_endpoint = "%s/oauth2/logout";
 
   @SuppressWarnings("SpellCheckingInspection")
@@ -82,6 +87,7 @@ public boolean equals(Object o) {
            Objects.equals(authorization_endpoint, that.authorization_endpoint) &&
            Objects.equals(claims_supported, that.claims_supported) &&
            Objects.equals(device_authorization_endpoint, that.device_authorization_endpoint) &&
+           Objects.equals(dpop_signing_alg_values_supported, that.dpop_signing_alg_values_supported) &&
            Objects.equals(end_session_endpoint, that.end_session_endpoint) &&
            Objects.equals(grant_types_supported, that.grant_types_supported) &&
            Objects.equals(id_token_signing_alg_values_supported, that.id_token_signing_alg_values_supported) &&
@@ -99,7 +105,7 @@ public boolean equals(Object o) {
 
   @Override
   public int hashCode() {
-    return Objects.hash(authorization_endpoint, backchannel_logout_supported, claims_supported, device_authorization_endpoint, end_session_endpoint, frontchannel_logout_supported, grant_types_supported, id_token_signing_alg_values_supported, issuer, jwks_uri, response_modes_supported, response_types_supported, scopes_supported, subject_types_supported, token_endpoint, token_endpoint_auth_methods_supported, userinfo_endpoint, userinfo_signing_alg_values_supported);
+    return Objects.hash(authorization_endpoint, backchannel_logout_supported, claims_supported, device_authorization_endpoint, dpop_signing_alg_values_supported, end_session_endpoint, frontchannel_logout_supported, grant_types_supported, id_token_signing_alg_values_supported, issuer, jwks_uri, response_modes_supported, response_types_supported, scopes_supported, subject_types_supported, token_endpoint, token_endpoint_auth_methods_supported, userinfo_endpoint, userinfo_signing_alg_values_supported);
   }
 
   @Override

src/main/java/io/fusionauth/domain/oauth2/OAuthError.java

@@ -195,6 +195,10 @@ public enum OAuthErrorType {
     // Used in Introspect validation. See section 2.1 of RFC 7662 https://tools.ietf.org/html/rfc7662
     // - Values for 'token_type_hint' are defined by RFC 7009 "OAuth Token Type Hints". https://tools.ietf.org/html/rfc7009
     // - Validation for this field is described in section 4.1.1 of RFC 7009.
-    unsupported_token_type
+    unsupported_token_type,
+
+    // RFC 9449 DPoP Proof of Possession. Section 12.2
+    // https://datatracker.ietf.org/doc/html/rfc9449
+    invalid_dpop_proof
   }
 }

src/main/java/io/fusionauth/domain/oauth2/TokenType.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018-2019, FusionAuth, All Rights Reserved
+ * Copyright (c) 2018-2025, FusionAuth, All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -22,14 +22,15 @@
  * <a href="https://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05">
  * Draft RFC on OAuth 2.0 Message Authentication Code (MAC) Tokens</a>
  * </li>
+ * <li>DPoP Token type as defined by <a href="https://datatracker.ietf.org/doc/html/rfc9449">RFC 9449</a></li>
  * </ul>
  *
  * @author Daniel DeGroff
  */
 public enum TokenType {
   Bearer,
-  MAC;
-
+  MAC,
+  DPoP;
 
   public static TokenType fromName(String s) {
     if (Bearer.name().equalsIgnoreCase(s)) {
@@ -40,6 +41,10 @@ public static TokenType fromName(String s) {
       return MAC;
     }
 
+    if (DPoP.name().equalsIgnoreCase(s)) {
+      return DPoP;
+    }
+
     return null;
   }
 }

src/main/java/io/fusionauth/domain/reactor/ReactorStatus.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021-2025, FusionAuth, All Rights Reserved
+ * Copyright (c) 2021-2026, FusionAuth, All Rights Reserved
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -49,6 +49,8 @@ public class ReactorStatus {
 
   public ReactorFeatureStatus connectors = ReactorFeatureStatus.UNKNOWN;
 
+  public ReactorFeatureStatus dPoP = ReactorFeatureStatus.UNKNOWN;
+
   public ReactorFeatureStatus entityManagement = ReactorFeatureStatus.UNKNOWN;
 
   public LocalDate expiration;
@@ -90,6 +92,7 @@ public ReactorStatus(ReactorStatus other) {
     advancedOAuthScopes = other.advancedOAuthScopes;
     advancedOAuthScopesCustomScopes = other.advancedOAuthScopesCustomScopes;
     advancedOAuthScopesThirdPartyApplications = other.advancedOAuthScopesThirdPartyApplications;
+    dPoP = other.dPoP;
     entityManagement = other.entityManagement;
     expiration = other.expiration;
     licenseAttributes.putAll(other.licenseAttributes);
@@ -124,6 +127,7 @@ public boolean equals(Object o) {
            advancedOAuthScopes == that.advancedOAuthScopes &&
            advancedOAuthScopesCustomScopes == that.advancedOAuthScopesCustomScopes &&
            advancedOAuthScopesThirdPartyApplications == that.advancedOAuthScopesThirdPartyApplications &&
+           dPoP == that.dPoP &&
            entityManagement == that.entityManagement &&
            Objects.equals(expiration, that.expiration) &&
            licensed == that.licensed &&
@@ -148,6 +152,7 @@ public int hashCode() {
                         applicationThemes,
                         breachedPasswordDetection,
                         connectors,
+                        dPoP,
                         advancedOAuthScopes,
                         advancedOAuthScopesCustomScopes,
                         advancedOAuthScopesThirdPartyApplications,