refactor!: userinfo requests with bearer tokens will now fail if they also include DPoP

Author: panva

lib/actions/userinfo.js

@@ -110,6 +110,10 @@ export default [
 
         ctx.assert(unique, new InvalidToken('DPoP proof JWT Replay detected'));
       }
+
+      if (!accessToken.jkt) {
+        throw new InvalidToken('access token is not sender-constrained but proof of possession was provided');
+      }
     }
 
     if (accessToken.jkt && (!dPoP || accessToken.jkt !== dPoP.thumbprint)) {

test/dpop/dpop.test.js

@@ -314,6 +314,23 @@ describe('features.dPoP', () => {
       }
     });
 
+    it("doesn't allow Bearer tokens to be passed with DPoP scheme", async function () {
+      const at = new this.provider.AccessToken({
+        accountId: this.loggedInAccountId,
+        grantId: this.getGrantId(),
+        client: await this.provider.Client.find('client'),
+        scope: 'openid',
+      });
+
+      const dpop = await at.save();
+      const proof = await DPoP(this.keypair, `${this.provider.issuer}${this.suitePath('/me')}`, 'GET', undefined, dpop);
+
+      await this.agent.get('/me')
+        .set('Authorization', `DPoP ${dpop}`)
+        .set('DPoP', proof)
+        .expect(this.failWith(401, 'invalid_token', 'invalid token provided', undefined, 'DPoP'));
+    });
+
     it('acts like an RS checking the DPoP proof and thumbprint now', async function () {
       const at = new this.provider.AccessToken({
         accountId: this.loggedInAccountId,