[C2S] Add DPoP (RFC 9449) support for OAuth token binding

[pfefferle]

Supersedes #2941 (rebased cleanly onto current trunk).

Proposed changes:

• Add DPoP (Demonstrating Proof of Possession, RFC 9449) support for the C2S OAuth implementation. This cryptographically binds access tokens to a client's key pair, preventing token theft and replay attacks.
• DPoP is fully opt-in: clients that include a DPoP proof header during token issuance get DPoP-bound tokens; clients that don't get regular Bearer tokens with no behavior change.
• Self-contained implementation with no external JWT library — uses PHP's OpenSSL extension directly, compatible with PHP 7.4+.
• Supports ES256 (ECDSA P-256) and RS256 signing algorithms.

Key changes:

• New DPoP class (includes/oauth/class-dpop.php) — JWT decode, JWK thumbprint (RFC 7638), JWK-to-PEM conversion, DPoP proof validation with jti replay protection
• Token class — stores dpop_jkt binding, returns token_type: DPoP, preserves binding through refresh, includes cnf.jkt in introspection
• Server class — accepts Authorization: DPoP scheme, validates proofs on resource access, advertises dpop_signing_alg_values_supported in metadata
• Token_Controller — validates DPoP proofs at token endpoint for auth code grants
• CORS headers now include DPoP in Access-Control-Allow-Headers

Other information:

• Have you written new tests for your changes, if applicable?

Testing instructions:

• Run existing OAuth tests to verify no regressions: npm run env-test -- --group=oauth
• Run DPoP-specific tests: npm run env-test -- --filter=DPoP
• Verify server metadata includes dpop_signing_alg_values_supported: curl <site>/wp-json/activitypub/1.0/oauth/authorization-server-metadata | jq .dpop_signing_alg_values_supported
• Existing Bearer token flows should work identically (backward compatible)

Changelog entry

• Automatically create a changelog entry from the details below.

Changelog Entry Details

Significance

• Patch
• Minor
• Major

Type

• Added - for new features
• Changed - for changes in existing functionality
• Deprecated - for soon-to-be removed features
• Removed - for now removed features
• Fixed - for any bug fixes
• Security - in case of vulnerabilities

Message

Add DPoP (RFC 9449) support to protect OAuth tokens from theft and replay.

[Copilot]

Pull request overview

Adds opt-in DPoP (RFC 9449) proof-of-possession support to the C2S OAuth flow, binding issued access tokens to a client key to reduce token replay/theft risk.

Changes:

• Introduces DPoP proof validation + JWK thumbprint computation and wires it into token issuance/introspection and resource authentication.
• Extends tokens to persist DPoP binding through refresh and expose cnf.jkt via introspection / metadata.
• Adds DPoP-related tests and updates CORS to allow the DPoP header.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
tests/phpunit/tests/includes/oauth/class-test-dpop.php	Adds PHPUnit coverage for DPoP proof validation, token binding, refresh, introspection, and replay protection
includes/rest/oauth/class-token-controller.php	Binds token issuance to DPoP key thumbprint when a DPoP proof is provided
includes/rest/class-server.php	Allows DPoP header in CORS preflight/response headers
includes/oauth/class-token.php	Persists dpop_jkt, returns token_type: DPoP, preserves binding on refresh, exposes cnf.jkt in introspection
includes/oauth/class-server.php	Accepts Authorization: DPoP, validates proofs on resource access, and advertises DPoP signing algs in metadata
includes/oauth/class-dpop.php	Implements DPoP JWT validation, signature verification (ES256/RS256), JWK thumbprint, and replay protection
includes/oauth/class-authorization-code.php	Threads optional dpop_jkt through auth code exchange into token creation
.github/changelog/3119-from-description	Adds changelog entry for the new DPoP feature

[Copilot]

DPoP::validate_proof() is called without required arguments, but the method signature requires at least $proof, $http_method, and $http_uri. This will fatally error at runtime. Pass the extracted $proof and the current request method/URI (e.g., via DPoP::get_request_method() / DPoP::get_request_uri() or the REST request object), and consider returning/propagating a WP_Error if a DPoP header is present but invalid (instead of silently returning null).

Suggested change

	$result = DPoP::validate_proof();
	if ( \is_wp_error( $result ) ) {
	return null;
	}
	return $result['jkt'];
	$http_method = DPoP::get_request_method();
	$http_uri = DPoP::get_request_uri();
	$result = DPoP::validate_proof( $proof, $http_method, $http_uri );
	if ( \is_wp_error( $result ) ) {
	return null;
	}
	return isset( $result['jkt'] ) ? $result['jkt'] : null;

[Copilot]

On resource requests, DPoP::validate_proof() is being called with the access token ($token) as the first argument, but the validator expects the DPoP proof JWT plus request method/URI (and the access token should be provided as the optional $access_token for ath verification). This currently both mis-validates the request and skips the ath binding check. Fix by extracting the DPoP proof from the DPoP header (e.g., DPoP::get_proof_from_request()), passing the actual HTTP method/URI, and passing $token as the $access_token parameter.

[Copilot]

base64url_decode() can return false for invalid input, but verify_signature() (and downstream ECDSA conversion) assumes a string. A malformed signature segment can trigger warnings or incorrect verification behavior. Handle decode failure explicitly (e.g., treat a false decode result as activitypub_dpop_invalid_jwt) before calling verify_signature().

Suggested change

	$signature_valid = self::verify_signature(
	$parts[0] . '.' . $parts[1],
	self::base64url_decode( $parts[2] ),
	$signature = self::base64url_decode( $parts[2] );
	if ( false === $signature ) {
	return new \WP_Error(
	'activitypub_dpop_invalid_jwt',
	\__( 'Invalid DPoP proof: cannot decode signature.', 'activitypub' ),
	array( 'status' => 401 )
	);
	}
	$signature_valid = self::verify_signature(
	$parts[0] . '.' . $parts[1],
	$signature,

[Copilot]

The replay cache entry is always kept for MAX_AGE seconds, even when the proof is near expiry. This retains unnecessary transient entries and can increase options/transient churn under load. Consider setting the transient TTL to the remaining validity window (e.g., max( 1, self::MAX_AGE - ( $now - $iat ) )) so storage duration matches the proof’s actual replay-relevant lifetime.

Suggested change

	\set_transient( $jti_cache_key, 1, self::MAX_AGE );
	// Store the jti for the remaining validity window of the proof.
	$age = $now - $iat;
	$ttl = max( 1, self::MAX_AGE - $age );
	\set_transient( $jti_cache_key, 1, $ttl );

[Copilot]

For RFC 9449 htu comparison, sanitizing HTTP_HOST / REQUEST_URI with sanitize_text_field() can modify the values (e.g., stripping or normalizing characters), which can cause valid DPoP proofs to fail htu matching (or produce mismatched normalization relative to what the client signed). Prefer using the raw header/URI values (unslashed) and normalizing via URI parsing/recomposition rather than text-field sanitization.

[Copilot]

The docblock says the refresh with a wrong DPoP key is rejected, but the test body only checks that refreshed tokens preserve the original binding and that RSA/EC JKT differ—there is no assertion that a refresh attempt using a mismatched DPoP proof is rejected. Either update the docblock to match what’s being tested, or extend the test to exercise the controller/resource-layer rejection behavior.