Automattic · pfefferle · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/.github/changelog/3119-from-description b/.github/changelog/3119-from-description
@@ -0,0 +1,4 @@
+Significance: minor
+Type: added
+
+Add DPoP (RFC 9449) support to protect OAuth tokens from theft and replay.
diff --git a/includes/oauth/class-authorization-code.php b/includes/oauth/class-authorization-code.php
@@ -129,13 +129,14 @@ public static function create(
 	/**
 	 * Exchange authorization code for tokens.
 	 *
-	 * @param string $code          The authorization code.
-	 * @param string $client_id     The client ID.
-	 * @param string $redirect_uri  The redirect URI (must match original).
-	 * @param string $code_verifier The PKCE code verifier.
+	 * @param string      $code          The authorization code.
+	 * @param string      $client_id     The client ID.
+	 * @param string      $redirect_uri  The redirect URI (must match original).
+	 * @param string      $code_verifier The PKCE code verifier.
+	 * @param string|null $dpop_jkt      Optional DPoP JWK thumbprint for token binding.
 	 * @return array|\WP_Error Token data or error.
 	 */
-	public static function exchange( $code, $client_id, $redirect_uri, $code_verifier ) {
+	public static function exchange( $code, $client_id, $redirect_uri, $code_verifier, $dpop_jkt = null ) {
 		$redirect_uri = Sanitize::redirect_uri( $redirect_uri );
 		$code_hash    = self::hash_code( $code );
 		$transient    = self::TRANSIENT_PREFIX . $code_hash;
@@ -195,7 +196,9 @@ public static function exchange( $code, $client_id, $redirect_uri, $code_verifie
 		return Token::create(
 			$code_data['user_id'],
 			$client_id,
-			$code_data['scopes']
+			$code_data['scopes'],
+			Token::DEFAULT_EXPIRATION,
+			$dpop_jkt
 		);
 	}