
features.dPoP

This content is for v8.x. Switch to the latest version for up-to-date documentation.

RFC9449 - OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)

Enables DPoP, a mechanism for sender-constraining tokens via proof-of-possession at the application level. Browser DPoP proof generation here.

default value:

{
  allowReplay: false,
  enabled: false,
  nonceSecret: undefined,
  requireNonce: [Function: requireNonce] // see expanded details below
}
features.dPoP options details

allowReplay

Controls whether DPoP Proof Replay Detection is used or not.

default value:

false

nonceSecret

A secret value used for generating server-provided DPoP nonces. When provided, it must be a Buffer instance exactly 32 bytes long.

default value:

undefined

requireNonce

Function used to determine whether a DPoP nonce is required or not.

default value:

function requireNonce(ctx) {
  return false;
}
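The following added example (not oidc-provider's own code) shows what the three options govern on the server side: a proof whose `jti` was already seen is rejected when `allowReplay` is false, and a proof without a valid server nonce is answered with `use_dpop_nonce` when `requireNonce` returns true. The `options` object, the HMAC-based nonce derivation from `nonceSecret`, the 5-minute `iat` window, the in-memory `Set` and the `https://op.example/token` URL are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');
// Constructed stand-ins for the options documented above (not oidc-provider internals).
const options = { allowReplay: false, nonceSecret: nodeCrypto.randomBytes(32), requireNonce: () => true };
if (options.nonceSecret.length !== 32) throw new TypeError('nonceSecret must be a 32-byte Buffer');

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const parse = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
// Assumed nonce scheme: HMAC over the current 60-second window, keyed with nonceSecret.
const nonceFor = (nowMs) => nodeCrypto.createHmac('sha256', options.nonceSecret)
  .update(String(Math.floor(nowMs / 60000))).digest('base64url');
const seenJti = new Set(); // replay cache; production needs a shared store with expiry

// Client side: ES256 DPoP proof JWT carrying its own public key (RFC 9449 section 4.2).
function makeProof(keyPair, claims) {
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: keyPair.publicKey.export({ format: 'jwk' }) };
  const input = `${b64u(header)}.${b64u(claims)}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key: keyPair.privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Server side: returns 'ok' or an RFC 9449 error code.
function checkProof(proof, { htm, htu, nowMs }) {
  let claims;
  try {
    const [h, p, s] = proof.split('.');
    const { typ, alg, jwk } = parse(h);
    if (typ !== 'dpop+jwt' || alg !== 'ES256' || jwk.kty !== 'EC' || jwk.crv !== 'P-256' || 'd' in jwk) return 'invalid_dpop_proof';
    const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
    const sigOk = nodeCrypto.verify('sha256', Buffer.from(`${h}.${p}`), { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
    if (!sigOk) return 'invalid_dpop_proof';
    claims = parse(p);
  } catch { return 'invalid_dpop_proof'; }
  if (claims?.htm !== htm || claims.htu !== htu || typeof claims.jti !== 'string') return 'invalid_dpop_proof';
  if (!(Math.abs(nowMs / 1000 - claims.iat) <= 300)) return 'invalid_dpop_proof'; // assumed 5-minute window
  const nonceOk = [nowMs, nowMs - 60000].some((t) => nonceFor(t) === claims.nonce);
  if ((options.requireNonce() || claims.nonce !== undefined) && !nonceOk) return 'use_dpop_nonce';
  if (!options.allowReplay && seenJti.has(claims.jti)) return 'invalid_dpop_proof'; // replayed jti
  seenJti.add(claims.jti);
  return 'ok';
}

// Constructed run: first use, replay of the same proof, then a proof without a nonce.
function demo(nowMs = Date.now()) {
  const keyPair = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const req = { htm: 'POST', htu: 'https://op.example/token', nowMs };
  const base = { htm: req.htm, htu: req.htu, iat: Math.floor(nowMs / 1000) };
  const proof = makeProof(keyPair, { ...base, jti: nodeCrypto.randomUUID(), nonce: nonceFor(nowMs) });
  const noNonce = makeProof(keyPair, { ...base, jti: nodeCrypto.randomUUID() });
  return [checkProof(proof, req), checkProof(proof, req), checkProof(noNonce, req)];
}
```

Calling `demo()` returns one result per request: the first proof is accepted, its replay is rejected, and the proof lacking a nonce is told to retry with one.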