2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -15,7 +15,7 @@ jobs:
- name: 🛠️ Setup PHP
uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # 2.37.0
with:
php-version: "8.1"
php-version: "8.3"
tools: composer, cs2pr

- name: 🔍 Validate composer.json and composer.lock
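Review bot: `php-version: "8.3"` now matches the `config.platform.php` value of `8.3.0` set in composer.json, which is what the `Validate composer.json and composer.lock` step below depends on; add a short comment on this line saying it is tied to that platform setting, otherwise the next PHP bump will update one file and not the other. Pinning the action by commit SHA with the version in the trailing comment is the right pattern and should be kept.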
2 changes: 1 addition & 1 deletion .github/workflows/phpunit.yml
Expand Up @@ -14,7 +14,7 @@ jobs:

strategy:
matrix:
php-version: [8.1, 7.4]
php-version: [8.4, 8.3]

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
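Review bot: the matrix entries `[8.4, 8.3]` are unquoted YAML floats while ci.yml quotes `"8.3"`; floats round-trip for these two values, but a version like `8.0` would be passed as `8` and `8.10` as `8.1`, so quote them (`["8.4", "8.3"]`) for consistency with the other workflow. Dropping 7.4 and 8.1 here is correct now that composer.json requires `^8.3`, but it leaves no job exercising anything below 8.3, so the changelog should state the new floor as a breaking change.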
26 changes: 26 additions & 0 deletions README.md
Expand Up @@ -255,6 +255,32 @@ print_r($response);
6. `DescopeSDK->getClaims($sessionToken)` - will return all of the claims from the JWT in an array format.
7. `DescopeSDK->getUserDetails($refreshToken)` - will return all of the user information (email, phone, verification status, etc.) using a provided refresh token.

### DPoP Sender-Constrained Tokens (RFC 9449)

When a Descope session token contains a `cnf.jkt` claim it is DPoP-bound, meaning every request must include a signed `DPoP` proof JWT that demonstrates possession of the corresponding private key.

Use `validateDPoP` **after** a successful `verify` call to enforce the sender-constraint:

```php
// 1. Verify the session token as usual
$descopeSDK->verify($sessionToken);

// 2. If the token is DPoP-bound, validate the DPoP proof
// (does nothing if the token has no cnf.jkt claim)
$descopeSDK->validateDPoP(
$sessionToken, // the verified session JWT
$_SERVER['HTTP_DPOP'] ?? '', // DPoP header sent by the client (empty string if absent)
$_SERVER['REQUEST_METHOD'], // e.g. "GET" or "POST"

🟢 LOW: $_SERVER['HTTP_DPOP'] is unset when the client doesn't send a DPoP header. Passing null into validateDPoP(string $dpopProof, ...) raises TypeError rather than the intended \Exception('DPoP proof required...').

Suggest showing the safe form so users don't copy a snippet that crashes on the very case the function is designed to detect:

Suggested change
$_SERVER['REQUEST_METHOD'], // e.g. "GET" or "POST"
$_SERVER['HTTP_DPOP'] ?? '', // DPoP header sent by the client (empty string triggers a clear error)

Author
Fixed. Changed $_SERVER['HTTP_DPOP'] to $_SERVER['HTTP_DPOP'] ?? '' so the example handles the case where the DPoP header is absent without a PHP notice.

Author
Fixed. Changed to $_SERVER['HTTP_DPOP'] ?? '' so the example handles the absent-header case without a PHP notice. Also updated the validateDPoP throws description to \Descope\SDK\Exception\TokenException.

'https://example.com/api/resource' // full request URL
);
```

`validateDPoP` throws `\Descope\SDK\Exception\TokenException` if:

- The session token is DPoP-bound but no proof is provided.
- The proof signature, `htm` (method), `htu` (URL), `iat` (timestamp), or `ath` (access token hash) is invalid.
- The proof key does not match the `cnf.jkt` thumbprint in the session token.

### User Management Functions

Each of these functions have code examples on how to use them.
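Review bot: `'https://example.com/api/resource'` is passed as the `htu` value with the comment "full request URL", but the check only protects anything if this is the URL the client actually requested, and a hard-coded literal in a README example tends to get copied into real handlers. Suggest reconstructing it from the request (scheme, host and path, without query and fragment, which is how RFC 9449 §4.2 defines `htu`) and noting that behind a reverse proxy the scheme and host must come from the trusted forwarded headers, since any mismatch here rejects every proof. The bullet list of failure conditions also says nothing about `jti` replay tracking or the accepted `iat` clock-skew window; if `validateDPoP` does neither, the README should say so, because callers will otherwise assume the RFC's replay protection is covered.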
4 changes: 2 additions & 2 deletions composer.json
Expand Up @@ -15,7 +15,7 @@
}
],
"require": {
"php": "^7.3 || ^8.0",
"php": "^8.3",
"guzzlehttp/guzzle": "7.9.2 as 7.9.3",
"paragonie/constant_time_encoding": "2.8.2",
"vlucas/phpdotenv": "^5.6.1"
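Review bot: changing `"php"` from `^7.3 || ^8.0` to `^8.3` changes the `content-hash` that composer records in composer.lock, but no composer.lock change appears in this PR, so the `Validate composer.json and composer.lock` step in ci.yml will warn that the lock file is out of date; run `composer update --lock` (or a full `composer update`) and commit the result. Raising the floor from 7.3 to 8.3 drops every consumer on 7.3 through 8.2 and needs a major version bump and a changelog entry.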
Expand All @@ -34,7 +34,7 @@
"ignore": ["PKSA-z3gr-8qht-p93v"]
},
"platform": {
"php": "7.3.0"
"php": "8.3.0"
}
},
"scripts": {
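Review bot: `"php": "8.3.0"` under `config.platform` pins dependency resolution to the new floor, which is consistent with `^8.3` above and still right now that the matrix also tests 8.4 (resolve against the lowest supported version). The `"ignore": ["PKSA-z3gr-8qht-p93v"]` audit entry just above is untouched; a floor bump that forces a dependency refresh is a good moment to re-check whether that advisory still applies and to add a comment explaining why it is ignored.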