Add support for DPoP (#1388)

### Changes

> [!IMPORTANT]
> This PR is only the first part of the whole DPoP feature. The second
PR is #1400.
> 
> Because of this, **please do not make a new release until both PRs are
merged**.

This PR adds support for DPoP. It includes:

- Key generation and secure storage.
- Authorization code binding (i.e. `dpop_jkt` parameter).
- Access token request binding (i.e. `DPoP` header).
- Automatic nonce management and retries for Auth0 flows.

It does NOT include:
- Docs for the DPoP feature.
- A way of using DPoP with external, custom APIs.

Both of these ☝️ will be added in #1400, for an easier review.

ℹ️ Notes to understand some changes:

- Since some changes to core code were made (i.e. header parsing and
`token_type` property in cache), some apparently unrelated tests had to
be adapted.
- Since the `dpop` package has some syntax that is too new for the
current Jest configuration, transpilation had to be explicitely enabled
for it:
    - The `ts-jest` preset was changed to `ts-jest/presets/js-with-ts`.
    - `allowJs` was enabled.
    - `dpop` was added to `transformIgnorePatterns`.
- I added `fake-indexeddb` for testing, which needs a `structuredClone`
implementation in `jsdom` but current version doesn't include it, so we
use the Node implementation instead.
- `ES2019.Object`, `DOM` and `DOM.Iterable` were added to the TS `lib`s
so Fetch API's `Headers` interface can be used. This will not change the
resulting code, just the types available when type-checking.

### Testing

- [x] This change adds unit test coverage
- [ ] This change adds integration test coverage
- [x] This change has been tested on the latest version of the
platform/language

### Checklist

- [x] I have read the [Auth0 general contribution
guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
- [x] I have read the [Auth0 Code of
Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
- [x] All code quality tools/guidelines have been run/followed

---------

Co-authored-by: Rita Zerrizuela <zeta@widcket.com>

Author: martinml

__tests__/Auth0Client/constructor.test.ts

@@ -10,6 +10,7 @@ import { assertUrlEquals, loginWithRedirectFn, setupFn } from './helpers';
 
 import { TEST_CLIENT_ID, TEST_CODE_CHALLENGE, TEST_DOMAIN } from '../constants';
 import { ICache } from '../../src/cache';
+import * as DpopModule from '../../src/dpop/dpop';
 
 jest.mock('es-cookie');
 jest.mock('../../src/jwt');
@@ -65,6 +66,7 @@ describe('Auth0Client', () => {
     mockWindow.Worker = {};
     jest.spyOn(scope, 'getUniqueScopes');
     sessionStorage.clear();
+    jest.spyOn(DpopModule, 'Dpop').mockReturnThis();
   });
 
   afterEach(() => {
@@ -167,5 +169,18 @@ describe('Auth0Client', () => {
 
       expect(mockCache.set).toHaveBeenCalled();
     });
+
+    it('does not create DPoP handler when is disabled', () => {
+      const auth0 = setup({ useDpop: false });
+
+      expect(auth0['dpop']).toBeUndefined();
+    });
+
+    it('creates a DPoP handler when enabled', () => {
+      const auth0 = setup({ useDpop: true });
+
+      expect(auth0['dpop']).not.toBeUndefined();
+      expect(DpopModule.Dpop).toHaveBeenCalledWith(TEST_CLIENT_ID);
+    });
   });
 });

__tests__/Auth0Client/dpop.test.ts

@@ -0,0 +1,126 @@
+/**
+ * We don't need the DOM for this specific test suite.
+ *
+ * @jest-environment node
+ */
+
+import { Auth0Client, Auth0ClientOptions } from '../../src';
+import {
+  TEST_CLIENT_ID,
+  TEST_DOMAIN,
+  TEST_DPOP_NONCE,
+  TEST_DPOP_PROOF
+} from '../constants';
+
+import { beforeEach, describe, expect } from '@jest/globals';
+import { Dpop } from '../../src/dpop/dpop';
+
+function newTestAuth0Client(
+  extraOpts?: Partial<Auth0ClientOptions>
+): Auth0Client {
+  return new Auth0Client({
+    ...extraOpts,
+    domain: TEST_DOMAIN,
+    clientId: TEST_CLIENT_ID
+  });
+}
+
+describe('Auth0Client', () => {
+  beforeEach(() => {
+    jest.resetAllMocks();
+    jest.restoreAllMocks();
+  });
+
+  describe('_assertDpop()', () => {
+    const auth0 = newTestAuth0Client();
+
+    describe('DPoP disabled', () => {
+      it('throws an error', () =>
+        expect(() => auth0['_assertDpop'](undefined)).toThrow(
+          '`useDpop` option must be enabled before using DPoP.'
+        ));
+    });
+
+    describe('DPoP enabled', () => {
+      const dpop = new Dpop(TEST_CLIENT_ID);
+
+      it('does not throw', () =>
+        expect(() => auth0['_assertDpop'](dpop)).not.toThrow());
+    });
+  });
+
+  describe('getDpopNonce()', () => {
+    const id = 'my_custom_api';
+    const auth0 = newTestAuth0Client({ useDpop: true });
+    const dpop = auth0['dpop']!;
+
+    beforeEach(() => {
+      auth0['_assertDpop'] = jest.fn();
+      jest.spyOn(dpop, 'getNonce').mockResolvedValue(TEST_DPOP_NONCE);
+    });
+
+    let output: unknown;
+
+    beforeEach(async () => {
+      output = await auth0.getDpopNonce(id);
+    });
+
+    it('asserts DPoP is enabled', () =>
+      expect(auth0['_assertDpop']).toHaveBeenCalled());
+
+    it('delegates into Dpop.getNonce()', () => {
+      expect(dpop.getNonce).toHaveBeenCalledWith(id);
+      expect(output).toBe(TEST_DPOP_NONCE);
+    });
+  });
+
+  describe('setDpopNonce()', () => {
+    const id = 'my_custom_api';
+    const auth0 = newTestAuth0Client({ useDpop: true });
+    const dpop = auth0['dpop']!;
+
+    beforeEach(() => {
+      auth0['_assertDpop'] = jest.fn();
+      jest.spyOn(dpop, 'setNonce').mockResolvedValue();
+    });
+
+    beforeEach(() => auth0.setDpopNonce(TEST_DPOP_NONCE, id));
+
+    it('asserts DPoP is enabled', () =>
+      expect(auth0['_assertDpop']).toHaveBeenCalled());
+
+    it('delegates into Dpop.setNonce()', () =>
+      expect(dpop.setNonce).toHaveBeenCalledWith(TEST_DPOP_NONCE, id));
+  });
+
+  describe('generateDpopProof()', () => {
+    const auth0 = newTestAuth0Client({ useDpop: true });
+    const dpop = auth0['dpop']!;
+
+    const params: Parameters<Auth0Client['generateDpopProof']>[0] = {
+      accessToken: 'test-access-token',
+      method: 'test-method',
+      url: 'test-url',
+      nonce: 'test-nonce'
+    };
+
+    beforeEach(() => {
+      auth0['_assertDpop'] = jest.fn();
+      jest.spyOn(dpop, 'generateProof').mockResolvedValue(TEST_DPOP_PROOF);
+    });
+
+    let output: string;
+
+    beforeEach(async () => {
+      output = await auth0.generateDpopProof(params);
+    });
+
+    it('asserts DPoP is enabled', () =>
+      expect(auth0['_assertDpop']).toHaveBeenCalled());
+
+    it('delegates into Dpop.generateProof()', () =>
+      expect(dpop.generateProof).toHaveBeenCalledWith(params));
+
+    it('returns the proof', () => expect(output).toBe(TEST_DPOP_PROOF));
+  });
+});

__tests__/Auth0Client/exchangeToken.test.ts

@@ -90,6 +90,7 @@ describe('Auth0Client', () => {
           },
           id_token: 'fake_id_token',
           access_token: 'fake_access_token',
+          token_type: 'Bearer',
           expires_in: 3600,
           scope: requestOptions.scope
         };
@@ -140,6 +141,7 @@ describe('Auth0Client', () => {
           },
           id_token: 'fake_id_token',
           access_token: 'fake_access_token',
+          token_type: 'Bearer',
           expires_in: 3600,
           scope: requestOptions.scope
         };
@@ -190,6 +192,7 @@ describe('Auth0Client', () => {
           },
           id_token: 'fake_id_token',
           access_token: 'fake_access_token',
+          token_type: 'Bearer',
           expires_in: 3600,
           scope: requestOptions.scope
         };
@@ -235,6 +238,7 @@ describe('Auth0Client', () => {
           },
           id_token: 'fake_id_token',
           access_token: 'fake_access_token',
+          token_type: 'Bearer',
           expires_in: 3600,
           scope: requestOptions.scope
         };
@@ -297,6 +301,7 @@ describe('Auth0Client', () => {
           },
           id_token: 'fake_id_token',
           access_token: 'fake_access_token',
+          token_type: 'Bearer',
           expires_in: 3600,
           scope: requestOptions.scope
         };

__tests__/Auth0Client/getTokenSilently.test.ts

@@ -1,16 +1,20 @@
+import { expect } from '@jest/globals';
 import * as esCookie from 'es-cookie';
-import { verify } from '../../src/jwt';
 import { MessageChannel } from 'worker_threads';
-import * as utils from '../../src/utils';
-import * as promiseUtils from '../../src/promise-utils';
-import * as scope from '../../src/scope';
 import * as api from '../../src/api';
 import * as http from '../../src/http';
-import { expect } from '@jest/globals';
+import { verify } from '../../src/jwt';
+import * as promiseUtils from '../../src/promise-utils';
+import * as scope from '../../src/scope';
+import * as utils from '../../src/utils';
 
 import { expectToHaveBeenCalledWithAuth0ClientParam } from '../helpers';
 
-import { GET_TOKEN_SILENTLY_LOCK_KEY, TEST_ORG_ID } from '../constants';
+import {
+  GET_TOKEN_SILENTLY_LOCK_KEY,
+  TEST_ORG_ID,
+  TEST_TOKEN_TYPE
+} from '../constants';
 
 // @ts-ignore
 import { acquireLockSpy } from 'browser-tabs-lock';
@@ -2148,7 +2152,8 @@ describe('Auth0Client', () => {
             refresh_token: TEST_REFRESH_TOKEN,
             access_token: TEST_ACCESS_TOKEN,
             expires_in: 86400
-          })
+          }),
+          headers: new Headers()
         })
       );
       // Fail only the first occurring /token request by providing it as mockImplementationOnce.
@@ -2160,7 +2165,8 @@ describe('Auth0Client', () => {
           json: () => ({
             error: 'invalid_grant',
             error_description: INVALID_REFRESH_TOKEN_ERROR_MESSAGE
-          })
+          }),
+          headers: new Headers()
         })
       );
 
@@ -2189,7 +2195,8 @@ describe('Auth0Client', () => {
           json: () => ({
             error: 'invalid_grant',
             error_description: INVALID_REFRESH_TOKEN_ERROR_MESSAGE
-          })
+          }),
+          headers: new Headers()
         })
       );
 
@@ -2267,6 +2274,7 @@ describe('Auth0Client', () => {
           id_token: TEST_ID_TOKEN,
           refresh_token: TEST_REFRESH_TOKEN,
           access_token: TEST_ACCESS_TOKEN,
+          token_type: TEST_TOKEN_TYPE,
           expires_in: 86400
         })
       );
@@ -2280,6 +2288,7 @@ describe('Auth0Client', () => {
       expect(response).toStrictEqual({
         id_token: TEST_ID_TOKEN,
         access_token: TEST_ACCESS_TOKEN,
+        token_type: TEST_TOKEN_TYPE,
         expires_in: 86400
       });
     });
@@ -2294,6 +2303,7 @@ describe('Auth0Client', () => {
           id_token: TEST_ID_TOKEN,
           refresh_token: TEST_REFRESH_TOKEN,
           access_token: TEST_ACCESS_TOKEN,
+          token_type: TEST_TOKEN_TYPE,
           expires_in: 86400,
           scope: 'read:messages'
         })
@@ -2308,6 +2318,7 @@ describe('Auth0Client', () => {
       expect(response).toStrictEqual({
         id_token: TEST_ID_TOKEN,
         access_token: TEST_ACCESS_TOKEN,
+        token_type: TEST_TOKEN_TYPE,
         expires_in: 86400,
         scope: 'read:messages'
       });
@@ -2332,6 +2343,7 @@ describe('Auth0Client', () => {
       expect(response).toStrictEqual({
         id_token: TEST_ID_TOKEN,
         access_token: TEST_ACCESS_TOKEN,
+        token_type: TEST_TOKEN_TYPE,
         expires_in: 86400
       });
 
@@ -2397,6 +2409,7 @@ describe('Auth0Client', () => {
       expect(response).toStrictEqual({
         id_token: TEST_ID_TOKEN,
         access_token: TEST_ACCESS_TOKEN,
+        token_type: TEST_TOKEN_TYPE,
         expires_in: 86400,
         scope: 'read:messages'
       });

__tests__/Auth0Client/helpers.ts

@@ -19,7 +19,8 @@ import {
   TEST_ID_TOKEN,
   TEST_REDIRECT_URI,
   TEST_REFRESH_TOKEN,
-  TEST_STATE
+  TEST_STATE,
+  TEST_TOKEN_TYPE
 } from '../constants';
 import { expect } from '@jest/globals';
 import { patchOpenUrlWithOnRedirect } from '../../src/Auth0Client.utils';
@@ -104,10 +105,15 @@ export const assertUrlEquals = (
   }
 };
 
-export const fetchResponse = (ok, json) =>
+export const fetchResponse = (
+  ok: boolean,
+  json: unknown,
+  headers: Record<string, string> = {}
+) =>
   Promise.resolve({
     ok,
-    json: () => Promise.resolve(json)
+    json: () => Promise.resolve(json),
+    headers: new Headers(headers)
   });
 
 export const setupFn = (mockVerify: jest.Mock) => {
@@ -238,6 +244,7 @@ export const loginWithRedirectFn = (mockWindow, mockFetch) => {
             id_token: TEST_ID_TOKEN,
             refresh_token: TEST_REFRESH_TOKEN,
             access_token: TEST_ACCESS_TOKEN,
+            token_type: TEST_TOKEN_TYPE,
             expires_in: 86400
           },
           token.response
@@ -340,6 +347,7 @@ export const loginWithPopupFn = (mockWindow, mockFetch) => {
             id_token: TEST_ID_TOKEN,
             refresh_token: TEST_REFRESH_TOKEN,
             access_token: TEST_ACCESS_TOKEN,
+            token_type: TEST_TOKEN_TYPE,
             expires_in: 86400
           },
           token.response
@@ -357,6 +365,7 @@ export const checkSessionFn = mockFetch => {
         id_token: TEST_ID_TOKEN,
         refresh_token: TEST_REFRESH_TOKEN,
         access_token: TEST_ACCESS_TOKEN,
+        token_type: TEST_TOKEN_TYPE,
         expires_in: 86400
       })
     );
@@ -402,6 +411,7 @@ export const getTokenSilentlyFn = (mockWindow, mockFetch) => {
             id_token: TEST_ID_TOKEN,
             refresh_token: TEST_REFRESH_TOKEN,
             access_token: TEST_ACCESS_TOKEN,
+            token_type: TEST_TOKEN_TYPE,
             expires_in: 86400
           },
           token.response

__tests__/Auth0Client/logout.test.ts

@@ -209,6 +209,19 @@ describe('Auth0Client', () => {
       );
     });
 
+    it('clears DPoP handler when present', async () => {
+      const auth0 = setup({ useDpop: true });
+      const dpop = auth0['dpop']!;
+
+      jest
+        .spyOn(dpop, 'clear')
+        .mockResolvedValue();
+
+      await auth0.logout();
+
+      expect(dpop.clear).toHaveBeenCalled();
+    });
+
     it('skips `window.location.assign` when `options.onRedirect` is provided', async () => {
       const auth0 = setup();
       const onRedirect = jest.fn();