From e4c963c912aabfcf14e7bd69637a39eb25d3cd9a Mon Sep 17 00:00:00 2001 From: Joe DeCock Date: Thu, 26 Feb 2026 20:36:29 -0600 Subject: [PATCH] Add client with private_key_jwt auth, dpop w/nonce --- src/Config.cs | 46 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/src/Config.cs b/src/Config.cs index 90ccc54..6ace37f 100644 --- a/src/Config.cs +++ b/src/Config.cs @@ -119,7 +119,7 @@ public class Config ClientName = "Machine to machine (client credentials with JWT)", AllowedGrantTypes = GrantTypes.ClientCredentials, AllowedScopes = AllApiScopes, - + ClientSecrets = { PublicKey } }, new Client @@ -141,7 +141,7 @@ public class Config AllowedGrantTypes = GrantTypes.ClientCredentials, AllowedScopes = AllApiScopes, - + RequireDPoP = true, DPoPValidationMode = DPoPTokenExpirationValidationMode.Nonce, }, @@ -162,7 +162,7 @@ public class Config AllowedGrantTypes = GrantTypes.ClientCredentials, AllowedScopes = AllApiScopes, AccessTokenLifetime = 75, - + ClientSecrets = { PublicKey } }, @@ -184,7 +184,7 @@ public class Config RefreshTokenUsage = TokenUsage.ReUse, RefreshTokenExpiration = TokenExpiration.Sliding }, - + new Client { ClientId = "interactive.confidential.jwt", 
@@ -204,6 +204,30 @@ public class Config RefreshTokenExpiration = TokenExpiration.Sliding }, + new Client + { + ClientId = "interactive.confidential.jwt.dpop", + ClientName = "Interactive client (Code with PKCE) using private key JWT authentication and requiring DPoP with server-issued nonces", + + RedirectUris = { "https://notused" }, + PostLogoutRedirectUris = { "https://notused" }, + + ClientSecrets = { PublicKey }, + + AllowedGrantTypes = GrantTypes.CodeAndClientCredentials, + RequireRequestObject = false, + AllowedScopes = AllScopes, + + AllowOfflineAccess = true, + RefreshTokenUsage = TokenUsage.ReUse, + RefreshTokenExpiration = TokenExpiration.Sliding, + + RequireDPoP = true, + DPoPValidationMode = DPoPTokenExpirationValidationMode.Nonce, + + AccessTokenLifetime = 75 + }, + new Client { ClientId = "interactive.confidential.jar.jwt", @@ -222,7 +246,7 @@ public class Config RefreshTokenUsage = TokenUsage.ReUse, RefreshTokenExpiration = TokenExpiration.Sliding }, - + new Client { ClientId = "interactive.confidential.short", @@ -241,7 +265,7 @@ public class Config AllowOfflineAccess = true, RefreshTokenUsage = TokenUsage.ReUse, RefreshTokenExpiration = TokenExpiration.Sliding, - + AccessTokenLifetime = 75 }, @@ -283,7 +307,7 @@ public class Config AllowOfflineAccess = true, RefreshTokenUsage = TokenUsage.ReUse, RefreshTokenExpiration = TokenExpiration.Sliding, - + AccessTokenLifetime = 75 }, @@ -342,7 +366,7 @@ public class Config AllowOfflineAccess = true, RefreshTokenUsage = TokenUsage.OneTimeOnly, RefreshTokenExpiration = TokenExpiration.Sliding, - + AccessTokenLifetime = 75 }, @@ -397,7 +421,7 @@ public class Config AllowOfflineAccess = true, RefreshTokenUsage = TokenUsage.OneTimeOnly, RefreshTokenExpiration = TokenExpiration.Sliding, - + AllowedScopes = AllScopes, }, 
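Review bot: The new `interactive.confidential.jwt.dpop` entry registers the same `PublicKey` secret that the JWT clients in the hunks at 119 and 162 already use, so a holder of the matching private key can authenticate as any of these clients and the separate client ids give no isolation between them. That is presumably intentional for a demo configuration, but it should be stated above `ClientSecrets = { PublicKey },` with a comment such as `// Shared demo key: every private_key_jwt client here accepts the same key; use one key per client outside the demo.`. The `https://notused` values in `RedirectUris` and `PostLogoutRedirectUris` need a similar comment, because exact-match redirect validation is normally what keeps an authorization code from being delivered elsewhere, and the placeholder suggests that validation is handled in code not visible here. The client list this entry joins begins and ends outside the hunk and `PublicKey` is defined elsewhere, so both points should be confirmed against the full file.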
@@ -418,10 +442,10 @@ public class Config new Client { ClientId = "login", - + RedirectUris = { "https://notused" }, PostLogoutRedirectUris = { "https://notused" }, - + AllowedGrantTypes = GrantTypes.Implicit, AllowedScopes = AllIdentityScopes, }