Store the Dpop thumbprint to local storage (#940)

Author: pmathew92

auth0/src/main/java/com/auth0/android/authentication/storage/BaseCredentialsManager.kt

@@ -4,6 +4,8 @@ import android.util.Log
 import androidx.annotation.VisibleForTesting
 import com.auth0.android.authentication.AuthenticationAPIClient
 import com.auth0.android.callback.Callback
+import com.auth0.android.dpop.DPoPException
+import com.auth0.android.dpop.DPoPUtil
 import com.auth0.android.result.APICredentials
 import com.auth0.android.result.Credentials
 import com.auth0.android.result.SSOCredentials
@@ -23,7 +25,11 @@ public abstract class BaseCredentialsManager internal constructor(
 
     internal companion object {
         internal const val KEY_DPOP_THUMBPRINT = "com.auth0.dpop_key_thumbprint"
+
+        @VisibleForTesting(otherwise = VisibleForTesting.PACKAGE_PRIVATE)
+        internal const val KEY_TOKEN_TYPE = "com.auth0.token_type"
     }
+
     private var _clock: Clock = ClockImpl()
 
     /**
@@ -159,6 +165,35 @@ public abstract class BaseCredentialsManager internal constructor(
     internal val currentTimeInMillis: Long
         get() = _clock.getCurrentTimeMillis()
 
+    /**
+     * Stores the DPoP key thumbprint if DPoP was used for this credential set.
+     * Uses a dual strategy to store the thumbprint:
+     * - credentials.type == "DPoP" when server confirms DPoP but client lacks useDPoP()
+     * - isDPoPEnabled catches the case where client used DPoP, server returned token_type: "Bearer"
+     */
+    protected fun saveDPoPThumbprint(credentials: Credentials) {
+        val dpopUsed = credentials.type.equals("DPoP", ignoreCase = true)
+                || authenticationClient.isDPoPEnabled
+
+        if (!dpopUsed) {
+            storage.remove(KEY_DPOP_THUMBPRINT)
+            return
+        }
+
+        val thumbprint = try {
+            if (DPoPUtil.hasKeyPair()) DPoPUtil.getPublicKeyJWK() else null
+        } catch (e: DPoPException) {
+            Log.w(this::class.java.simpleName, "Failed to fetch DPoP key thumbprint", e)
+            null
+        }
+
+        if (thumbprint != null) {
+            storage.store(KEY_DPOP_THUMBPRINT, thumbprint)
+        } else {
+            storage.remove(KEY_DPOP_THUMBPRINT)
+        }
+    }
+
     /**
      * Checks if the stored scope is the same as the requested one.
      *

auth0/src/main/java/com/auth0/android/authentication/storage/CredentialsManager.kt

@@ -75,6 +75,7 @@ public class CredentialsManager @VisibleForTesting(otherwise = VisibleForTesting
         storage.store(KEY_EXPIRES_AT, credentials.expiresAt.time)
         storage.store(KEY_SCOPE, credentials.scope)
         storage.store(LEGACY_KEY_CACHE_EXPIRES_AT, credentials.expiresAt.time)
+        saveDPoPThumbprint(credentials)
     }
 
     /**
@@ -714,6 +715,7 @@ public class CredentialsManager @VisibleForTesting(otherwise = VisibleForTesting
         storage.remove(KEY_EXPIRES_AT)
         storage.remove(KEY_SCOPE)
         storage.remove(LEGACY_KEY_CACHE_EXPIRES_AT)
+        storage.remove(KEY_DPOP_THUMBPRINT)
     }
 
     /**
@@ -761,7 +763,6 @@ public class CredentialsManager @VisibleForTesting(otherwise = VisibleForTesting
         private const val KEY_ACCESS_TOKEN = "com.auth0.access_token"
         private const val KEY_REFRESH_TOKEN = "com.auth0.refresh_token"
         private const val KEY_ID_TOKEN = "com.auth0.id_token"
-        private const val KEY_TOKEN_TYPE = "com.auth0.token_type"
         private const val KEY_EXPIRES_AT = "com.auth0.expires_at"
         private const val KEY_SCOPE = "com.auth0.scope"
 

auth0/src/main/java/com/auth0/android/authentication/storage/CredentialsManagerException.kt

@@ -215,7 +215,7 @@ public class CredentialsManagerException :
                 Code.SSO_EXCHANGE_FAILED ->"The exchange of the refresh token for SSO credentials failed."
                 Code.MFA_REQUIRED -> "Multi-factor authentication is required to complete the credential renewal."
                 Code.DPOP_KEY_MISSING -> "The stored credentials are DPoP-bound but the DPoP key pair is no longer available in the Android KeyStore. Re-authentication is required."
-                Code.DPOP_NOT_CONFIGURED -> "The stored credentials are DPoP-bound but the AuthenticationAPIClient used by this CredentialsManager was not configured with useDPoP(context). Call AuthenticationAPIClient(auth0).useDPoP(context) and pass the configured client to CredentialsManager."
+                Code.DPOP_NOT_CONFIGURED -> "The stored credentials are DPoP-bound but the AuthenticationAPIClient used by this credentials manager was not configured with useDPoP(context). Call AuthenticationAPIClient(auth0).useDPoP(context) and pass the configured client to the credentials manager."
                 Code.UNKNOWN_ERROR -> "An unknown error has occurred while fetching the token. Please check the error cause for more details."
             }
         }

auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt

@@ -189,6 +189,8 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
             )
             storage.store(LEGACY_KEY_CACHE_EXPIRES_AT, credentials.expiresAt.time)
             storage.store(KEY_CAN_REFRESH, canRefresh)
+            storage.store(KEY_TOKEN_TYPE, credentials.type)
+            saveDPoPThumbprint(credentials)
         } catch (e: IncompatibleDeviceException) {
             throw CredentialsManagerException(
                 CredentialsManagerException.Code.INCOMPATIBLE_DEVICE, e
@@ -735,6 +737,8 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
         storage.remove(KEY_EXPIRES_AT)
         storage.remove(LEGACY_KEY_CACHE_EXPIRES_AT)
         storage.remove(KEY_CAN_REFRESH)
+        storage.remove(KEY_TOKEN_TYPE)
+        storage.remove(KEY_DPOP_THUMBPRINT)
         clearBiometricSession()
         Log.d(TAG, "Credentials were just removed from the storage")
     }
@@ -893,7 +897,8 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
                     callback.onFailure(
                         CredentialsManagerException(
                             CredentialsManagerException.Code.MFA_REQUIRED,
-                            error.message ?: "Multi-factor authentication is required to complete the credential renewal.",
+                            error.message
+                                ?: "Multi-factor authentication is required to complete the credential renewal.",
                             error,
                             error.mfaRequiredErrorPayload
                         )
@@ -1051,7 +1056,8 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
                     callback.onFailure(
                         CredentialsManagerException(
                             CredentialsManagerException.Code.MFA_REQUIRED,
-                            error.message ?: "Multi-factor authentication is required to complete the credential renewal.",
+                            error.message
+                                ?: "Multi-factor authentication is required to complete the credential renewal.",
                             error,
                             error.mfaRequiredErrorPayload
                         )
@@ -1251,6 +1257,7 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
         @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
         internal const val KEY_ALIAS = "com.auth0.key"
 
+
         // Using NO_SESSION to represent "no session" (uninitialized state)
         private const val NO_SESSION = -1L
     }