Saving the Dpop thumbprint

pmathew92 · pmathew92 · commit dac4dce02b5f · 2026-03-24T14:39:39.000+05:30
diff --git a/auth0/src/main/java/com/auth0/android/authentication/storage/BaseCredentialsManager.kt b/auth0/src/main/java/com/auth0/android/authentication/storage/BaseCredentialsManager.kt
@@ -4,6 +4,8 @@ import android.util.Log
 import androidx.annotation.VisibleForTesting
 import com.auth0.android.authentication.AuthenticationAPIClient
 import com.auth0.android.callback.Callback
+import com.auth0.android.dpop.DPoPException
+import com.auth0.android.dpop.DPoPUtil
 import com.auth0.android.result.APICredentials
 import com.auth0.android.result.Credentials
 import com.auth0.android.result.SSOCredentials
@@ -159,6 +161,29 @@ public abstract class BaseCredentialsManager internal constructor(
     internal val currentTimeInMillis: Long
         get() = _clock.getCurrentTimeMillis()
 
+    /**
+     * Stores the DPoP key thumbprint if DPoP was used for this credential set.
+     * Uses a dual strategy to store the thumbprint:
+     * - credentials.type == "DPoP" when server confirms DPoP but client lacks useDPoP()
+     * - isDPoPEnabled catches the case where client used DPoP, server returned token_type: "Bearer"
+     */
+    protected fun saveDPoPThumbprint(credentials: Credentials) {
+        val dpopUsed = credentials.type.equals("DPoP", ignoreCase = true)
+            || authenticationClient.isDPoPEnabled
+        if (dpopUsed && DPoPUtil.hasKeyPair()) {
+            try {
+                val thumbprint = DPoPUtil.getPublicKeyJWK()
+                if (thumbprint != null) {
+                    storage.store(KEY_DPOP_THUMBPRINT, thumbprint)
+                }
+            } catch (e: DPoPException) {
+                Log.w(this::class.java.simpleName, "Failed to store DPoP key thumbprint", e)
+            }
+        } else {
+            storage.remove(KEY_DPOP_THUMBPRINT)
+        }
+    }
+
     /**
      * Checks if the stored scope is the same as the requested one.
      *
diff --git a/auth0/src/main/java/com/auth0/android/authentication/storage/CredentialsManager.kt b/auth0/src/main/java/com/auth0/android/authentication/storage/CredentialsManager.kt
@@ -75,6 +75,7 @@ public class CredentialsManager @VisibleForTesting(otherwise = VisibleForTesting
         storage.store(KEY_EXPIRES_AT, credentials.expiresAt.time)
         storage.store(KEY_SCOPE, credentials.scope)
         storage.store(LEGACY_KEY_CACHE_EXPIRES_AT, credentials.expiresAt.time)
+        saveDPoPThumbprint(credentials)
     }
 
     /**
@@ -714,6 +715,7 @@ public class CredentialsManager @VisibleForTesting(otherwise = VisibleForTesting
         storage.remove(KEY_EXPIRES_AT)
         storage.remove(KEY_SCOPE)
         storage.remove(LEGACY_KEY_CACHE_EXPIRES_AT)
+        storage.remove(KEY_DPOP_THUMBPRINT)
     }
 
     /**
diff --git a/auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt b/auth0/src/main/java/com/auth0/android/authentication/storage/SecureCredentialsManager.kt
@@ -189,6 +189,8 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
             )
             storage.store(LEGACY_KEY_CACHE_EXPIRES_AT, credentials.expiresAt.time)
             storage.store(KEY_CAN_REFRESH, canRefresh)
+            storage.store(KEY_TOKEN_TYPE, credentials.type)
+            saveDPoPThumbprint(credentials)
         } catch (e: IncompatibleDeviceException) {
             throw CredentialsManagerException(
                 CredentialsManagerException.Code.INCOMPATIBLE_DEVICE, e
@@ -735,6 +737,8 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
         storage.remove(KEY_EXPIRES_AT)
         storage.remove(LEGACY_KEY_CACHE_EXPIRES_AT)
         storage.remove(KEY_CAN_REFRESH)
+        storage.remove(KEY_TOKEN_TYPE)
+        storage.remove(KEY_DPOP_THUMBPRINT)
         clearBiometricSession()
         Log.d(TAG, "Credentials were just removed from the storage")
     }
@@ -1251,6 +1255,9 @@ public class SecureCredentialsManager @VisibleForTesting(otherwise = VisibleForT
         @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
         internal const val KEY_ALIAS = "com.auth0.key"
 
+        @VisibleForTesting(otherwise = VisibleForTesting.PRIVATE)
+        internal const val KEY_TOKEN_TYPE = "com.auth0.token_type"
+
         // Using NO_SESSION to represent "no session" (uninitialized state)
         private const val NO_SESSION = -1L
     }

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,7 @@ public class CredentialsManager @VisibleForTesting(otherwise = VisibleForTesting`
`75`	`75`	`storage.store(KEY_EXPIRES_AT, credentials.expiresAt.time)`
`76`	`76`	`storage.store(KEY_SCOPE, credentials.scope)`
`77`	`77`	`storage.store(LEGACY_KEY_CACHE_EXPIRES_AT, credentials.expiresAt.time)`
	`78`	`+ saveDPoPThumbprint(credentials)`
`78`	`79`	`}`
`79`	`80`
`80`	`81`	`/**`
`@@ -714,6 +715,7 @@ public class CredentialsManager @VisibleForTesting(otherwise = VisibleForTesting`
`714`	`715`	`storage.remove(KEY_EXPIRES_AT)`
`715`	`716`	`storage.remove(KEY_SCOPE)`
`716`	`717`	`storage.remove(LEGACY_KEY_CACHE_EXPIRES_AT)`
	`718`	`+ storage.remove(KEY_DPOP_THUMBPRINT)`
`717`	`719`	`}`
`718`	`720`
`719`	`721`	`/**`