Added case to generate key pair for embedded login flow

Author: pmathew92

auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt

@@ -1,5 +1,6 @@
 package com.auth0.android.authentication
 
+import android.content.Context
 import androidx.annotation.VisibleForTesting
 import com.auth0.android.Auth0
 import com.auth0.android.Auth0Exception
@@ -67,8 +68,8 @@ public class AuthenticationAPIClient @VisibleForTesting(otherwise = VisibleForTe
     /**
      * Enable DPoP for this client.
      */
-    public override fun useDPoP(): AuthenticationAPIClient {
-        dPoP = DPoP()
+    public override fun useDPoP(context: Context): AuthenticationAPIClient {
+        dPoP = DPoP(context)
         return this
     }
 

auth0/src/main/java/com/auth0/android/dpop/DPoP.kt

@@ -22,10 +22,11 @@ public data class HeaderData(val authorizationHeader: String, val dpopProof: Str
  * Class for securing requests with DPoP (Demonstrating Proof of Possession) as described in
  * [RFC 9449](https://datatracker.ietf.org/doc/html/rfc9449).
  */
-public class DPoP {
+public class DPoP(private val context: Context) {
 
     /**
-     * Determines whether a DPoP proof should be generated for the given URL and parameters.
+     * Determines whether a DPoP proof should be generated for the given URL and parameters. The proof should
+     * only be generated for the `token` endpoint for a fresh login scenario or when a key-pair already exists.
      *
      * @param url The URL of the request
      * @param parameters The request parameters as a map
@@ -77,7 +78,7 @@ public class DPoP {
      * @throws DPoPException if there is an error generating the key pair or accessing the keystore.
      */
     @Throws(DPoPException::class)
-    internal fun generateKeyPair(context: Context) {
+    internal fun generateKeyPair() {
         DPoPUtil.generateKeyPair(context)
     }
 
@@ -89,8 +90,8 @@ public class DPoP {
      * @throws DPoPException if there is an error accessing the key pair.
      */
     @Throws(DPoPException::class)
-    internal fun getPublicKeyJWK(context: Context): String? {
-        generateKeyPair(context)
+    internal fun getPublicKeyJWK(): String? {
+        generateKeyPair()
         return DPoPUtil.getPublicKeyJWK()
     }
 

auth0/src/main/java/com/auth0/android/dpop/SenderConstraining.kt

@@ -1,5 +1,7 @@
 package com.auth0.android.dpop
 
+import android.content.Context
+
 /**
  * Interface for SenderConstraining
  */
@@ -8,5 +10,5 @@ public interface SenderConstraining<T : SenderConstraining<T>> {
     /**
      * Method to enable DPoP in the request.
      */
-    public fun useDPoP(): T
+    public fun useDPoP(context: Context): T
 }

auth0/src/main/java/com/auth0/android/provider/OAuthManager.kt

@@ -63,10 +63,10 @@ internal class OAuthManager(
 
     fun startAuthentication(context: Context, redirectUri: String, requestCode: Int) {
         OidcUtils.includeDefaultScope(parameters)
-        addPKCEParameters(parameters, redirectUri, headers)
+        addPKCEParameters(parameters, redirectUri, headers, context)
         addClientParameters(parameters, redirectUri)
         try {
-            addDPoPJWKParameters(parameters, context)
+            addDPoPJWKParameters(parameters)
         } catch (ex: DPoPException) {
             callback.onFailure(
                 AuthenticationException(
@@ -273,9 +273,10 @@ internal class OAuthManager(
     private fun addPKCEParameters(
         parameters: MutableMap<String, String>,
         redirectUri: String,
-        headers: Map<String, String>
+        headers: Map<String, String>,
+        context: Context
     ) {
-        createPKCE(redirectUri, headers)
+        createPKCE(redirectUri, headers,context)
         val codeChallenge = pkce!!.codeChallenge
         parameters[KEY_CODE_CHALLENGE] = codeChallenge
         parameters[KEY_CODE_CHALLENGE_METHOD] = METHOD_SHA_256
@@ -295,14 +296,18 @@ internal class OAuthManager(
         parameters[KEY_REDIRECT_URI] = redirectUri
     }
 
-    private fun createPKCE(redirectUri: String, headers: Map<String, String>) {
+    private fun createPKCE(redirectUri: String, headers: Map<String, String>,context: Context) {
         if (pkce == null) {
+            // Enable DPoP on the AuthenticationClient if DPoP is set in the WebAuthProvider class
+            dPoP?.let {
+                apiClient.useDPoP(context)
+            }
             pkce = PKCE(apiClient, redirectUri, headers)
         }
     }
 
-    private fun addDPoPJWKParameters(parameters: MutableMap<String, String>, context: Context) {
-        dPoP?.getPublicKeyJWK(context)?.let {
+    private fun addDPoPJWKParameters(parameters: MutableMap<String, String>) {
+        dPoP?.getPublicKeyJWK()?.let {
             parameters["dpop_jkt"] = it
         }
     }
@@ -376,10 +381,6 @@ internal class OAuthManager(
         this.parameters = parameters.toMutableMap()
         this.parameters[KEY_RESPONSE_TYPE] = RESPONSE_TYPE_CODE
         apiClient = AuthenticationAPIClient(account)
-        // Enable DPoP on the AuthenticationClient if DPoP is set in the WebAuthProvider class
-        dPoP?.let {
-            apiClient.useDPoP()
-        }
         this.ctOptions = ctOptions
     }
 }
@@ -398,7 +399,7 @@ internal fun OAuthManager.Companion.fromState(
         setHeaders(
             state.headers
         )
-         setPKCE(state.pkce)
+        setPKCE(state.pkce)
         setIdTokenVerificationIssuer(state.idTokenVerificationIssuer)
         setIdTokenVerificationLeeway(state.idTokenVerificationLeeway)
     }

auth0/src/main/java/com/auth0/android/provider/WebAuthProvider.kt

@@ -50,8 +50,8 @@ public object WebAuthProvider : SenderConstraining<WebAuthProvider> {
     }
 
     // Public methods
-    public override fun useDPoP(): WebAuthProvider {
-        dPoP = DPoP()
+    public override fun useDPoP(context: Context): WebAuthProvider {
+        dPoP = DPoP(context)
         return this
     }
 

auth0/src/main/java/com/auth0/android/request/internal/BaseRequest.kt

@@ -129,6 +129,7 @@ internal open class BaseRequest<T, U : Auth0Exception>(
         val response: ServerResponse
         try {
             if (dPoP?.shouldGenerateProof(url, options.parameters) == true) {
+                dPoP.generateKeyPair()
                 dPoP.generateProof(url, method, options.headers)?.let {
                     options.headers[DPoPUtil.DPOP_HEADER] = it
                 }

auth0/src/test/java/com/auth0/android/authentication/AuthenticationAPIClientTest.kt

@@ -48,7 +48,6 @@ import org.junit.After
 import org.junit.Before
 import org.junit.Test
 import org.junit.runner.RunWith
-import org.mockito.Mockito.`when`
 import org.robolectric.RobolectricTestRunner
 import org.robolectric.annotation.Config
 import org.robolectric.shadows.ShadowLooper
@@ -65,11 +64,13 @@ public class AuthenticationAPIClientTest {
     private lateinit var gson: Gson
     private lateinit var mockAPI: AuthenticationAPIMockServer
     private lateinit var mockKeyStore: DPoPKeyStore
+    private lateinit var mockContext: Context
 
     @Before
     public fun setUp() {
         mockAPI = AuthenticationAPIMockServer()
         mockKeyStore = mock()
+        mockContext = mock()
         val auth0 = auth0
         client = AuthenticationAPIClient(auth0)
         gson = GsonBuilder().serializeNulls().create()
@@ -2768,7 +2769,7 @@ public class AuthenticationAPIClientTest {
         val callback = MockAuthenticationCallback<Credentials>()
 
         // Enable DPoP
-        client.useDPoP().login(SUPPORT_AUTH0_COM, PASSWORD, MY_CONNECTION)
+        client.useDPoP(mockContext).login(SUPPORT_AUTH0_COM, PASSWORD, MY_CONNECTION)
             .start(callback)
         ShadowLooper.idleMainLooper()
 
@@ -2789,7 +2790,7 @@ public class AuthenticationAPIClientTest {
         mockAPI.willReturnSuccessfulLogin()
         val callback = MockAuthenticationCallback<Credentials>()
 
-        client.useDPoP().login(SUPPORT_AUTH0_COM, PASSWORD, MY_CONNECTION)
+        client.useDPoP(mockContext).login(SUPPORT_AUTH0_COM, PASSWORD, MY_CONNECTION)
             .start(callback)
         ShadowLooper.idleMainLooper()
 
@@ -2811,7 +2812,7 @@ public class AuthenticationAPIClientTest {
         mockAPI.willReturnSuccessfulLogin()
         val callback = MockAuthenticationCallback<Credentials>()
 
-        client.useDPoP().token("auth-code", "code-verifier", "http://redirect.uri")
+        client.useDPoP(mockContext).token("auth-code", "code-verifier", "http://redirect.uri")
             .start(callback)
         ShadowLooper.idleMainLooper()
 
@@ -2852,7 +2853,7 @@ public class AuthenticationAPIClientTest {
         mockAPI.willReturnUserInfo()
         val callback = MockAuthenticationCallback<UserProfile>()
 
-        client.useDPoP().userInfo("ACCESS_TOKEN", "DPoP")
+        client.useDPoP(mockContext).userInfo("ACCESS_TOKEN", "DPoP")
             .start(callback)
         ShadowLooper.idleMainLooper()
 
@@ -2896,7 +2897,7 @@ public class AuthenticationAPIClientTest {
         val callback = MockAuthenticationCallback<DatabaseUser>()
 
         // DPoP is enabled but signup endpoint should not get DPoP header
-        client.useDPoP().createUser(SUPPORT_AUTH0_COM, PASSWORD, SUPPORT, MY_CONNECTION)
+        client.useDPoP(mockContext).createUser(SUPPORT_AUTH0_COM, PASSWORD, SUPPORT, MY_CONNECTION)
             .start(callback)
         ShadowLooper.idleMainLooper()
 
@@ -2919,7 +2920,7 @@ public class AuthenticationAPIClientTest {
         val callback = MockAuthenticationCallback<Void>()
 
         // DPoP is enabled but passwordless endpoint should not get DPoP header
-        client.useDPoP().passwordlessWithEmail(SUPPORT_AUTH0_COM, PasswordlessType.CODE)
+        client.useDPoP(mockContext).passwordlessWithEmail(SUPPORT_AUTH0_COM, PasswordlessType.CODE)
             .start(callback)
         ShadowLooper.idleMainLooper()
 
@@ -2938,7 +2939,7 @@ public class AuthenticationAPIClientTest {
         val callback = MockAuthenticationCallback<Map<String, PublicKey>>()
 
         // DPoP is enabled but JWKS endpoint should not get DPoP header
-        client.useDPoP().fetchJsonWebKeys()
+        client.useDPoP(mockContext).fetchJsonWebKeys()
             .start(callback)
         ShadowLooper.idleMainLooper()
 
@@ -2956,7 +2957,7 @@ public class AuthenticationAPIClientTest {
         mockAPI.willReturnSuccessfulLogin()
         val callback = MockAuthenticationCallback<Credentials>()
 
-        client.useDPoP().customTokenExchange("subject-token-type", "subject-token")
+        client.useDPoP(mockContext).customTokenExchange("subject-token-type", "subject-token")
             .start(callback)
         ShadowLooper.idleMainLooper()
 
@@ -2983,7 +2984,7 @@ public class AuthenticationAPIClientTest {
         mockAPI.willReturnSuccessfulLogin()
         val callback = MockAuthenticationCallback<SSOCredentials>()
 
-        client.useDPoP().ssoExchange("refresh-token")
+        client.useDPoP(mockContext).ssoExchange("refresh-token")
             .start(callback)
         ShadowLooper.idleMainLooper()
 
@@ -3005,7 +3006,7 @@ public class AuthenticationAPIClientTest {
         mockAPI.willReturnSuccessfulLogin()
         val callback = MockAuthenticationCallback<Credentials>()
 
-        client.useDPoP().login(SUPPORT_AUTH0_COM, PASSWORD, MY_CONNECTION)
+        client.useDPoP(mockContext).login(SUPPORT_AUTH0_COM, PASSWORD, MY_CONNECTION)
             .start(callback)
         ShadowLooper.idleMainLooper()
 

auth0/src/test/java/com/auth0/android/dpop/DPoPTest.kt

@@ -47,7 +47,7 @@ public class DPoPTest {
         mockResponse = mock()
         mockKeyStore = mock()
         mockResponseBody = mock()
-        dPoP = DPoP()
+        dPoP = DPoP(mockContext)
 
         DPoP._auth0Nonce = null
 
@@ -158,7 +158,7 @@ public class DPoPTest {
     public fun `generateKeyPair should delegate to DPoPUtil`() {
         whenever(mockKeyStore.hasKeyPair()).thenReturn(false)
 
-        dPoP.generateKeyPair(mockContext)
+        dPoP.generateKeyPair()
 
         verify(mockKeyStore).generateKeyPair(mockContext)
     }
@@ -173,7 +173,7 @@ public class DPoPTest {
         )
 
         try {
-            dPoP.generateKeyPair(mockContext)
+            dPoP.generateKeyPair()
             Assert.fail("Expected DPoPException to be thrown")
         } catch (e: DPoPException) {
             assertThat(e, `is`(exception))
@@ -186,7 +186,7 @@ public class DPoPTest {
         whenever(mockKeyStore.hasKeyPair()).thenReturn(false).thenReturn(true)
         whenever(mockKeyStore.getKeyPair()).thenReturn(Pair(fakePrivateKey, fakePublicKey))
 
-        val result = dPoP.getPublicKeyJWK(mockContext)
+        val result = dPoP.getPublicKeyJWK()
 
         verify(mockKeyStore).generateKeyPair(mockContext)
         assertThat(result, `is`(testPublicJwkHash))
@@ -197,7 +197,7 @@ public class DPoPTest {
         whenever(mockKeyStore.hasKeyPair()).thenReturn(true)
         whenever(mockKeyStore.getKeyPair()).thenReturn(Pair(fakePrivateKey, fakePublicKey))
 
-        val result = dPoP.getPublicKeyJWK(mockContext)
+        val result = dPoP.getPublicKeyJWK()
 
         assertThat(result, `is`(testPublicJwkHash))
     }
@@ -206,7 +206,7 @@ public class DPoPTest {
     public fun `getPublicKeyJWK should return null when key pair generation fails`() {
         whenever(mockKeyStore.hasKeyPair()).thenReturn(false).thenReturn(false)
 
-        val result = dPoP.getPublicKeyJWK(mockContext)
+        val result = dPoP.getPublicKeyJWK()
 
         verify(mockKeyStore).generateKeyPair(mockContext)
         assertThat(result, `is`(nullValue()))
@@ -504,11 +504,11 @@ public class DPoPTest {
         whenever(mockKeyStore.getKeyPair()).thenReturn(Pair(fakePrivateKey, fakePublicKey))
 
         // 1. Generate key pair
-        dPoP.generateKeyPair(mockContext)
+        dPoP.generateKeyPair()
         verify(mockKeyStore).generateKeyPair(mockContext)
 
         // 2. Get JWK thumbprint
-        val jwkThumbprint = dPoP.getPublicKeyJWK(mockContext)
+        val jwkThumbprint = dPoP.getPublicKeyJWK()
         assertThat(jwkThumbprint, `is`(testPublicJwkHash))
 
         // 3. Store nonce from response

auth0/src/test/java/com/auth0/android/dpop/DPoPUtilTest.kt

@@ -356,7 +356,7 @@ public class DPoPUtilTest {
         whenever(mockKeyStore.hasKeyPair()).thenReturn(true)
         DPoPUtil.generateKeyPair(mockContext)
         verify(mockKeyStore).hasKeyPair()
-        verify(mockKeyStore, never()).generateKeyPair(any())
+        verify(mockKeyStore, never()).generateKeyPair(any(), any())
     }
 
     @Test