Allow DPoP-bound OAuth access tokens

CHANGELOG.md

@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [EE] Added mermaid diagram rendering to Ask Sourcebot answers, with pan/zoom, copy/export, in-thread deep links, and an interleaved right-panel view. [#1369](https://github.com/sourcebot-dev/sourcebot/pull/1369)
 - [EE] Added a context-window usage gauge to the Ask Sourcebot chat details, showing how much of the selected model's context window each turn occupies. Window sizes are resolved from the models.dev catalog. [#1370](https://github.com/sourcebot-dev/sourcebot/pull/1370)
 - Added language model input-modality and document capability resolution, automatically resolved from the models.dev catalog (falls back to text-only for uncatalogued/self-hosted models). [#1372](https://github.com/sourcebot-dev/sourcebot/pull/1372)
+- [EE] Added DPoP sender-constrained OAuth tokens for MCP clients. [#1395](https://github.com/sourcebot-dev/sourcebot/pull/1395)
 
 ### Fixed
 - Send anonymous server-side PostHog events as personless so unauthenticated requests don't inflate person counts. [#1367](https://github.com/sourcebot-dev/sourcebot/pull/1367)

packages/db/prisma/migrations/20260629193000_add_oauth_dpop_binding/migration.sql

@@ -0,0 +1,5 @@
+ALTER TABLE "OAuthAuthorizationCode" ADD COLUMN "dpopJkt" TEXT;
+
+ALTER TABLE "OAuthRefreshToken" ADD COLUMN "dpopJkt" TEXT;
+
+ALTER TABLE "OAuthToken" ADD COLUMN "dpopJkt" TEXT;

packages/db/prisma/schema.prisma

@@ -654,6 +654,7 @@ model OAuthAuthorizationCode {
   redirectUri   String
   codeChallenge String // BASE64URL(SHA-256(codeVerifier))
   resource      String? // RFC 8707: canonical URI of the target resource server
+  dpopJkt       String? // RFC 9449: DPoP JWK SHA-256 thumbprint binding
   expiresAt     DateTime
   createdAt     DateTime    @default(now())
 }
@@ -667,6 +668,7 @@ model OAuthRefreshToken {
   user      User        @relation(fields: [userId], references: [id], onDelete: Cascade)
   scope     String      @default("")
   resource  String? // RFC 8707
+  dpopJkt   String? // RFC 9449
   expiresAt DateTime
   createdAt DateTime    @default(now())
 
@@ -682,6 +684,7 @@ model OAuthToken {
   user       User        @relation(fields: [userId], references: [id], onDelete: Cascade)
   scope      String      @default("")
   resource   String? // RFC 8707: canonical URI of the target resource server
+  dpopJkt    String? // RFC 9449: DPoP JWK SHA-256 thumbprint binding
   expiresAt  DateTime
   createdAt  DateTime    @default(now())
   lastUsedAt DateTime?

packages/web/src/__mocks__/prisma.ts

@@ -55,6 +55,7 @@ export const MOCK_OAUTH_TOKEN: OAuthToken & { user: User & { accounts: Account[]
     userId: MOCK_USER_WITH_ACCOUNTS.id,
     scope: '',
     resource: null,
+    dpopJkt: null,
     expiresAt: new Date(Date.now() + 1000 * 60 * 60), // 1 hour from now
     createdAt: new Date(),
     lastUsedAt: null,
@@ -67,8 +68,9 @@ export const MOCK_REFRESH_TOKEN: OAuthRefreshToken = {
     userId: MOCK_USER_WITH_ACCOUNTS.id,
     scope: '',
     resource: null,
+    dpopJkt: null,
     expiresAt: new Date(Date.now() + 1000 * 60 * 60 * 24 * 90), // 90 days from now
     createdAt: new Date(),
 }
 
-export const userScopedPrismaClientExtension = vi.fn();
+export const userScopedPrismaClientExtension = vi.fn();

packages/web/src/app/api/(server)/ee/.well-known/oauth-authorization-server/route.ts

@@ -2,6 +2,7 @@ import { oauthApiHandler } from '@/ee/features/oauth/apiHandler';
 import { env } from '@sourcebot/shared';
 import { OAUTH_NOT_SUPPORTED_ERROR_MESSAGE } from '@/ee/features/oauth/constants';
 import { hasEntitlement } from '@/lib/entitlements';
+import { SUPPORTED_DPOP_SIGNING_ALGS } from '@/ee/features/oauth/dpop';
 
 // RFC 8414: OAuth 2.0 Authorization Server Metadata
 // @see: https://datatracker.ietf.org/doc/html/rfc8414
@@ -26,6 +27,7 @@ export const GET = oauthApiHandler(async () => {
         grant_types_supported: ['authorization_code', 'refresh_token'],
         code_challenge_methods_supported: ['S256'],
         token_endpoint_auth_methods_supported: ['none'],
+        dpop_signing_alg_values_supported: SUPPORTED_DPOP_SIGNING_ALGS,
         service_documentation: 'https://docs.sourcebot.dev',
     });
 });

packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/[...path]/route.ts

@@ -37,5 +37,6 @@ export const GET = oauthApiHandler(async (_request: NextRequest, { params }: { p
         authorization_servers: [
             issuer
         ],
+        bearer_methods_supported: ['header'],
     });
 });

packages/web/src/app/api/(server)/ee/mcp/route.ts

@@ -22,10 +22,14 @@ async function mcpErrorResponse(error: ServiceError): Promise<Response> {
     const response = serviceErrorResponse(error);
     if (error.statusCode === StatusCodes.UNAUTHORIZED && await hasEntitlement('oauth')) {
         const issuer = env.AUTH_URL.replace(/\/$/, '');
-        response.headers.set(
+        response.headers.append(
             'WWW-Authenticate',
             `Bearer realm="Sourcebot", resource_metadata_uri="${issuer}/.well-known/oauth-protected-resource/api/mcp"`
         );
+        response.headers.append(
+            'WWW-Authenticate',
+            `DPoP realm="Sourcebot", resource_metadata_uri="${issuer}/.well-known/oauth-protected-resource/api/mcp"`
+        );
     }
     return response;
 }

packages/web/src/app/api/(server)/ee/oauth/token/route.ts

@@ -4,6 +4,7 @@ import { env } from '@sourcebot/shared';
 import { NextRequest } from 'next/server';
 import { OAUTH_NOT_SUPPORTED_ERROR_MESSAGE } from '@/ee/features/oauth/constants';
 import { hasEntitlement } from '@/lib/entitlements';
+import { DPOP_PROOF_HEADER, DPOP_TOKEN_TYPE, verifyDpopProof } from '@/ee/features/oauth/dpop';
 
 // OAuth 2.0 Token Endpoint
 // Supports grant_type=authorization_code with PKCE (RFC 7636).
@@ -30,6 +31,20 @@ export const POST = oauthApiHandler(async (request: NextRequest) => {
         );
     }
 
+    const dpopProof = request.headers.get(DPOP_PROOF_HEADER);
+    const dpopProofResult = dpopProof
+        ? await verifyDpopProof({ request, proof: dpopProof })
+        : null;
+
+    if (dpopProofResult && !dpopProofResult.ok) {
+        return Response.json(
+            { error: dpopProofResult.error, error_description: dpopProofResult.errorDescription },
+            { status: 400 }
+        );
+    }
+
+    const dpopJkt = dpopProofResult?.ok ? dpopProofResult.jkt : null;
+
     if (grantType === 'authorization_code') {
         const code = formData.get('code');
         const redirectUri = formData.get('redirect_uri');
@@ -48,6 +63,7 @@ export const POST = oauthApiHandler(async (request: NextRequest) => {
             redirectUri: redirectUri.toString(),
             codeVerifier: codeVerifier.toString(),
             resource: resource ? resource.toString() : null,
+            dpopJkt,
         });
 
         if ('error' in result) {
@@ -60,7 +76,7 @@ export const POST = oauthApiHandler(async (request: NextRequest) => {
         return Response.json({
             access_token: result.token,
             refresh_token: result.refreshToken,
-            token_type: 'Bearer',
+            token_type: result.dpopJkt ? DPOP_TOKEN_TYPE : 'Bearer',
             expires_in: env.OAUTH_ACCESS_TOKEN_TTL_SECONDS,
             scope: '',
         });
@@ -80,6 +96,7 @@ export const POST = oauthApiHandler(async (request: NextRequest) => {
             rawRefreshToken: rawRefreshToken.toString(),
             clientId: clientId.toString(),
             resource: resource ? resource.toString() : null,
+            dpopJkt,
         });
 
         if ('error' in result) {
@@ -92,7 +109,7 @@ export const POST = oauthApiHandler(async (request: NextRequest) => {
         return Response.json({
             access_token: result.token,
             refresh_token: result.refreshToken,
-            token_type: 'Bearer',
+            token_type: result.dpopJkt ? DPOP_TOKEN_TYPE : 'Bearer',
             expires_in: env.OAUTH_ACCESS_TOKEN_TTL_SECONDS,
             scope: '',
         });

packages/web/src/app/oauth/authorize/components/consentScreen.tsx

@@ -18,6 +18,7 @@ interface ConsentScreenProps {
     redirectUri: string;
     codeChallenge: string;
     resource: string | null;
+    dpopJkt: string | null;
     state: string | undefined;
     userEmail: string;
 }
@@ -29,6 +30,7 @@ export function ConsentScreen({
     redirectUri,
     codeChallenge,
     resource,
+    dpopJkt,
     state,
     userEmail,
 }: ConsentScreenProps) {
@@ -43,7 +45,7 @@ export function ConsentScreen({
     const onApprove = async () => {
         captureEvent('wa_oauth_authorization_approved', { clientId, clientName });
         setPending('approve');
-        const result = await approveAuthorization({ clientId, redirectUri, codeChallenge, resource, state });
+        const result = await approveAuthorization({ clientId, redirectUri, codeChallenge, resource, dpopJkt, state });
         if (!isServiceError(result)) {
             if (!isPermittedRedirectUrl(result)) {
                 toast({ description: `❌ Redirect URL is not permitted.` });

packages/web/src/app/oauth/authorize/page.tsx

@@ -4,6 +4,7 @@ import { ConsentScreen } from './components/consentScreen';
 import { __unsafePrisma } from '@/prisma';
 import { hasEntitlement } from '@/lib/entitlements';
 import { redirect } from 'next/navigation';
+import { isValidDpopJkt } from '@/ee/features/oauth/dpop';
 
 export const dynamic = 'force-dynamic';
 
@@ -16,6 +17,7 @@ interface AuthorizePageProps {
         response_type?: string;
         state?: string;
         resource?: string | string[];
+        dpop_jkt?: string | string[];
     }>;
 }
 
@@ -25,13 +27,14 @@ export default async function AuthorizePage({ searchParams }: AuthorizePageProps
     }
 
     const params = await searchParams;
-    const { client_id, redirect_uri, code_challenge, code_challenge_method, response_type, state, resource: _resource } = params;
+    const { client_id, redirect_uri, code_challenge, code_challenge_method, response_type, state, resource: _resource, dpop_jkt: _dpopJkt } = params;
 
     // RFC 8707 allows multiple resource parameters to indicate a token intended for multiple resources.
     // Sourcebot only supports a single resource (the MCP endpoint), so we take the first value.
     //
     // @see: https://www.rfc-editor.org/rfc/rfc8707.html#section-2-2.2
     const resource = Array.isArray(_resource) ? _resource[0] : _resource;
+    const dpopJkt = Array.isArray(_dpopJkt) ? _dpopJkt[0] : _dpopJkt;
 
     // Validate required parameters. Per spec, do NOT redirect on client errors —
     // show an error page instead to avoid open redirect vulnerabilities.
@@ -47,6 +50,10 @@ export default async function AuthorizePage({ searchParams }: AuthorizePageProps
         return <ErrorPage message={`Unsupported code_challenge_method: ${code_challenge_method}. Only "S256" is supported.`} />;
     }
 
+    if (dpopJkt && !isValidDpopJkt(dpopJkt)) {
+        return <ErrorPage message="Invalid dpop_jkt parameter." />;
+    }
+
     const client = await __unsafePrisma.oAuthClient.findUnique({ where: { id: client_id } });
 
     if (!client) {
@@ -74,6 +81,7 @@ export default async function AuthorizePage({ searchParams }: AuthorizePageProps
                 redirectUri={redirect_uri!}
                 codeChallenge={code_challenge!}
                 resource={resource ?? null}
+                dpopJkt={dpopJkt ?? null}
                 state={state}
                 userEmail={session!.user.email!}
             />

packages/web/src/ee/features/oauth/actions.ts

@@ -4,6 +4,9 @@ import { sew } from "@/middleware/sew";
 import { generateAndStoreAuthCode } from '@/ee/features/oauth/server';
 import { withAuth } from '@/middleware/withAuth';
 import { UNPERMITTED_SCHEMES } from '@/ee/features/oauth/constants';
+import { isValidDpopJkt } from '@/ee/features/oauth/dpop';
+import { ErrorCode } from '@/lib/errorCodes';
+import { StatusCodes } from 'http-status-codes';
 
 export interface ConnectedOauthClient {
     id: string;
@@ -38,21 +41,32 @@ export const approveAuthorization = async ({
     redirectUri,
     codeChallenge,
     resource,
+    dpopJkt,
     state,
 }: {
     clientId: string;
     redirectUri: string;
     codeChallenge: string;
     resource: string | null;
+    dpopJkt: string | null;
     state: string | undefined;
 }) => sew(() =>
     withAuth(async ({ user }) => {
+        if (dpopJkt !== null && !isValidDpopJkt(dpopJkt)) {
+            return {
+                statusCode: StatusCodes.BAD_REQUEST,
+                errorCode: ErrorCode.INVALID_QUERY_PARAMS,
+                message: 'Invalid dpop_jkt parameter.',
+            };
+        }
+
         const rawCode = await generateAndStoreAuthCode({
             clientId,
             userId: user.id,
             redirectUri,
             codeChallenge,
             resource,
+            dpopJkt,
         });
 
         const callbackUrl = new URL(redirectUri);