Move DPoP option to the capability section in the admin UI

Closes #42746

Signed-off-by: rmartinc <rmartinc@redhat.com>
rmartinc 2025-09-22 11:32:30 +02:00 committed by Marek Posolda
parent f560ea8f29
commit 2015e08e38
4 changed files with 14 additions and 18 deletions


@ -104,7 +104,7 @@ DPoP binds an access token and a refresh token together with the public part of
This type of token is a holder-of-key token. Unlike bearer tokens, the recipient of a holder-of-key token can verify if the sender of the token is legitimate.
If the client switch `Require Demonstrating Proof of Possession (DPoP) header in token requests` is on, the workflow is:
If the client switch `Require DPoP bound tokens` is on (*Settings tab*, section *Capability config*), the workflow is:
. A token request is sent to the token endpoint in an authorization code flow or hybrid flow.
. {project_name} requests a DPoP proof.
@ -113,7 +113,7 @@ If the client switch `Require Demonstrating Proof of Possession (DPoP) header in
If verification fails, {project_name} rejects the token.
If the switch `Require Demonstrating Proof of Possession (DPoP) header in token requests` is off, the client can still send `DPoP` proof in the token request. In that case, {project_name} will verify DPoP proof
If the switch `Require DPoP bound tokens` is off, the client can still send `DPoP` proof in the token request. In that case, {project_name} will verify DPoP proof
and will add the thumbprint to the token. But if the switch is off, DPoP binding is not enforced by the {project_name} server for this client. It is recommended to have this switch
on if you want to make sure that particular client always uses DPoP binding.


@ -47,7 +47,7 @@ policyUrl=Policy URL
clientDescriptionHelp=Specifies description of the client. For example 'My Client for TimeSheets'. Supports keys for localized values as well. For example\: ${my_client_description}.
rolesPermissionsHint=Determines if fine grained permissions are enabled for managing this role. Disabling will delete all current permissions that have been set up.
passwordPoliciesHelp.regexPattern=Requires that the password matches one or more defined Java regular expression patterns.
oAuthDPoP=Require Demonstrating Proof of Possession (DPoP) header in token requests
oAuthDPoP=Require DPoP bound tokens
invalidRealmName=Realm name can't contain special characters
validRedirectURIsHelp=Valid URI pattern a browser can redirect to after a successful login. Simple wildcards are allowed such as 'http\://example.com/*'. Relative path can be specified too such as /my/relative/path/*. Relative paths are relative to the client root URL, or if none is specified the auth server root URL is used. For SAML, you must set valid URI patterns if you are relying on the consumer service URL embedded with the login request.
realmNameTitle={{name}} realm
@ -1935,7 +1935,7 @@ scopePermissions.groups.view-description=Policies that decide if an administrato
tokens=Tokens
createFlow=Create flow
encryptAssertionsHelp=Should SAML assertions be encrypted with client's public key?
oAuthDPoPHelp=This enables support for Demonstrating Proof-of-Possession (DPoP) bound tokens. The access and refresh tokens are bound to the key stored on the user agent. In order to prove the possession of the key, the user agent must send a signed proof alongside the token.
oAuthDPoPHelp=This enables support for Demonstrating Proof-of-Possession (DPoP) bound tokens. For public clients, both access and refresh tokens are bound to the key stored on the user agent. In order to prove the possession of the key, the user agent must send a signed proof alongside the token. For confidential clients, only access tokens are DPoP bound because, following the specification, refresh tokens are already sender-constrained by the associated authentication requirement.
unsavedChangesConfirm=You have unsaved changes. Do you really want to leave the page?
disabledOff=Disabled off
membershipLdapAttributeHelp=Name of LDAP attribute on group, which is used for membership mappings. Usually it will be 'member'. However when 'Membership Attribute Type' is 'UID', then 'Membership LDAP Attribute' could be typically 'memberUid'.


@ -352,6 +352,16 @@ export const CapabilityConfig = ({
{ key: "plain", value: "plain" },
]}
/>
{isFeatureEnabled(Feature.DPoP) && (
<DefaultSwitchControl
name={convertAttributeNameToForm<FormFields>(
"attributes.dpop.bound.access.tokens",
)}
label={t("oAuthDPoP")}
labelIcon={t("oAuthDPoPHelp")}
stringify
/>
)}
</>
)}
{protocol === "saml" && (
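Review bot: The first added line calls `isFeatureEnabled(Feature.DPoP)`, but this hunk shows no import of `useIsFeatureEnabled` or `Feature` and no `const isFeatureEnabled = useIsFeatureEnabled();` in the component, while the AdvancedSettings hunk removes exactly that import and hook call; if CapabilityConfig.tsx does not already bring both into scope, the moved block will not compile, so please confirm (I cannot see the top of the file from here). The `CapabilityConfig` component starts and ends outside this hunk. The option's meaning is only explained by the `oAuthDPoPHelp` string and the docs change, so a short JSX comment above the switch would help the next maintainer, e.g. `{/* DPoP binding is only enforced while this is on; a proof the client sends anyway is still verified */}`, which matches the documented off-state behaviour.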

View File

@ -9,7 +9,6 @@ import { MultiLineInput } from "../../components/multi-line-input/MultiLineInput
import { TimeSelector } from "../../components/time-selector/TimeSelector";
import { useRealm } from "../../context/realm-context/RealmContext";
import { convertAttributeNameToForm } from "../../util";
import useIsFeatureEnabled, { Feature } from "../../utils/useIsFeatureEnabled";
import { FormFields } from "../ClientDetails";
import { TokenLifespan } from "./TokenLifespan";
@ -30,9 +29,6 @@ export const AdvancedSettings = ({
const { realmRepresentation: realm } = useRealm();
const isFeatureEnabled = useIsFeatureEnabled();
const isDPoPEnabled = isFeatureEnabled(Feature.DPoP);
const { control } = useFormContext();
return (
<FormAccess
@ -124,16 +120,6 @@ export const AdvancedSettings = ({
labelIcon={t("oAuthMutualHelp")}
stringify
/>
{isDPoPEnabled && (
<DefaultSwitchControl
name={convertAttributeNameToForm<FormFields>(
"attributes.dpop.bound.access.tokens",
)}
label={t("oAuthDPoP")}
labelIcon={t("oAuthDPoPHelp")}
stringify
/>
)}
<DefaultSwitchControl
name={convertAttributeNameToForm<FormFields>(
"attributes.require.pushed.authorization.requests",