fix: make sure retry happens on nonce error for authcode flow; use common dpop handler across authcode, gettokenset, getconnnectiontokenset; refactor withDPoPNonceRetry

Author: tusharpandey13

src/server/auth-client.ts

@@ -246,6 +246,7 @@ export class AuthClient {
 
   private dpopKeyPair?: DpopKeyPair;
   private readonly useDPoP: boolean;
+  private defaultDPoPHandle?: ReturnType<typeof oauth.DPoP>;
 
   constructor(options: AuthClientOptions) {
     // dependencies
@@ -366,6 +367,12 @@ export class AuthClient {
     // Initialize DPoP if enabled. Check useDPoP flag first to avoid timing attacks.
     if ((options.useDPoP ?? false) && options.dpopKeyPair) {
       this.dpopKeyPair = options.dpopKeyPair;
+      // Create DPoP handle once for reuse across all token grant operations
+      // oauth4webapi automatically learns nonces from error responses
+      this.defaultDPoPHandle = oauth.DPoP(
+        this.clientMetadata,
+        options.dpopKeyPair
+      );
     }
   }
 
@@ -772,14 +779,17 @@ export class AuthClient {
             ...this.httpOptions(),
             [oauth.customFetch]: this.fetch,
             [oauth.allowInsecureRequests]: this.allowInsecureRequests,
-            ...(this.useDPoP &&
-              this.dpopKeyPair && {
-                DPoP: oauth.DPoP(this.clientMetadata, this.dpopKeyPair!)
-              })
+            ...(this.defaultDPoPHandle && { DPoP: this.defaultDPoPHandle })
           }
         );
 
-      codeGrantResponse = await authorizationCodeGrantRequestCall();
+      codeGrantResponse = await withDPoPNonceRetry(
+        authorizationCodeGrantRequestCall,
+        {
+          isDPoPEnabled: !!(this.useDPoP && this.dpopKeyPair),
+          ...this.dpopOptions?.retry
+        }
+      );
     } catch (e: any) {
       return this.handleCallbackError(
         new AuthorizationCodeGrantRequestError(e.message),
@@ -791,8 +801,9 @@ export class AuthClient {
     let oidcRes: oauth.TokenEndpointResponse;
     try {
       // Process the authorization code response
-      // For authorization code flows, oauth4webapi handles DPoP nonce management internally
-      // No need for manual retry since authorization codes are single-use
+      // When DPoP is enabled, the nonce retry logic is handled above in the
+      // authorizationCodeGrantRequestCall, so codeGrantResponse is guaranteed
+      // to have been obtained with proper nonce handling if needed
       oidcRes = await oauth.processAuthorizationCodeResponse(
         authorizationServerMetadata,
         this.clientMetadata,
@@ -1213,10 +1224,7 @@ export class AuthClient {
               [oauth.customFetch]: this.fetch,
               [oauth.allowInsecureRequests]: this.allowInsecureRequests,
               additionalParameters,
-              ...(this.useDPoP &&
-                this.dpopKeyPair && {
-                  DPoP: oauth.DPoP(this.clientMetadata, this.dpopKeyPair!)
-                })
+              ...(this.defaultDPoPHandle && { DPoP: this.defaultDPoPHandle })
             }
           );
 
@@ -1229,10 +1237,16 @@ export class AuthClient {
 
         let oauthRes: oauth.TokenEndpointResponse;
         try {
-          oauthRes = await withDPoPNonceRetry(async () => {
-            const refreshTokenRes = await refreshTokenGrantRequestCall();
-            return await processRefreshTokenResponseCall(refreshTokenRes);
-          }, this.dpopOptions?.retry);
+          oauthRes = await withDPoPNonceRetry(
+            async () => {
+              const refreshTokenRes = await refreshTokenGrantRequestCall();
+              return await processRefreshTokenResponseCall(refreshTokenRes);
+            },
+            {
+              isDPoPEnabled: !!(this.useDPoP && this.dpopKeyPair),
+              ...this.dpopOptions?.retry
+            }
+          );
         } catch (e: any) {
           return [
             new AccessTokenError(
@@ -1755,26 +1769,28 @@ export class AuthClient {
           {
             [oauth.customFetch]: this.fetch,
             [oauth.allowInsecureRequests]: this.allowInsecureRequests,
-            ...(this.useDPoP &&
-              this.dpopKeyPair && {
-                DPoP: oauth.DPoP(this.clientMetadata, this.dpopKeyPair!)
-              })
+            ...(this.defaultDPoPHandle && { DPoP: this.defaultDPoPHandle })
           }
         );
 
-      const processGenericTokenEndpointResponseCall = (response: Response) =>
-        oauth.processGenericTokenEndpointResponse(
+      const processGenericTokenEndpointResponseCall = async () => {
+        const httpResponse = await genericTokenEndpointRequestCall();
+        return oauth.processGenericTokenEndpointResponse(
           authorizationServerMetadata,
           this.clientMetadata,
-          response
+          httpResponse
         );
+      };
 
       let tokenEndpointResponse: oauth.TokenEndpointResponse;
       try {
-        tokenEndpointResponse = await withDPoPNonceRetry(async () => {
-          const httpResponse = await genericTokenEndpointRequestCall();
-          return await processGenericTokenEndpointResponseCall(httpResponse);
-        }, this.dpopOptions?.retry);
+        tokenEndpointResponse = await withDPoPNonceRetry(
+          processGenericTokenEndpointResponseCall,
+          {
+            isDPoPEnabled: !!(this.useDPoP && this.dpopKeyPair),
+            ...this.dpopOptions?.retry
+          }
+        );
       } catch (err: any) {
         return [
           new AccessTokenForConnectionError(