Skip to main content

ProofKeyThumbprintValidator Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.Authorization.Validation

ProofKeyThumbprintValidator Class

Syntactic validator for the RFC 9449 §10 dpop_jkt authorization-request parameter: surfaces malformed thumbprints at the authorize / PAR endpoint with invalid_request instead of letting them slip through to /token where they would surface only as invalid_dpop_proof on the live-proof comparison — fail-fast at the binding-time endpoint.

public class ProofKeyThumbprintValidator : Abblix.Oidc.Server.Endpoints.Authorization.Validation.SyncAuthorizationContextValidatorBase

Inheritance System.ObjectSyncAuthorizationContextValidatorBase → ProofKeyThumbprintValidator

Remarks

Accepts exactly 43 base64url characters (no padding) — the unique encoded length of an RFC 7638 SHA-256 JWK thumbprint, the only digest algorithm DPoP uses (RFC 9449 §6.1). Rejects any other length or non-base64url character. The parameter is optional; missing values pass through (clients that do not pre-bind don't pay the cost). The actual thumbprint comparison against a presented proof happens at the token endpoint inside DPoPTokenEndpointValidator; this step only enforces wire-format validity.