ProofKeyThumbprintValidator Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Endpoints.Authorization.Validation
ProofKeyThumbprintValidator Class
Syntactic validator for the RFC 9449 §10 dpop_jkt authorization-request
parameter: surfaces malformed thumbprints at the authorize / PAR endpoint with
invalid_request instead of letting them slip through to /token where they
would surface only as invalid_dpop_proof on the live-proof comparison —
fail-fast at the binding-time endpoint.
public class ProofKeyThumbprintValidator : Abblix.Oidc.Server.Endpoints.Authorization.Validation.SyncAuthorizationContextValidatorBase
Inheritance System.Object → SyncAuthorizationContextValidatorBase → ProofKeyThumbprintValidator
Remarks
Accepts exactly 43 base64url characters (no padding) — the unique encoded length
of an RFC 7638 SHA-256 JWK thumbprint, the only digest algorithm DPoP uses
(RFC 9449 §6.1). Rejects any other length or non-base64url character.
The parameter is optional; missing values pass through (clients that do not
pre-bind don't pay the cost). The actual thumbprint comparison against a
presented proof happens at the token endpoint inside
DPoPTokenEndpointValidator; this step only enforces wire-format validity.