Skip to main content

DPoPTokenEndpointValidator Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.Token.Validation

DPoPTokenEndpointValidator Class

Token-endpoint enforcement of RFC 9449 DPoP: validates the proof JWT carried on the inbound DPoP header against the request's method+URI, runs the layered nonce-policy if the deployment requires it, and stashes the proof's JWK thumbprint on the validation context so the processor can bind cnf.jkt onto the issued access token.

public class DPoPTokenEndpointValidator : Abblix.Oidc.Server.Features.DPoP.DPoPNonceValidator, Abblix.Oidc.Server.Endpoints.Token.Validation.ITokenContextValidator

Inheritance System.ObjectDPoPNonceValidator → DPoPTokenEndpointValidator

Implements ITokenContextValidator

Remarks

Sits AFTER ClientValidator in the composite — that ordering is load-bearing because this step reads ClientInfo to decide whether DPoP is mandatory (RequireDPoP) or opportunistic. When the client opts in but the proof is missing, the request is rejected with invalid_dpop_proof; when the client does not opt in, a missing proof is silently accepted (Bearer token issued downstream) and a present-and-valid proof still binds the token (RFC 9449 §5.2 server-side opportunistic binding).

Constructors

DPoPTokenEndpointValidator(ILogger<DPoPTokenEndpointValidator>, IProofValidator, INonceService, IOptionsMonitor<OidcOptions>) Constructor

Token-endpoint enforcement of RFC 9449 DPoP: validates the proof JWT carried on the inbound DPoP header against the request's method+URI, runs the layered nonce-policy if the deployment requires it, and stashes the proof's JWK thumbprint on the validation context so the processor can bind cnf.jkt onto the issued access token.

public DPoPTokenEndpointValidator(Microsoft.Extensions.Logging.ILogger<Abblix.Oidc.Server.Endpoints.Token.Validation.DPoPTokenEndpointValidator> logger, Abblix.Oidc.Server.Features.DPoP.IProofValidator proofValidator, Abblix.Oidc.Server.Features.Nonces.INonceService nonceService, Microsoft.Extensions.Options.IOptionsMonitor<Abblix.Oidc.Server.Common.Configuration.OidcOptions> options);

Parameters

logger Microsoft.Extensions.Logging.ILogger<DPoPTokenEndpointValidator>
proofValidator IProofValidator
nonceService INonceService
options Microsoft.Extensions.Options.IOptionsMonitor<OidcOptions>

Remarks

Sits AFTER ClientValidator in the composite — that ordering is load-bearing because this step reads ClientInfo to decide whether DPoP is mandatory (RequireDPoP) or opportunistic. When the client opts in but the proof is missing, the request is rejected with invalid_dpop_proof; when the client does not opt in, a missing proof is silently accepted (Bearer token issued downstream) and a present-and-valid proof still binds the token (RFC 9449 §5.2 server-side opportunistic binding).

Methods

DPoPTokenEndpointValidator.ValidateAsync(TokenValidationContext) Method

Asynchronously validates the token request within the provided context, checking for compliance with the necessary validation rules such as client authentication, scope validation, grant validation, etc.

public System.Threading.Tasks.Task<Abblix.Oidc.Server.Common.OidcError?> ValidateAsync(Abblix.Oidc.Server.Endpoints.Token.Validation.TokenValidationContext context);

Parameters

context TokenValidationContext

The context containing the token request and related information that needs to be validated.

Implements ValidateAsync(TokenValidationContext)

Returns

System.Threading.Tasks.Task<OidcError>
A OidcError containing error details if the validation fails; otherwise, returns null indicating that the validation was successful.