DPoPTokenEndpointValidator Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Endpoints.Token.Validation
DPoPTokenEndpointValidator Class
Token-endpoint enforcement of RFC 9449 DPoP: validates the proof JWT carried on the
inbound DPoP header against the request's method+URI, runs the layered
nonce-policy if the deployment requires it, and stashes the proof's JWK thumbprint on
the validation context so the processor can bind cnf.jkt onto the issued access
token.
public class DPoPTokenEndpointValidator : Abblix.Oidc.Server.Features.DPoP.DPoPNonceValidator, Abblix.Oidc.Server.Endpoints.Token.Validation.ITokenContextValidator
Inheritance System.Object → DPoPNonceValidator → DPoPTokenEndpointValidator
Implements ITokenContextValidator
Remarks
Sits AFTER ClientValidator in the composite — that ordering is
load-bearing because this step reads ClientInfo
to decide whether DPoP is mandatory (RequireDPoP)
or opportunistic. When the client opts in but the proof is missing, the request is
rejected with invalid_dpop_proof; when the client does not opt in, a missing
proof is silently accepted (Bearer token issued downstream) and a present-and-valid
proof still binds the token (RFC 9449 §5.2 server-side opportunistic binding).
Constructors
DPoPTokenEndpointValidator(ILogger<DPoPTokenEndpointValidator>, IProofValidator, INonceService, IOptionsMonitor<OidcOptions>) Constructor
Token-endpoint enforcement of RFC 9449 DPoP: validates the proof JWT carried on the
inbound DPoP header against the request's method+URI, runs the layered
nonce-policy if the deployment requires it, and stashes the proof's JWK thumbprint on
the validation context so the processor can bind cnf.jkt onto the issued access
token.
public DPoPTokenEndpointValidator(Microsoft.Extensions.Logging.ILogger<Abblix.Oidc.Server.Endpoints.Token.Validation.DPoPTokenEndpointValidator> logger, Abblix.Oidc.Server.Features.DPoP.IProofValidator proofValidator, Abblix.Oidc.Server.Features.Nonces.INonceService nonceService, Microsoft.Extensions.Options.IOptionsMonitor<Abblix.Oidc.Server.Common.Configuration.OidcOptions> options);
Parameters
logger Microsoft.Extensions.Logging.ILogger<DPoPTokenEndpointValidator>
proofValidator IProofValidator
nonceService INonceService
options Microsoft.Extensions.Options.IOptionsMonitor<OidcOptions>
Remarks
Sits AFTER ClientValidator in the composite — that ordering is
load-bearing because this step reads ClientInfo
to decide whether DPoP is mandatory (RequireDPoP)
or opportunistic. When the client opts in but the proof is missing, the request is
rejected with invalid_dpop_proof; when the client does not opt in, a missing
proof is silently accepted (Bearer token issued downstream) and a present-and-valid
proof still binds the token (RFC 9449 §5.2 server-side opportunistic binding).
Methods
DPoPTokenEndpointValidator.ValidateAsync(TokenValidationContext) Method
Asynchronously validates the token request within the provided context, checking for compliance with the necessary validation rules such as client authentication, scope validation, grant validation, etc.
public System.Threading.Tasks.Task<Abblix.Oidc.Server.Common.OidcError?> ValidateAsync(Abblix.Oidc.Server.Endpoints.Token.Validation.TokenValidationContext context);
Parameters
context TokenValidationContext
The context containing the token request and related information that needs to be validated.
Implements ValidateAsync(TokenValidationContext)
Returns
System.Threading.Tasks.Task<OidcError>
A OidcError containing error details if the validation fails;
otherwise, returns null indicating that the validation was successful.