| IDPoPUserInfoValidator | Validates the DPoP-binding contract on a UserInfo request per RFC 9449 §7.1: when the inbound access token is DPoP-bound (carries cnf.jkt), the request MUST present Authorization: DPoP <token> together with a valid DPoP header proof whose key thumbprint matches the access token's cnf.jkt and whose ath claim equals Base64Url(SHA-256(access_token)). Unbound (Bearer) access tokens passed via the Bearer scheme bypass the check. |
| IMtlsUserInfoValidator | Validates the mutual-TLS certificate-binding contract on a UserInfo request per RFC 8705 §3: when the inbound access token is certificate-bound (carries cnf.x5t#S256), the protected resource MUST obtain the client certificate used for mutual TLS and verify that its SHA-256 thumbprint matches the bound value, rejecting the request otherwise. Unbound access tokens bypass the check. Sibling of IDPoPUserInfoValidator: the two proof-of-possession mechanisms (DPoP cnf.jkt and mTLS cnf.x5t#S256) are independent and a token carrying both must satisfy each. |
| IUserInfoHandler | Endpoint contract for the OpenID Connect UserInfo endpoint (OIDC Core 1.0 §5.3), which returns claims about the authenticated end-user identified by the bearer access token presented per RFC 6750. |
| IUserInfoRequestProcessor | Generates a response containing information about a user account. |
| IUserInfoRequestValidator | Parses and validates an access token provided in a user info request. |