IDPoPUserInfoValidator Interface
Abblix.Oidc.Server
Abblix.Oidc.Server.Endpoints.UserInfo.Interfaces
IDPoPUserInfoValidator Interface
Validates the DPoP-binding contract on a UserInfo request per RFC 9449 §7.1: when the
inbound access token is DPoP-bound (carries cnf.jkt), the request MUST present
Authorization: DPoP <token> together with a valid DPoP header
proof whose key thumbprint matches the access token's cnf.jkt and whose
ath claim equals Base64Url(SHA-256(access_token)). Unbound (Bearer)
access tokens passed via the Bearer scheme bypass the check.
public interface IDPoPUserInfoValidator
Derived
↳ DPoPUserInfoValidator
Methods
IDPoPUserInfoValidator.ValidateAsync(ClientRequest, JsonWebToken, string) Method
Returns null on success, an OidcError describing the binding
failure otherwise. The typed subclasses InvalidDPoPProofError and
UseDPoPNonceError let the response formatter pattern-match for the
RFC 9449 §7.1 WWW-Authenticate: DPoP challenge or the §8 nonce response
header attachment.
System.Threading.Tasks.Task<Abblix.Oidc.Server.Common.OidcError?> ValidateAsync(Abblix.Oidc.Server.Model.ClientRequest clientRequest, Abblix.Jwt.JsonWebToken accessToken, string rawAccessToken);
Parameters
clientRequest ClientRequest
Carries the Authorization scheme + token plus
the optional DPoP proof header.
accessToken JsonWebToken
The parsed access-token JWT whose cnf.jkt
(when present) the proof must match.
rawAccessToken System.String
The original on-the-wire access-token string used
to compute ath = Base64Url(SHA-256(access_token)).