Skip to main content

IDPoPUserInfoValidator Interface

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.UserInfo.Interfaces

IDPoPUserInfoValidator Interface

Validates the DPoP-binding contract on a UserInfo request per RFC 9449 §7.1: when the inbound access token is DPoP-bound (carries cnf.jkt), the request MUST present Authorization: DPoP <token> together with a valid DPoP header proof whose key thumbprint matches the access token's cnf.jkt and whose ath claim equals Base64Url(SHA-256(access_token)). Unbound (Bearer) access tokens passed via the Bearer scheme bypass the check.

public interface IDPoPUserInfoValidator

Derived
DPoPUserInfoValidator

Methods

IDPoPUserInfoValidator.ValidateAsync(ClientRequest, JsonWebToken, string) Method

Returns null on success, an OidcError describing the binding failure otherwise. The typed subclasses InvalidDPoPProofError and UseDPoPNonceError let the response formatter pattern-match for the RFC 9449 §7.1 WWW-Authenticate: DPoP challenge or the §8 nonce response header attachment.

System.Threading.Tasks.Task<Abblix.Oidc.Server.Common.OidcError?> ValidateAsync(Abblix.Oidc.Server.Model.ClientRequest clientRequest, Abblix.Jwt.JsonWebToken accessToken, string rawAccessToken);

Parameters

clientRequest ClientRequest

Carries the Authorization scheme + token plus the optional DPoP proof header.

accessToken JsonWebToken

The parsed access-token JWT whose cnf.jkt (when present) the proof must match.

rawAccessToken System.String

The original on-the-wire access-token string used to compute ath = Base64Url(SHA-256(access_token)).

Returns

System.Threading.Tasks.Task<OidcError>