Skip to main content

IMtlsUserInfoValidator Interface

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.UserInfo.Interfaces

IMtlsUserInfoValidator Interface

Validates the mutual-TLS certificate-binding contract on a UserInfo request per RFC 8705 §3: when the inbound access token is certificate-bound (carries cnf.x5t#S256), the protected resource MUST obtain the client certificate used for mutual TLS and verify that its SHA-256 thumbprint matches the bound value, rejecting the request otherwise. Unbound access tokens bypass the check. Sibling of IDPoPUserInfoValidator: the two proof-of-possession mechanisms (DPoP cnf.jkt and mTLS cnf.x5t#S256) are independent and a token carrying both must satisfy each.

public interface IMtlsUserInfoValidator

Derived
MtlsUserInfoValidator

Methods

IMtlsUserInfoValidator.Validate(ClientRequest, JsonWebToken) Method

Returns null when the binding holds (or the token is not certificate-bound), and an OidcError with invalid_token when the token is bound but the presented certificate is absent or its thumbprint does not match cnf.x5t#S256 (RFC 8705 §3 — HTTP 401, per RFC 6750).

Abblix.Oidc.Server.Common.OidcError? Validate(Abblix.Oidc.Server.Model.ClientRequest clientRequest, Abblix.Jwt.JsonWebToken accessToken);

Parameters

clientRequest ClientRequest

Carries the client certificate presented on the mutual-TLS connection (when any).

accessToken JsonWebToken

The parsed access-token JWT whose cnf.x5t#S256 (when present) the presented certificate must match.

Returns

OidcError