IMtlsUserInfoValidator Interface
Abblix.Oidc.Server
Abblix.Oidc.Server.Endpoints.UserInfo.Interfaces
IMtlsUserInfoValidator Interface
Validates the mutual-TLS certificate-binding contract on a UserInfo request per
RFC 8705 §3: when the inbound access token is certificate-bound (carries
cnf.x5t#S256), the protected resource MUST obtain the client certificate used for
mutual TLS and verify that its SHA-256 thumbprint matches the bound value, rejecting the
request otherwise. Unbound access tokens bypass the check. Sibling of
IDPoPUserInfoValidator: the two proof-of-possession mechanisms (DPoP
cnf.jkt and mTLS cnf.x5t#S256) are independent and a token carrying both
must satisfy each.
public interface IMtlsUserInfoValidator
Derived
↳ MtlsUserInfoValidator
Methods
IMtlsUserInfoValidator.Validate(ClientRequest, JsonWebToken) Method
Returns null when the binding holds (or the token is not certificate-bound),
and an OidcError with invalid_token when the token is bound but
the presented certificate is absent or its thumbprint does not match
cnf.x5t#S256 (RFC 8705 §3 — HTTP 401, per RFC 6750).
Abblix.Oidc.Server.Common.OidcError? Validate(Abblix.Oidc.Server.Model.ClientRequest clientRequest, Abblix.Jwt.JsonWebToken accessToken);
Parameters
clientRequest ClientRequest
Carries the client certificate presented on the mutual-TLS connection (when any).
accessToken JsonWebToken
The parsed access-token JWT whose cnf.x5t#S256
(when present) the presented certificate must match.