MtlsUserInfoValidator Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Endpoints.UserInfo.Validation
MtlsUserInfoValidator Class
Resource-server-side enforcement of RFC 8705 §3 mutual-TLS certificate-bound access tokens
at the UserInfo endpoint. Mirrors the role of DPoPUserInfoValidator for the
cnf.x5t#S256 binding: when the access token is certificate-bound, the SHA-256
thumbprint of the certificate presented on the mutual-TLS connection MUST match the bound
value, otherwise the request is rejected with invalid_token (HTTP 401, per RFC 6750).
public class MtlsUserInfoValidator : Abblix.Oidc.Server.Endpoints.UserInfo.Interfaces.IMtlsUserInfoValidator
Inheritance System.Object → MtlsUserInfoValidator
Implements IMtlsUserInfoValidator
Methods
MtlsUserInfoValidator.Validate(ClientRequest, JsonWebToken) Method
Returns null when the binding holds (or the token is not certificate-bound),
and an OidcError with invalid_token when the token is bound but
the presented certificate is absent or its thumbprint does not match
cnf.x5t#S256 (RFC 8705 §3 — HTTP 401, per RFC 6750).
public Abblix.Oidc.Server.Common.OidcError? Validate(Abblix.Oidc.Server.Model.ClientRequest clientRequest, Abblix.Jwt.JsonWebToken accessToken);
Parameters
clientRequest ClientRequest
Carries the client certificate presented on the mutual-TLS connection (when any).
accessToken JsonWebToken
The parsed access-token JWT whose cnf.x5t#S256
(when present) the presented certificate must match.
Implements Validate(ClientRequest, JsonWebToken)