Skip to main content

MtlsUserInfoValidator Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.UserInfo.Validation

MtlsUserInfoValidator Class

Resource-server-side enforcement of RFC 8705 §3 mutual-TLS certificate-bound access tokens at the UserInfo endpoint. Mirrors the role of DPoPUserInfoValidator for the cnf.x5t#S256 binding: when the access token is certificate-bound, the SHA-256 thumbprint of the certificate presented on the mutual-TLS connection MUST match the bound value, otherwise the request is rejected with invalid_token (HTTP 401, per RFC 6750).

public class MtlsUserInfoValidator : Abblix.Oidc.Server.Endpoints.UserInfo.Interfaces.IMtlsUserInfoValidator

Inheritance System.Object → MtlsUserInfoValidator

Implements IMtlsUserInfoValidator

Methods

MtlsUserInfoValidator.Validate(ClientRequest, JsonWebToken) Method

Returns null when the binding holds (or the token is not certificate-bound), and an OidcError with invalid_token when the token is bound but the presented certificate is absent or its thumbprint does not match cnf.x5t#S256 (RFC 8705 §3 — HTTP 401, per RFC 6750).

public Abblix.Oidc.Server.Common.OidcError? Validate(Abblix.Oidc.Server.Model.ClientRequest clientRequest, Abblix.Jwt.JsonWebToken accessToken);

Parameters

clientRequest ClientRequest

Carries the client certificate presented on the mutual-TLS connection (when any).

accessToken JsonWebToken

The parsed access-token JWT whose cnf.x5t#S256 (when present) the presented certificate must match.

Implements Validate(ClientRequest, JsonWebToken)

Returns

OidcError