| DPoPAlgorithms | Single source of truth for the DPoP signing-algorithm whitelist (RFC 9449 §4.2, §7.1). Both the proof-validator's enforcement (it rejects proofs whose alg header sits outside this set) and the resource-server's `WWW-Authenticate: DPoP |
| algs="..."` challenge advertisement read from here, so adding a new algorithm (e.g. EdDSA when the JWS layer gains support) propagates everywhere automatically. | |
| DPoPNonceValidator | Base class for DPoP-aware endpoint validators that enforce the RFC 9449 §8 nonce challenge-response loop. Encapsulates the proof-claim check, fresh-nonce issuance, and UseDPoPNonceError shaping; concrete validators override Abblix.Oidc.Server.Features.DPoP.DPoPNonceValidator.LogNonceChallengeIssued to attribute the «challenge issued» event to their own endpoint EventId. |
| Proof | The product of a successfully validated DPoP proof: the parsed JWT (so callers can read claims the validator does not consume itself, e.g. nonce), the public-only JWK extracted from the proof's jwk header, its base64url-encoded RFC 7638 JWK Thumbprint (the value that goes into cnf.jkt on the issued access token and matches against dpop_jkt), the proof-unique jti for downstream replay protection, and the iat the proof claims to have been signed at. |
| ProofError | Describes why a DPoP proof was rejected. Reason is a stable token suitable for log filters and metric labels; Detail is a human-readable hint that MUST NOT contain attacker-controllable input verbatim, since this string can surface in error responses and operator dashboards. |
| ProofErrorReasons | Stable, machine-friendly reason tokens that Abblix.Oidc.Server.Features.DPoP.ProofValidator assigns to Reason for log filters and metric labels. These are the internal fine-grained failure categories; the OAuth-protocol-level error code surfaced to clients is always invalid_dpop_proof (or use_dpop_nonce for the nonce-required path) regardless of which of these matched. |