Proof Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Features.DPoP
Proof Class
The product of a successfully validated DPoP proof: the parsed JWT (so callers can read
claims the validator does not consume itself, e.g. nonce), the public-only JWK
extracted from the proof's jwk header, its base64url-encoded RFC 7638 JWK
Thumbprint (the value that goes into cnf.jkt on the issued access token and
matches against dpop_jkt), the proof-unique jti for downstream replay
protection, and the iat the proof claims to have been signed at.
public sealed record Proof : System.IEquatable<Abblix.Oidc.Server.Features.DPoP.Proof>
Inheritance System.Object → Proof
Implements System.IEquatable<Proof>
Constructors
Proof(JsonWebToken, JsonWebKey, string, string, DateTimeOffset) Constructor
The product of a successfully validated DPoP proof: the parsed JWT (so callers can read
claims the validator does not consume itself, e.g. nonce), the public-only JWK
extracted from the proof's jwk header, its base64url-encoded RFC 7638 JWK
Thumbprint (the value that goes into cnf.jkt on the issued access token and
matches against dpop_jkt), the proof-unique jti for downstream replay
protection, and the iat the proof claims to have been signed at.
public Proof(Abblix.Jwt.JsonWebToken Token, Abblix.Jwt.JsonWebKey ProofKey, string ProofKeyThumbprint, string JwtId, System.DateTimeOffset IssuedAt);
Parameters
Token JsonWebToken
The parsed proof JWT. The validator already produced this object internally; carrying it through saves callers a re-parse when they need claims outside the validator's contract (notably DPoP-Nonce checks layered on top).
ProofKey JsonWebKey
The public-only JWK from the proof header.
ProofKeyThumbprint System.String
RFC 7638 base64url-encoded JWK Thumbprint of
ProofKey. This is the value that goes into cnf.jkt on the issued
access token (RFC 9449 §6.1) — the role-name «proof key thumbprint» reflects the
protocol-level meaning, while the wire-level cnf-member retains the RFC's
jkt spelling.
JwtId System.String
The jti claim of the proof. The validator does not check it
against any cache; the layered replay-cache slice consumes this value.
IssuedAt System.DateTimeOffset
The iat claim of the proof, parsed from the JWT
numeric-date.
Properties
Proof.IssuedAt Property
The iat claim of the proof, parsed from the JWT
numeric-date.
public System.DateTimeOffset IssuedAt { get; init; }
Property Value
Proof.JwtId Property
The jti claim of the proof. The validator does not check it
against any cache; the layered replay-cache slice consumes this value.
public string JwtId { get; init; }
Property Value
Proof.ProofKey Property
The public-only JWK from the proof header.
public Abblix.Jwt.JsonWebKey ProofKey { get; init; }
Property Value
Proof.ProofKeyThumbprint Property
RFC 7638 base64url-encoded JWK Thumbprint of
ProofKey. This is the value that goes into cnf.jkt on the issued
access token (RFC 9449 §6.1) — the role-name «proof key thumbprint» reflects the
protocol-level meaning, while the wire-level cnf-member retains the RFC's
jkt spelling.
public string ProofKeyThumbprint { get; init; }
Property Value
Proof.Token Property
The parsed proof JWT. The validator already produced this object internally; carrying it through saves callers a re-parse when they need claims outside the validator's contract (notably DPoP-Nonce checks layered on top).
public Abblix.Jwt.JsonWebToken Token { get; init; }