Skip to main content

Proof Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.DPoP

Proof Class

The product of a successfully validated DPoP proof: the parsed JWT (so callers can read claims the validator does not consume itself, e.g. nonce), the public-only JWK extracted from the proof's jwk header, its base64url-encoded RFC 7638 JWK Thumbprint (the value that goes into cnf.jkt on the issued access token and matches against dpop_jkt), the proof-unique jti for downstream replay protection, and the iat the proof claims to have been signed at.

public sealed record Proof : System.IEquatable<Abblix.Oidc.Server.Features.DPoP.Proof>

Inheritance System.Object → Proof

Implements System.IEquatable<Proof>

Constructors

Proof(JsonWebToken, JsonWebKey, string, string, DateTimeOffset) Constructor

The product of a successfully validated DPoP proof: the parsed JWT (so callers can read claims the validator does not consume itself, e.g. nonce), the public-only JWK extracted from the proof's jwk header, its base64url-encoded RFC 7638 JWK Thumbprint (the value that goes into cnf.jkt on the issued access token and matches against dpop_jkt), the proof-unique jti for downstream replay protection, and the iat the proof claims to have been signed at.

public Proof(Abblix.Jwt.JsonWebToken Token, Abblix.Jwt.JsonWebKey ProofKey, string ProofKeyThumbprint, string JwtId, System.DateTimeOffset IssuedAt);

Parameters

Token JsonWebToken

The parsed proof JWT. The validator already produced this object internally; carrying it through saves callers a re-parse when they need claims outside the validator's contract (notably DPoP-Nonce checks layered on top).

ProofKey JsonWebKey

The public-only JWK from the proof header.

ProofKeyThumbprint System.String

RFC 7638 base64url-encoded JWK Thumbprint of ProofKey. This is the value that goes into cnf.jkt on the issued access token (RFC 9449 §6.1) — the role-name «proof key thumbprint» reflects the protocol-level meaning, while the wire-level cnf-member retains the RFC's jkt spelling.

JwtId System.String

The jti claim of the proof. The validator does not check it against any cache; the layered replay-cache slice consumes this value.

IssuedAt System.DateTimeOffset

The iat claim of the proof, parsed from the JWT numeric-date.

Properties

Proof.IssuedAt Property

The iat claim of the proof, parsed from the JWT numeric-date.

public System.DateTimeOffset IssuedAt { get; init; }

Property Value

System.DateTimeOffset

Proof.JwtId Property

The jti claim of the proof. The validator does not check it against any cache; the layered replay-cache slice consumes this value.

public string JwtId { get; init; }

Property Value

System.String

Proof.ProofKey Property

The public-only JWK from the proof header.

public Abblix.Jwt.JsonWebKey ProofKey { get; init; }

Property Value

JsonWebKey

Proof.ProofKeyThumbprint Property

RFC 7638 base64url-encoded JWK Thumbprint of ProofKey. This is the value that goes into cnf.jkt on the issued access token (RFC 9449 §6.1) — the role-name «proof key thumbprint» reflects the protocol-level meaning, while the wire-level cnf-member retains the RFC's jkt spelling.

public string ProofKeyThumbprint { get; init; }

Property Value

System.String

Proof.Token Property

The parsed proof JWT. The validator already produced this object internally; carrying it through saves callers a re-parse when they need claims outside the validator's contract (notably DPoP-Nonce checks layered on top).

public Abblix.Jwt.JsonWebToken Token { get; init; }

Property Value

JsonWebToken