NonceValidationFailure Enum
Abblix.Oidc.Server
Abblix.Oidc.Server.Features.Nonces
NonceValidationFailure Enum
Reasons a server-issued nonce can fail validation. The categories are for
log filters and metrics — at the protocol layer DPoP-Nonce flows surface
every failure as the same RFC 9449 §8 use_dpop_nonce error with a
freshly issued nonce in the response header, regardless of the underlying
reason.
public enum NonceValidationFailure
Fields
Malformed 0
The nonce string could not be Base64Url-decoded or has the wrong byte
length to be one of ours. Often a sign of a client mis-handling the
DPoP-Nonce header (truncation, extra whitespace) or of an
attacker probing the endpoint.
OutOfWindow 1
The nonce decoded cleanly but its embedded timestamp is outside the
configured acceptance window — either older than
AcceptanceWindow or too far in the future relative to server
clock. Routine for clients that cached a nonce too long.
BadSignature 2
The HMAC tag does not match what the server would compute for the
embedded timestamp under any in-rotation secret. Indicates either
tampering, a nonce minted by a different deployment, or a brief
rotation race window where the issuing instance's secret has not yet
propagated through IDistributedCache.