Early Preview
This is currently very much a preview. Please feel free to try things out,
but don't be upset if anything is not yet working. Feedback is welcome over on our
GitHub Discussions page.
interface Duende.IdentityServer.Validation.IDPoPProofValidator
Assembly: Duende.IdentityServer
Validates Demonstrating Proof of Possession (DPoP) proof tokens submitted to IdentityServer.
Remarks
DPoP (RFC 9449) binds an access token to a public key held by the client: every request carries a DPoP proof, a short-lived JWT signed with the client's private key, so a token stolen from a transport or a log cannot be replayed by a party that does not hold that key. IdentityServer invokes this validator at the token endpoint when a client submits a DPoP header, and at the userinfo/introspection endpoints when a DPoP-bound access token is presented.

A default implementation is provided. Override this interface only when custom DPoP proof validation logic is required (for example, stricter nonce policies or additional claim checks). An implementation that replaces the default owns every check RFC 9449 requires: the signature against the JWK embedded in the proof header, the typ, htm and htu values, the iat window, jti replay detection, the nonce when one is required, and the ath hash whenever an access token is bound. Most customisations are therefore better layered on top of the default than written from scratch.

The validator receives a DPoPProofValidationContext describing the HTTP method, URL, proof token string, and optionally the access token to bind against. It returns a DPoPProofValidationResult containing the extracted JWK, thumbprint, and confirmation value, or error details if validation failed.

Register a custom implementation using AddDPoPProofValidator<T>() on the IdentityServer builder.
Methods
System.Threading.Tasks.Task<DPoPProofValidationResult>
ValidateAsync(DPoPProofValidationContext context,
System.Threading.CancellationToken ct)
Validates a DPoP proof token for the current request.
Returns A DPoPProofValidationResult that indicates success or failure. On success,
the result contains the extracted JWK, thumbprint, confirmation value, and payload claims.
On failure, IsError is true and Error / ErrorDescription are set.
context
The validation context, containing the proof token string, the HTTP method and URL to
validate, expiration settings, and optionally the access token to bind against.
ct
The cancellation token.
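As an added example, not part of this page or of the Duende IdentityServer code base, the following custom validator decorates the default implementation rather than replacing it: the default keeps every RFC 9449 check, and the wrapper adds a key-type policy and an extra claim check, the two kinds of customisation the remarks above describe. The class name DefaultDPoPProofValidator, the JsonWebKey and Payload properties on the result, and the settability of IsError, Error and ErrorDescription are assumptions not stated on this page.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Duende.IdentityServer.Validation;
using Microsoft.IdentityModel.Tokens;

// Added example (not project code). Decorator around IdentityServer's default validator.
// All RFC 9449 checks (signature, typ, htm/htu, iat, jti replay, nonce, ath) stay with the
// default; two stricter rules run afterwards. Assumptions not stated on the page:
//  - the default implementation is the class DefaultDPoPProofValidator;
//  - DPoPProofValidationResult exposes the proof's public key as a JWK JSON string in
//    JsonWebKey and the decoded payload claims in Payload (IDictionary<string, object>);
//  - IsError / Error / ErrorDescription are settable.
public sealed class StrictDPoPProofValidator : IDPoPProofValidator
{
    private const int MaxJtiLength = 64;
    private readonly DefaultDPoPProofValidator _inner;

    public StrictDPoPProofValidator(DefaultDPoPProofValidator inner) => _inner = inner;

    public async Task<DPoPProofValidationResult> ValidateAsync(
        DPoPProofValidationContext context, CancellationToken ct)
    {
        // Run the standard validation first; never relax anything it rejects.
        var result = await _inner.ValidateAsync(context, ct);
        if (result.IsError)
        {
            return result;
        }

        // Rule 1: key policy. Accept only EC P-256 keys (ES256) so a client cannot bind
        // tokens to an unexpected key type or curve.
        var jwk = new JsonWebKey(result.JsonWebKey);
        if (jwk.Kty != "EC" || jwk.Crv != "P-256")
        {
            return Fail(result, "invalid_dpop_proof",
                "Only EC P-256 (ES256) DPoP keys are accepted.");
        }

        // Rule 2: additional claim check. Bound the jti length so a client cannot bloat
        // the replay cache with oversized identifiers.
        if (result.Payload is null
            || !result.Payload.TryGetValue("jti", out var jti)
            || jti is not string jtiValue
            || jtiValue.Length == 0
            || jtiValue.Length > MaxJtiLength)
        {
            return Fail(result, "invalid_dpop_proof",
                $"The jti claim must be a non-empty string of at most {MaxJtiLength} characters.");
        }

        return result;
    }

    private static DPoPProofValidationResult Fail(
        DPoPProofValidationResult result, string error, string description)
    {
        result.IsError = true;
        result.Error = error;
        result.ErrorDescription = description;
        return result;
    }
}

// Registration (Program.cs). AddDPoPProofValidator<T>() is named on this page; registering
// DefaultDPoPProofValidator as a concrete service so the decorator can receive it is an
// assumption about the container, not something the page documents.
//
//   builder.Services.AddTransient<DefaultDPoPProofValidator>();
//   builder.Services.AddIdentityServer()
//       .AddDPoPProofValidator<StrictDPoPProofValidator>();
```

A stricter nonce policy fits the same shape: inspect the nonce claim in the payload after the default validator has accepted the proof and fail the result when it is absent. Keeping the default in the chain matters because the error it returns is what IdentityServer uses to drive the DPoP error responses and the replay cache; a wrapper that only adds rejections cannot weaken those guarantees.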