OnDPoPSign (TsgcHTTP_OAuth2_Client event)
Fires when a DPoP proof needs to be signed, allowing the application to override the default signing implementation.
property OnDPoPSign: TsgcOnDPoPSignEvent;
// TsgcOnDPoPSignEvent = procedure(Sender: TObject; const SigningInput, Algorithm: String; var Signature: String; var Handled: Boolean) of object
OnDPoPSign is raised every time the component has to build a DPoP proof JWT (RFC 9449) for an outgoing request to the token endpoint or to a protected resource. SigningInput is the already-serialized "header.payload" string (the JWS signing input) that must be signed, and Algorithm is the JWS alg (ES256, RS256, PS256, EdDSA, etc.) declared in the proof header, so the handler has to sign with a key of the matching type. The handler must place the raw signature bytes, base64url-encoded without padding, into the Signature var parameter and set Handled to True; when Handled is left False the component falls back to its built-in signer using the private key stored in the DPoP options. Typical use cases are delegating the signature to a hardware token, an HSM or an external PKCS#11 module, so that the private key never enters the process.
// Handler assigned to OnDPoPSign. The event type is "of object", so the handler
// must be a method (TForm1 is a placeholder class). HSMSignToBase64Url is an
// application-supplied function, not part of the component: it signs SigningInput
// with the key held by the HSM / smart card for the given Algorithm and returns
// the raw signature bytes base64url-encoded, without padding.
procedure TForm1.OnOAuth2DPoPSign(Sender: TObject; const SigningInput, Algorithm: string;
  var Signature: string; var Handled: Boolean);
begin
  // delegate the DPoP signature to an external HSM / smart card
  Signature := HSMSignToBase64Url(SigningInput, Algorithm);
  // True tells the component to use Signature as-is instead of its built-in signer
  Handled := True;
end;
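The signer contract described above, worked end to end as an added example in Go; it is not code from sgcWebSockets or from this page. It assumes ES256 with a P-256 key, a DPoPSigner callback shaped like the event (signing input and alg in, base64url signature and a handled flag out), and a verifier with a fixed window of 300 seconds around iat; the jti value and the URLs are constructed sample values. The detail most often got wrong when delegating to an HSM is in NewES256Signer: the Signature the event expects for ECDSA algorithms is the raw R||S pair, not the DER encoding most signing APIs return, and VerifyDPoPProof shows why a resource server rejects anything else.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// DPoPSigner mirrors the OnDPoPSign contract: "header.payload" signing input and
// JWS alg in; base64url (unpadded) signature and a Handled flag out.
type DPoPSigner func(signingInput, alg string) (signature string, handled bool)
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// NewES256Signer stands in for an HSM/PKCS#11 adapter: the key never leaves the closure.
func NewES256Signer(priv *ecdsa.PrivateKey) DPoPSigner {
	return func(signingInput, alg string) (string, bool) {
		if alg != "ES256" {
			return "", false // not ours: Handled stays false and the built-in signer runs
		}
		h := sha256.Sum256([]byte(signingInput))
		r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
		if err != nil {
			return "", false
		}
		// JWS ES256 signatures are the raw R||S pair, each left-padded to 32 bytes,
		// NOT the ASN.1/DER blob that most HSM and crypto APIs hand back.
		sig := make([]byte, 64)
		r.FillBytes(sig[:32])
		s.FillBytes(sig[32:])
		return b64url(sig), true
	}
}
// BuildDPoPProof assembles the RFC 9449 proof JWT and delegates only the signature.
func BuildDPoPProof(pub *ecdsa.PublicKey, method, url, jti string, iat time.Time, sign DPoPSigner) (string, error) {
	header := map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": map[string]string{
		"kty": "EC", "crv": "P-256",
		"x":   b64url(pub.X.FillBytes(make([]byte, 32))),
		"y":   b64url(pub.Y.FillBytes(make([]byte, 32))),
	}}
	payload := map[string]any{"jti": jti, "htm": method, "htu": url, "iat": iat.Unix()}
	hb, _ := json.Marshal(header)
	pb, _ := json.Marshal(payload)
	signingInput := b64url(hb) + "." + b64url(pb) // exactly what OnDPoPSign receives
	sig, handled := sign(signingInput, "ES256")
	if !handled {
		return "", fmt.Errorf("external signer did not handle alg ES256")
	}
	return signingInput + "." + sig, nil
}
// VerifyDPoPProof is the resource-server side: header, raw-signature length, curve
// membership and htm/htu/iat binding. RFC 9449 also requires a jti replay cache (not shown).
func VerifyDPoPProof(proof, method, url string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("proof is not a compact JWS")
	}
	var header struct { Typ, Alg string; JWK struct{ Kty, Crv, X, Y string } } // json matches keys case-insensitively
	var claims struct { Jti, Htm, Htu string; Iat int64 }
	hb, errH := base64.RawURLEncoding.DecodeString(parts[0])
	pb, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil || len(sig) != 64 {
		return fmt.Errorf("bad base64url, or signature is not a raw 64-byte R||S")
	}
	if json.Unmarshal(hb, &header) != nil || json.Unmarshal(pb, &claims) != nil {
		return fmt.Errorf("header or payload is not valid JSON")
	}
	xb, errX := base64.RawURLEncoding.DecodeString(header.JWK.X)
	yb, errY := base64.RawURLEncoding.DecodeString(header.JWK.Y)
	if header.Typ != "dpop+jwt" || header.Alg != "ES256" || header.JWK.Kty != "EC" ||
		header.JWK.Crv != "P-256" || errX != nil || errY != nil || len(xb) != 32 || len(yb) != 32 {
		return fmt.Errorf("header is not a P-256 ES256 DPoP header (typ=%q alg=%q)", header.Typ, header.Alg)
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	if !pub.IsOnCurve(pub.X, pub.Y) { // reject points that are not on the curve
		return fmt.Errorf("jwk point is not on P-256")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("signature does not verify under the embedded jwk")
	}
	skew := now.Unix() - claims.Iat
	if claims.Jti == "" || claims.Htm != method || claims.Htu != url || skew < -300 || skew > 300 {
		return fmt.Errorf("proof not bound to this request (htm=%q htu=%q skew=%ds)", claims.Htm, claims.Htu, skew)
	}
	return nil
}
func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // jti below is a constructed sample value
	proof, err := BuildDPoPProof(&priv.PublicKey, "POST", "https://as.example/token", "constructed-jti-1", time.Now(), NewES256Signer(priv))
	fmt.Println(proof, err, VerifyDPoPProof(proof, "POST", "https://as.example/token", time.Now()))
}
```

A signer that returns a DER-encoded ECDSA signature produces a proof that fails the 64-byte length check in VerifyDPoPProof, which is the usual symptom of an HSM adapter that was not converted to the JWS raw format; returning handled=false for an alg the adapter does not support lets the component's built-in signer take over, matching the Handled semantics of the event.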