TsgcHTTP_OAuth2_Client › Properties › DPoPOptions
DPoP (Demonstrating Proof-of-Possession, RFC 9449) key material and signing options attached to token requests and protected resource calls.
property DPoPOptions: TsgcHTTPOAuth2_DPoP_Options read FDPoPOptions write SetDPoPOptions;
Default: Enabled=False, Algorithm=dpopES256, PrivateKey empty, PublicKeyJWK empty.
When Enabled is True, the client builds a DPoP proof JWT on every call to the token endpoint (and on resource calls when the access token is bound to the key), adds it as the DPoP HTTP header, and automatically handles the DPoP-Nonce challenge returned by the authorization server.
Enabled: True to bind access tokens to the client's public key (OAuth 2.1 / RFC 9449). Default False.
Algorithm: dpopES256 (ECDSA P-256, default) or dpopRS256 (RSA 2048+).
PrivateKey: TStringList containing the PEM-encoded private key used to sign proofs. Must match Algorithm.
PublicKeyJWK: public key in JWK form, sent in the jwk header of each proof. The client derives the JWK thumbprint (jkt) from this value.
Each DPoP proof carries the htu (HTTP target URI) and htm (HTTP method) claims of the request it protects, a fresh jti, and the server-supplied nonce when present. Failed calls returning use_dpop_nonce are retried automatically with the new nonce.
oOAuth2.DPoPOptions.Enabled := True;
oOAuth2.DPoPOptions.Algorithm := dpopES256;
oOAuth2.DPoPOptions.PrivateKey.LoadFromFile('dpop_ec_private.pem');
oOAuth2.DPoPOptions.PublicKeyJWK := '{"kty":"EC","crv":"P-256","x":"...","y":"..."}';
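The receiving side of the claims described above, as an added Python example that is not part of the component or its documentation: it derives the jkt thumbprint from a JWK (RFC 7638) and checks a decoded proof's htm, htu, jti, nonce and key binding. It assumes the proof's signature has already been verified against the jwk header; the function names, sample key coordinates and URLs are constructed for illustration.

```python
import base64, hashlib, json

# RFC 7638 required members per key type; all other JWK members are ignored.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk):
    """SHA-256 JWK thumbprint (RFC 7638): the jkt a DPoP-bound token is tied to."""
    subset = {k: jwk[k] for k in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def check_proof(header, claims, method, url, now, seen_jti,
                nonce=None, bound_jkt=None, max_age=60):
    """Return rejection reasons for a decoded proof; an empty list means accept."""
    errors = []
    jwk = header.get("jwk") or {}
    members = THUMBPRINT_MEMBERS.get(jwk.get("kty"), ())
    if header.get("typ") != "dpop+jwt" or header.get("alg") not in ("ES256", "RS256"):
        errors.append("bad typ/alg")
    if not members or any(k not in jwk for k in members) or "d" in jwk:
        errors.append("bad jwk")          # incomplete key, or private material sent
    elif bound_jkt is not None and jwk_thumbprint(jwk) != bound_jkt:
        errors.append("jkt mismatch")     # token is bound to a different key
    if claims.get("htm") != method:
        errors.append("htm mismatch")
    if claims.get("htu") != url.split("#")[0].split("?")[0]:
        errors.append("htu mismatch")     # htu excludes query and fragment
    if abs(now - claims.get("iat", 0)) > max_age:
        errors.append("stale iat")
    if nonce is not None and claims.get("nonce") != nonce:
        errors.append("use_dpop_nonce")   # client is expected to retry with the nonce
    if not claims.get("jti") or claims["jti"] in seen_jti:
        errors.append("jti replay")
    if not errors:
        seen_jti.add(claims["jti"])       # remember only proofs that were accepted
    return errors

# Constructed sample input: placeholder coordinates, not a real key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "eC1jb29yZA", "y": "eS1jb29yZA", "kid": "k1"}
SAMPLE_HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
SAMPLE_CLAIMS = {"htm": "POST", "htu": "https://as.example/token",
                 "iat": 1700000000, "jti": "constructed-jti-1", "nonce": "n-1"}
```

A proof replayed with the same jti, or sent with a stale nonce, is rejected even though its key and signature are unchanged.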