TsgcHTTP_OAuth2_Server › Events › OnOAuth2ValidateDPoP
Fires when a resource request carries a DPoP proof header so the application can verify the proof-of-possession (RFC 9449).
property OnOAuth2ValidateDPoP: TsgcHTTPOAuth2ValidateDPoPEvent;
// TsgcHTTPOAuth2ValidateDPoPEvent = procedure(Sender: TObject; Connection: TsgcWSConnection; const DPoPProof, AccessToken: String; var IsValid: Boolean) of object
OnOAuth2ValidateDPoP is raised when a resource request carries a DPoP header and OAuth2Options.DPoP is enabled (RFC 9449). The handler is expected to perform the full proof validation. First, treat DPoPProof as a JWS: require typ to be "dpop+jwt" and alg to be an asymmetric algorithm the server accepts (never "none" or an HMAC algorithm, since the proof would otherwise choose how it is verified), verify the signature with the public key carried in the proof's own jwk header, compute the RFC 7638 thumbprint of that key and require it to equal the cnf.jkt claim of the sender-constrained AccessToken (whose own signature and expiry must be verified before its cnf claim is trusted). Then validate the claims: htm must equal the HTTP method, htu must equal the request URI without query and fragment, iat must lie within a short acceptance window around the server clock, ath must equal the base64url-encoded SHA-256 of the ASCII AccessToken, and jti must be present and not previously seen within that window (keep a short-lived cache so a captured proof cannot be replayed). Set IsValid to True only when every check passes; otherwise the server rejects the request with an invalid_dpop_proof error.
procedure OnOAuth2ValidateDPoP(Sender: TObject; Connection: TsgcWSConnection;
  const DPoPProof, AccessToken: string; var IsValid: Boolean);
begin
  // VerifyDPoPProof is application code, not part of the component: it must verify the
  // JWS signature with the proof's embedded jwk, compare that key's thumbprint with the
  // token's cnf.jkt, and check htm/htu/iat/ath (plus jti for replay) against the request.
  // Fail closed: IsValid is only True when every check passes.
  IsValid := VerifyDPoPProof(DPoPProof, AccessToken,
    Connection.Request.Method, Connection.Request.URL);
end;
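The checks described above, as an added worked example that is not part of sgcWebSockets and not the page's own code: both sides of the exchange, a client building an ES256 proof and the validation a resource server would run inside the event handler. Go is used rather than Delphi so the logic runs unchanged with only the standard library; every name in it (PublicJWK, Thumbprint, MakeProof, Validate, the example URL and the constructed token string) is assumed for illustration. Mapped onto the event, DPoPProof is proof, AccessToken is accessToken, the method and URL come from the request, and IsValid is Validate(...) == nil.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// str reads a string member of a decoded JSON object ("" if absent, not a string, or m is nil).
func str(m map[string]any, k string) string { s, _ := m[k].(string); return s }

// PublicJWK exports a P-256 public key as the JWK the proof's JOSE header carries.
func PublicJWK(pub *ecdsa.PublicKey) map[string]any {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]any{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the required members serialized
// in lexicographic order with no whitespace (json.Marshal sorts map keys), base64url encoded.
func Thumbprint(k map[string]any) string {
	canon, _ := json.Marshal(map[string]string{"crv": str(k, "crv"), "kty": str(k, "kty"), "x": str(k, "x"), "y": str(k, "y")})
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:])
}

// MakeProof is the client side: an ES256 DPoP proof for method/uri bound to accessToken.
func MakeProof(priv *ecdsa.PrivateKey, method, uri, accessToken string, iat int64) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	ath := sha256.Sum256([]byte(accessToken))
	h, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": PublicJWK(&priv.PublicKey)})
	c, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": method, "htu": uri, "iat": iat, "ath": b64.EncodeToString(ath[:])})
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS uses raw r||s, not DER
	return input + "." + b64.EncodeToString(sig), nil
}

// Validate runs every check the event handler owns and reports the first failure. cnfJkt is cnf.jkt from
// the already-authenticated access token; now/maxAge are Unix seconds; seen is the server's jti replay cache.
func Validate(proof, method, requestURL, accessToken, cnfJkt string, now, maxAge int64, seen map[string]bool) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sb, e3 := b64.DecodeString(parts[2])
	var h, c map[string]any
	if e1 != nil || e2 != nil || e3 != nil || len(sb) != 64 || json.Unmarshal(hb, &h) != nil || json.Unmarshal(cb, &c) != nil {
		return errors.New("bad encoding")
	}
	jwk, _ := h["jwk"].(map[string]any)
	x, _ := b64.DecodeString(str(jwk, "x")) // a missing or bad coordinate becomes a point the curve check rejects
	y, _ := b64.DecodeString(str(jwk, "y"))
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if i := strings.IndexAny(requestURL, "?#"); i >= 0 { // htu is compared without query and fragment
		requestURL = requestURL[:i]
	}
	iat, _ := c["iat"].(float64)
	ath := sha256.Sum256([]byte(accessToken))
	for _, ck := range []struct {
		bad bool
		msg string
	}{
		// Pin typ, alg and key type first: the proof never gets to pick alg=none or an HMAC alg.
		{str(h, "typ") != "dpop+jwt" || str(h, "alg") != "ES256" || str(jwk, "kty") != "EC" || str(jwk, "crv") != "P-256", "typ/alg/key not acceptable"},
		{Thumbprint(jwk) != cnfJkt, "proof key does not match cnf.jkt"},
		{!pub.IsOnCurve(pub.X, pub.Y) || !ecdsa.Verify(&pub, digest[:], new(big.Int).SetBytes(sb[:32]), new(big.Int).SetBytes(sb[32:])), "signature invalid"},
		{str(c, "htm") != method, "htm does not match request method"},
		{str(c, "htu") != requestURL, "htu does not match request URL"},
		{now-int64(iat) > maxAge || int64(iat)-now > maxAge, "iat outside acceptance window"},
		{str(c, "ath") != b64.EncodeToString(ath[:]), "ath does not match access token"},
		{str(c, "jti") == "" || seen[str(c, "jti")], "jti missing or replayed"},
	} {
		if ck.bad {
			return errors.New(ck.msg)
		}
	}
	seen[str(c, "jti")] = true
	return nil
}
```

The check table is ordered so that cheap structural checks run before the signature and the key binding is confirmed before the proof is trusted for anything else; a production handler would also evict jti entries older than maxAge and, if the server issues DPoP nonces, compare the nonce claim.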