validate_dpop_jwt

atproto_oauth::dpop

Function validate_dpop_jwt 

Source 
pub fn validate_dpop_jwt(
    dpop_jwt: &str,
    config: &DpopValidationConfig,
) -> Result<String>
Expand description

Validates a DPoP JWT and returns the JWK thumbprint if validation succeeds.

This function performs comprehensive validation of a DPoP JWT including:

  • JWT structure and format validation
  • Header validation (typ, alg, jwk fields)
  • Claims validation (jti, htm, htu, iat, and optionally ath and nonce)
  • Cryptographic signature verification using the embedded JWK
  • Timestamp validation with configurable tolerances
  • Nonce validation against expected values (if configured)

§Arguments

  • dpop_jwt - The DPoP JWT token as a string
  • config - Validation configuration specifying what to validate

§Returns

  • Ok(String) - The base64url-encoded SHA-256 thumbprint of the validated JWK
  • Err(anyhow::Error) - If any validation step fails

§Errors

This function will return an error if:

  • The JWT format is invalid
  • Required header fields are missing or invalid
  • Required claims are missing or invalid
  • The signature verification fails
  • Timestamp validation fails
  • HTTP method or URI don’t match expected values

§Examples

use atproto_oauth::dpop::{validate_dpop_jwt, DpopValidationConfig};

let dpop_jwt = "eyJhbGciOiJFUzI1NiIsImp3ayI6eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia2lkIjoiZGlkOmtleTp6RG5hZVpVeEFhZDJUbkRYTjFaZWprcFV4TWVvMW9mNzF6NGVackxLRFRtaEQzOEQ3Iiwia3R5IjoiRUMiLCJ1c2UiOiJzaWciLCJ4IjoiaG56dDlSSGppUDBvMFJJTEZacEdjX0phenJUb1pHUzF1d0d5R3JleUNNbyIsInkiOiJzaXJhU2FGU09md3FrYTZRdnR3aUJhM0FKUi14eEhQaWVWZkFhZEhQQ0JRIn0sInR5cCI6ImRwb3Arand0In0.eyJqdGkiOiI2NDM0ZmFlNC00ZTYxLTQ1NDEtOTNlZC1kMzQ5ZjRiMTQ1NjEiLCJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9haXBkZXYudHVubi5kZXYvb2F1dGgvdG9rZW4iLCJpYXQiOjE3NDk3NjQ1MTl9.GkoB00Y-68djRHLhO5-PayNV8PWcQI1pwZaAUL3Hzppj-ga6SKMyGpPwY4kcGdHM7lvvisNkzvd7RjEmdDtnjQ";
let mut config = DpopValidationConfig::for_authorization("POST", "https://aipdev.tunn.dev/oauth/token");
config.max_age_seconds = 9000000;
let thumbprint = validate_dpop_jwt(dpop_jwt, &config)?;
assert_eq!(thumbprint.len(), 43); // SHA-256 base64url is 43 characters