Add DPoP (RFC 9449) proof creation and server-side validation

Wilson.sln

@@ -105,6 +105,10 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "build", "build", "{BC99A01F
 		build\version.props = build\version.props
 	EndProjectSection
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.IdentityModel.Dpop", "src\Microsoft.IdentityModel.Dpop\Microsoft.IdentityModel.Dpop.csproj", "{38D1BFCB-F8A9-488C-B930-58CA61DC3F08}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.IdentityModel.Dpop.Tests", "test\Microsoft.IdentityModel.Dpop.Tests\Microsoft.IdentityModel.Dpop.Tests.csproj", "{38185C55-DF58-4032-BB85-599BC1D92169}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -227,6 +231,14 @@ Global
 		{F1BB31E4-8865-4425-8BD4-94F1815C16E0}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{F1BB31E4-8865-4425-8BD4-94F1815C16E0}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{F1BB31E4-8865-4425-8BD4-94F1815C16E0}.Release|Any CPU.Build.0 = Release|Any CPU
+		{38D1BFCB-F8A9-488C-B930-58CA61DC3F08}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{38D1BFCB-F8A9-488C-B930-58CA61DC3F08}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{38D1BFCB-F8A9-488C-B930-58CA61DC3F08}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{38D1BFCB-F8A9-488C-B930-58CA61DC3F08}.Release|Any CPU.Build.0 = Release|Any CPU
+		{38185C55-DF58-4032-BB85-599BC1D92169}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{38185C55-DF58-4032-BB85-599BC1D92169}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{38185C55-DF58-4032-BB85-599BC1D92169}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{38185C55-DF58-4032-BB85-599BC1D92169}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -262,6 +274,8 @@ Global
 		{EF9A4431-6D2C-4DD1-BF6B-6F2CC619DEE1} = {8905D2E3-4499-4A86-BF3E-F098F228DD59}
 		{8105289F-3D54-4054-9738-5985F3B6CF2C} = {8905D2E3-4499-4A86-BF3E-F098F228DD59}
 		{F1BB31E4-8865-4425-8BD4-94F1815C16E0} = {2F79F3C4-F4E3-46DD-8B34-8EF403A6F7F5}
+		{38D1BFCB-F8A9-488C-B930-58CA61DC3F08} = {BD2706C5-6C57-484D-89C8-A0CF5F8E3D19}
+		{38185C55-DF58-4032-BB85-599BC1D92169} = {8905D2E3-4499-4A86-BF3E-F098F228DD59}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {2F681326-7ED4-45F6-BD1D-1119EA388F42}

buildConfiguration.xml

@@ -18,6 +18,7 @@
       <project name="Microsoft.IdentityModel.Abstractions" />
       <project name="Microsoft.IdentityModel.TestExtensions" />
       <project name="Microsoft.IdentityModel.LoggingExtensions" />
+      <project name="Microsoft.IdentityModel.Dpop" />
     </src>
     <test>
       <project name="Microsoft.IdentityModel.Logging.Tests" test="yes"/>
@@ -32,6 +33,7 @@
       <project name="Microsoft.IdentityModel.Protocols.OpenIdConnect.Tests" test="yes" />
       <project name="Microsoft.IdentityModel.Protocols.SignedHttpRequest.Tests" test="yes" />
       <project name="Microsoft.IdentityModel.Validators.Tests" test="yes" />
+      <project name="Microsoft.IdentityModel.Dpop.Tests" test="yes" />
       <!-- <project name="Microsoft.IdentityModel.AotCompatibility.Tests" test="yes" /> -->
     </test>
   </projects>

src/Microsoft.IdentityModel.Dpop/DPoPClaimTypes.cs

@@ -0,0 +1,28 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.IdentityModel.Dpop;
+
+/// <summary>
+/// DPoP-specific JWT claim type names per RFC 9449.
+/// </summary>
+public static class DPoPClaimTypes
+{
+    /// <summary>The HTTP method claim.</summary>
+    public const string Htm = "htm";
+
+    /// <summary>The HTTP URI claim.</summary>
+    public const string Htu = "htu";
+
+    /// <summary>The issued-at timestamp claim.</summary>
+    public const string Iat = "iat";
+
+    /// <summary>The JWT unique identifier claim.</summary>
+    public const string Jti = "jti";
+
+    /// <summary>The access token hash claim.</summary>
+    public const string Ath = "ath";
+
+    /// <summary>The server-provided nonce claim.</summary>
+    public const string Nonce = "nonce";
+}

src/Microsoft.IdentityModel.Dpop/DPoPConstants.cs

@@ -0,0 +1,29 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.IdentityModel.Dpop;
+
+/// <summary>
+/// Constants for DPoP (Demonstrating Proof-of-Possession at the Application Layer) per RFC 9449.
+/// </summary>
+/// <remarks>
+/// Claim types are in <see cref="DPoPClaimTypes"/>.
+/// Error codes are in <see cref="DPoPErrorCodes"/>.
+/// </remarks>
+public static class DPoPConstants
+{
+    /// <summary>
+    /// The DPoP token type.
+    /// </summary>
+    public const string DPoPTokenType = "DPoP";
+
+    /// <summary>
+    /// The required <c>typ</c> header value for DPoP proof JWTs.
+    /// </summary>
+    public const string DPoPProofTokenType = "dpop+jwt";
+
+    /// <summary>
+    /// The DPoP nonce HTTP header name.
+    /// </summary>
+    public const string DPoPNonceHeaderName = "DPoP-Nonce";
+}

src/Microsoft.IdentityModel.Dpop/DPoPErrorCodes.cs

@@ -0,0 +1,19 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+namespace Microsoft.IdentityModel.Dpop;
+
+/// <summary>
+/// RFC 9449 error codes for DPoP validation failures.
+/// </summary>
+public static class DPoPErrorCodes
+{
+    /// <summary>The server requires a DPoP nonce.</summary>
+    public const string UseDPoPNonce = "use_dpop_nonce";
+
+    /// <summary>The token is invalid.</summary>
+    public const string InvalidToken = "invalid_token";
+
+    /// <summary>The request is invalid (e.g., missing DPoP proof).</summary>
+    public const string InvalidRequest = "invalid_request";
+}