auth.provider API
    Preparing search index...

    Interface TokenBindingMechanism

    One concrete binding mechanism (DPoP, mTLS, etc.). See Wave 2 Token-binding Cluster spec §4.7.

    interface TokenBindingMechanism {
        intentExplicit: boolean;
        kind: string;
        extract(req: Request): Promise<TokenBinding | null>;
    }
    Index

    Properties

    Methods

    Properties

    intentExplicit: boolean

    true when the mechanism's intent signal is an explicit application- layer construction (e.g. a DPoP proof header). false when the signal can be an ambient transport artifact (e.g. an mTLS cert injected by a reverse proxy regardless of client intent).

    kind: string

    Methods

    • Return a TokenBinding of this mechanism's kind, null when the intent signal is absent, or throw a structured error when the signal is present but the proof / cert is invalid. The thrown value MAY carry a code: string field matching /^[a-z][a-z0-9_]*$/ — that code is forwarded as the OAuth error field of the 400 response. Errors without a snake_case code fall back to invalid_<kind>_proof so infrastructure-layer codes (e.g. Node ECONNREFUSED) do not leak through the public error envelope.

      Parameters

      • req: Request

      Returns Promise<TokenBinding | null>