Client-side OAuth 2.0 / OpenID Connect / FAPI 2.0 artifacts and verification.
AttestoClient is the relying-party (client) counterpart to
attesto (the authorization server). Where
attesto verifies client artifacts and issues server artifacts with the
authorization server's keystore, this library builds client-side wire
artifacts and verifies the server artifacts a client receives:
- AttestoClient.ClientAssertion - build a private_key_jwt client authentication assertion (RFC 7523 / OpenID Connect Core §9).
- AttestoClient.RequestObject - build a signed authorization request object (JAR, RFC 9101 / FAPI 2.0 Message Signing §5.3.1).
- AttestoClient.IDToken - verify OpenID Connect ID Tokens, including nonce, max_age, and at_hash / c_hash / s_hash.
- AttestoClient.JARM - verify a signed authorization response (JARM, FAPI 2.0 Message Signing §5.4).
- AttestoClient.IdentityAssertion - build Identity Assertion JWT Authorization Grant assertions (ID-JAG / EMA).
- AttestoClient.PKCE - generate S256 PKCE verifier/challenge pairs.
- AttestoClient.SignedIntrospection - verify RFC 9701 signed introspection responses.
- AttestoClient.UserInfo - verify signed OpenID Connect UserInfo responses.
- AttestoClient.Discovery - fetch and read authorization-server metadata and JWKS (RFC 8414 / OpenID Connect Discovery 1.0).
It is deliberately not a full OAuth client framework: it has no flow
orchestrator, token store, or session handling. It produces and checks the
cryptographic, wire-format artifacts an OAuth/OIDC/FAPI client needs, leaving
HTTP orchestration to the host (DPoP-bound requests are
req_dpop's job).
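
The S256 PKCE pair and the at_hash / c_hash / s_hash checks named in the list above share one primitive (a SHA-2 digest, base64url encoded without padding). The sketch below is an added example in Python, not AttestoClient's code or API; every function name in it is hypothetical, and it assumes the ID Token signature and its "alg" header have already been verified.

```python
import base64
import hashlib
import hmac
import secrets

def b64url(data: bytes) -> str:
    """base64url without padding, as used by PKCE and the OIDC hash claims."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def pkce_pair() -> tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give 43 characters."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)

# Hash function selected by the ID Token's JOSE "alg" header.
# Assumption of this sketch: any alg not matched here is rejected outright.
_HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

def half_hash(value: str, alg: str) -> str:
    """Left-most half of the hash of ASCII(value), base64url encoded."""
    if alg[:2] not in ("RS", "PS", "ES") or alg[2:] not in _HASHES:
        raise ValueError(f"unsupported ID Token alg: {alg!r}")
    digest = _HASHES[alg[2:]](value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def hash_claim_ok(claims: dict, name: str, value: str, alg: str,
                  required: bool = True) -> bool:
    """Check at_hash (access token), c_hash (code) or s_hash (state)."""
    claimed = claims.get(name)
    if claimed is None:
        return not required  # caller decides whether absence is acceptable
    if not isinstance(claimed, str):
        return False  # a claim of the wrong JSON type never matches
    expected = half_hash(value, alg)
    # Constant-time comparison of the claimed and recomputed values.
    return hmac.compare_digest(claimed.encode(), expected.encode())
```

Whether a missing hash claim is acceptable depends on the flow and profile in use, which is why `required` is left to the caller.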
Assurance
The build-side artifacts carry cross-language parity tests where practical, and the mirror modules are covered by in-family interop tests against the corresponding attesto server-side issuer or verifier.