From dce724d0e14411f5332fc74731edf0c4909b2f6a Mon Sep 17 00:00:00 2001
From: Ben Peachey
Date: Sun, 14 Jun 2026 15:21:22 +0200
Subject: [PATCH] Add check for 'ath' claim

Updated JWT DPoP validation to check for 'ath' claim and throw an exception if missing.
---
 src/Utils/DPop.php | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/src/Utils/DPop.php b/src/Utils/DPop.php
index eb1c7c9..2cc3d52 100644
--- a/src/Utils/DPop.php
+++ b/src/Utils/DPop.php
@@ -166,17 +166,18 @@ public function makeJwkThumbprint($jwk) {
     public function validateJwtDpop($jwt, $dpop, $request) {
         $this->validateDpop($dpop, $request);
         $jwtConfig = Configuration::forUnsecuredSigner();
-        $jwtConfig->parser()->parse($dpop);
-
-        /**
-         * @FIXME: ATH claim is not yet supported/required by the Solid OIDC specification.
-         * Once the Solid spec catches up to the DPOP spec, not having an ATH is incorrect.
-         * At that point, instead of returning "true", throw an exception:
-         *
-         * @see https://github.com/pdsinterop/php-solid-auth/issues/34
-         */
-        // throw new InvalidTokenException('DPoP "ath" claim is missing');
-        return true;
+        $dpopJWT = $jwtConfig->parser()->parse($dpop);
+
+        $ath = $dpopJWT->claims()->get('ath');
+
+        if ($ath === null) {
+            throw new InvalidTokenException('DPoP "ath" claim is missing');
+        }
+
+        $hash = hash('sha256', $jwt);
+        $encoded = Base64Url::encode($hash);
+
+        return ($ath === $encoded);
     }
 
     /**
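Review bot: The `ath` comparison in validateJwtDpop will not match a spec-conformant client, because `hash('sha256', $jwt)` returns the digest as a lowercase hex string, whereas the DPoP `ath` claim (RFC 9449 §4.3) is the base64url encoding of the raw SHA-256 digest bytes of the access token. Pass `binary: true` so the raw bytes are base64url-encoded: `$hash = hash('sha256', $jwt, true);`. The final `===` also leaks timing on a secret-derived value and accepts a non-string claim without complaint; `return hash_equals($encoded, (string) $ath);` is the conventional form. The parse itself uses `forUnsecuredSigner()`, so it relies on `validateDpop()` (called on the first line of the hunk, body outside this view) having already verified the DPoP proof's signature — worth confirming rather than assuming, since `ath` binding is meaningless on an unverified proof.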