3.2.5.3.3 Processing Details
When the server receives the challenge response, the server SHOULD perform the same checks that it performed to determine whether to issue an issuer-based or thumbprint-based certificate challenge (section 3.2.5).
If the request contains an Authorization header that has an AuthToken parameter, the server uses all of the following criteria to verify the client's proof of possession of the appropriate private key:
- The Signed-JWT parameter that was generated in section 3.1.5.2.1 or section 3.1.5.3.1 has a valid signature according to the JWS specification.
- The Signed-JWT parameter contains the JWS headers specified in section 2.2.1.2.
- The x5c attribute of the JWS headers contains an X509 certificate that meets the proof of possession criteria for this server request.
- [Client Token].nonce (section 3.1.5.2.3 or section 3.1.5.3.3) is the same as the nonce specified in the challenge (section 3.2.5.1.2 or section 3.2.5.2.2).
- [Client Token].aud is the same as the URL that is being requested.
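The following Go program is an added worked example of these server-side checks; it is not code from the specification or from any Microsoft implementation. It assumes the JWS headers required by section 2.2.1.2 are alg, typ and x5c with alg fixed to RS256, models the thumbprint-based criteria as a SHA-256 match against the certificate the challenge asked for, and uses a placeholder URL and constructed nonces. The certificate and key pairs are generated in the program itself, so it runs offline. The verifier checks the signature against the key carried in x5c rather than against any key supplied out of band, which is what turns a valid-looking JWS into a proof of possession, and then binds the token to the challenge (nonce) and to the request (aud); selfCheck exercises the accept path and each rejection path.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// jwsHeader: the JWS headers the challenge response is assumed to carry (x5c holds standard-base64 DER).
type jwsHeader struct {
	Alg string   `json:"alg"`
	Typ string   `json:"typ"`
	X5c []string `json:"x5c"`
}

// clientToken: the [Client Token] claims compared against the challenge nonce and the requested URL.
type clientToken struct {
	Aud   string `json:"aud"`
	Nonce string `json:"nonce"`
}

var b64 = base64.RawURLEncoding // compact JWS segments are unpadded base64url

// makeCert builds a self-signed RSA certificate: constructed test material, not a real device certificate.
func makeCert(cn string) (*rsa.PrivateKey, *x509.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // cannot fail with rand.Reader and a valid size
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der) // DER produced one line above always parses
	return key, cert
}

// signToken produces the client's RS256 compact JWS. key and cert are separate parameters so the
// self-check can sign with a key that does not belong to the x5c certificate.
func signToken(key *rsa.PrivateKey, cert *x509.Certificate, aud, nonce string) string {
	hdr, _ := json.Marshal(jwsHeader{Alg: "RS256", Typ: "JWT", X5c: []string{base64.StdEncoding.EncodeToString(cert.Raw)}})
	claims, _ := json.Marshal(clientToken{Aud: aud, Nonce: nonce})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { panic(err) }
	return input + "." + b64.EncodeToString(sig)
}

// verifyAuthToken applies this section's server-side checks to the AuthToken value, in the order listed.
// certOK encodes the issuer-based or thumbprint-based criteria of the challenge that was issued.
func verifyAuthToken(token, challengeNonce, requestedURL string, certOK func(*x509.Certificate) bool) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return errors.New("not a compact JWS") }
	var hdr jwsHeader
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return errors.New("unreadable JWS header")
	}
	// Required headers. The server pins the algorithm instead of trusting whatever alg the token names.
	if hdr.Alg != "RS256" || hdr.Typ != "JWT" || len(hdr.X5c) == 0 {
		return errors.New("required JWS headers missing or unexpected")
	}
	der, err := base64.StdEncoding.DecodeString(hdr.X5c[0])
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil { return errors.New("x5c certificate unreadable") }
	// The x5c certificate must meet the challenge's issuer or thumbprint criteria before its key is trusted.
	if !certOK(cert) { return errors.New("x5c certificate does not meet server criteria") }
	pub, ok := cert.PublicKey.(*rsa.PublicKey) // RS256 assumed, so only RSA keys are accepted here
	if !ok { return errors.New("x5c key is not RSA") }
	// Proof of possession: the signature must verify under the public key carried in x5c, not any other key.
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("JWS signature invalid for the x5c certificate")
	}
	var tok clientToken
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &tok) != nil {
		return errors.New("unreadable claims")
	}
	// nonce ties the response to this challenge, so an earlier token cannot be replayed.
	if tok.Nonce != challengeNonce { return errors.New("nonce does not match the challenge") }
	// aud ties the response to this URL, so a token obtained for another endpoint is refused.
	if tok.Aud != requestedURL { return errors.New("aud does not match the requested URL") }
	return nil
}

// selfCheck runs the verifier over constructed tokens and reports the outcome of each scenario.
func selfCheck() (validAccepted, staleNonceRejected, wrongAudRejected, wrongKeyRejected, unknownCertRejected bool) {
	const url = "https://sts.example.invalid/adfs/ls/" // placeholder URL, not from the specification
	key, cert := makeCert("device-a")
	otherKey, otherCert := makeCert("device-b")
	want := sha256.Sum256(cert.Raw) // thumbprint-based criteria: only this certificate is acceptable
	policy := func(c *x509.Certificate) bool { return sha256.Sum256(c.Raw) == want }
	verify := func(tok string) bool { return verifyAuthToken(tok, "nonce-123", url, policy) == nil }
	validAccepted = verify(signToken(key, cert, url, "nonce-123"))
	staleNonceRejected = !verify(signToken(key, cert, url, "nonce-old"))
	wrongAudRejected = !verify(signToken(key, cert, "https://other.invalid/", "nonce-123"))
	wrongKeyRejected = !verify(signToken(otherKey, cert, url, "nonce-123"))       // x5c cert A, signed with key B
	unknownCertRejected = !verify(signToken(otherKey, otherCert, url, "nonce-123")) // valid JWS, wrong certificate
	return
}
```

The wrongKeyRejected scenario is the one worth studying: the token is a well-formed JWS with a certificate that passes the policy, and it is refused only because the signature does not verify under that certificate's key. A server that validated the signature with a key looked up by thumbprint, subject or any other identifier the client supplies, rather than the key inside the x5c certificate that the policy just approved, would accept it.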
If the request contains an Authorization header, but no AuthToken parameter, the server can conclude that the client does not have an X509 certificate that meets the server's criteria.
If the request does not contain an Authorization header, the server MUST evaluate the client for a challenge as specified in section 3.2.5.1 or section 3.2.5.2.