Skip to main content

JsonWebTokenPayload Class

Abblix.Jwt

Abblix.Jwt

JsonWebTokenPayload Class

Represents the payload part of a JSON Web Token (JWT), containing the claims or statements about the subject.

public class JsonWebTokenPayload

Inheritance System.Object → JsonWebTokenPayload

Remarks

The JWT payload is a JSON object that contains the claims transmitted by the token. Standard claims such as issuer, subject, expiration time, and more can be included, as well as additional claims as needed. This class provides a convenient way to work with the payload, allowing for easy access and modification of claims.

Constructors

JsonWebTokenPayload(JsonObject) Constructor

Represents the payload part of a JSON Web Token (JWT), containing the claims or statements about the subject.

public JsonWebTokenPayload(System.Text.Json.Nodes.JsonObject json);

Parameters

json System.Text.Json.Nodes.JsonObject

Remarks

The JWT payload is a JSON object that contains the claims transmitted by the token. Standard claims such as issuer, subject, expiration time, and more can be included, as well as additional claims as needed. This class provides a convenient way to work with the payload, allowing for easy access and modification of claims.

Properties

JsonWebTokenPayload.Audiences Property

The intended audiences for the JWT.

public System.Collections.Generic.IEnumerable<string> Audiences { get; set; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

JsonWebTokenPayload.AuthContextClassRef Property

Represents the Authentication Context Class Reference (ACR) indicating the authentication context achieved during authentication.

public string? AuthContextClassRef { get; set; }

Property Value

System.String

Remarks

In federated and multi-tenant environments, the acr claim helps assert that the user was authenticated under a specific assurance level (e.g., "urn:openbanking:psd2:sca" or "loa3").

This is particularly important for applications that integrate with external identity providers, regulatory domains (such as finance or healthcare), or environments where different tenants require varying levels of authentication rigor. The ACR value enables relying parties to make access decisions based on agreed-upon trust frameworks and security profiles.

JsonWebTokenPayload.AuthenticationMethodReferences Property

A list of authentication methods used to authenticate the subject, represented as Authentication Method Reference (AMR) values.

public System.Collections.Generic.IEnumerable<string>? AuthenticationMethodReferences { get; set; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

Remarks

In multi-tenant and federated identity systems, this claim helps relying parties understand the authentication strength applied to a user session.

Each value in the list corresponds to a specific method used during authentication, such as "pwd" (password), "mfa" (multi-factor authentication), "otp" (one-time password), or "fido" (FIDO-based authentication).

These values support policy enforcement at the tenant level, allowing services to require particular authentication methods (e.g., tenants enforcing MFA) or to provide differentiated access based on authentication robustness.

JsonWebTokenPayload.AuthenticationTime Property

Represents the time when the authentication occurred, facilitating checks against token freshness and replay attacks.

public System.Nullable<System.DateTimeOffset> AuthenticationTime { get; set; }

Property Value

System.Nullable<System.DateTimeOffset>

Remarks

Storing the authentication time is critical for applications requiring a high level of assurance regarding the moment a user was authenticated, allowing for precise control over session validity and user authentication status.

JsonWebTokenPayload.AuthorizationDetails Property

The RFC 9396 authorization_details claim as a sequence of typed wrappers over the underlying System.Text.Json.Nodes.JsonArray stored at Json[authorization_details]. Each wrapper shares its System.Text.Json.Nodes.JsonNode reference with the corresponding array element — read-through is byte-exact, and property setters on a wrapper mutate the underlying claim in place. Assigning a new sequence rebuilds the raw array via ToRawJsonArray(this IEnumerable<AuthorizationDetail>), deep-cloning each entry's Json to detach parent ownership; assigning null removes the claim. For direct raw access bypass this accessor and use the Json indexer at IanaClaimTypes.AuthorizationDetails.

public System.Collections.Generic.IEnumerable<Abblix.Jwt.AuthorizationDetail>? AuthorizationDetails { get; set; }

Property Value

System.Collections.Generic.IEnumerable<AuthorizationDetail>

JsonWebTokenPayload.AuthorizedParty Property

The authorized party (azp) the JWT was issued to. OpenID Connect Core mandates this claim in an id_token when there is a single audience that differs from the issuer, and whenever the token has more than one audience, naming the party the token was minted for.

public string? AuthorizedParty { get; set; }

Property Value

System.String

JsonWebTokenPayload.ClientId Property

The client ID for which the JWT was issued, identifying the client application in OAuth 2.0 and OpenID Connect flows.

public string? ClientId { get; set; }

Property Value

System.String

Remarks

This property is crucial in scenarios where the JWT is used to convey or assert the identity of a client application to the authorization server or resource server.

JsonWebTokenPayload.Confirmation Property

The proof-of-possession confirmation object (RFC 7800 §3.1 cnf) bound to this JWT. Carries each binding the token holds — cnf.x5t#S256 for mTLS-bound tokens (RFC 8705 §3.1) and cnf.jkt for DPoP-bound tokens (RFC 9449 §6.1) — behind typed accessors. Assignment writes the wrapped System.Text.Json.Nodes.JsonObject as the cnf claim; assigning null removes the claim.

public Abblix.Jwt.JsonWebTokenConfirmation? Confirmation { get; set; }

Property Value

JsonWebTokenConfirmation

JsonWebTokenPayload.DPoPAccessTokenHash Property

The access-token hash bound by a DPoP proof when one accompanies an access token (RFC 9449 §4.2 ath): Base64Url(SHA-256(access_token)).

public string? DPoPAccessTokenHash { get; set; }

Property Value

System.String

JsonWebTokenPayload.DPoPHttpMethod Property

The HTTP method bound by a DPoP proof (RFC 9449 §4.2 htm). Compared byte-exact against the current request method on the server side.

public string? DPoPHttpMethod { get; set; }

Property Value

System.String

JsonWebTokenPayload.DPoPHttpUri Property

The HTTP URI bound by a DPoP proof (RFC 9449 §4.2 htu). Returned as the raw claim string so callers keep the three-way "missing / unparseable / mismatched" distinction; parsing into a System.Uri belongs to the comparison step.

public string? DPoPHttpUri { get; set; }

Property Value

System.String

JsonWebTokenPayload.Email Property

The email address of the subject.

public string? Email { get; set; }

Property Value

System.String

Remarks

When the subject uses external authentication (Google, Microsoft, etc.) or authenticates via email verification, this property contains the exact email used during authentication, ensuring the email claim in ID tokens reflects the authentication method rather than the primary email from the user's profile.

JsonWebTokenPayload.EmailVerified Property

Indicates whether the email address has been verified.

public System.Nullable<bool> EmailVerified { get; set; }

Property Value

System.Nullable<System.Boolean>

Remarks

For external providers that verify emails or when email verification has been completed through challenge flows, this value is set to true. This is used in the email_verified claim in ID tokens.

JsonWebTokenPayload.ExpiresAt Property

The expiration time on or after which the JWT must not be accepted for processing, represented as a Unix timestamp.

public System.Nullable<System.DateTimeOffset> ExpiresAt { get; set; }

Property Value

System.Nullable<System.DateTimeOffset>

JsonWebTokenPayload.GrantId Property

Identifies the authorization grant this refresh token belongs to, binding it to the lineage of every refresh token derived from the same grant. A first-issued token starts a new grant; each rotation carries the value forward, so a detected replay can revoke the whole family in one registry write (RFC 9700 Section 4.14.2).

public string? GrantId { get; set; }

Property Value

System.String

Remarks

Present only on refresh tokens (rt+jwt); absent (null) on all other token types, which leaves the family cascade in the token-status validator inert for them.

JsonWebTokenPayload.IdentityProvider Property

Identifies the identity provider that authenticated the end user, useful in federated identity scenarios.

public string? IdentityProvider { get; set; }

Property Value

System.String

Remarks

This claim is particularly relevant in systems that support multiple identity providers, helping to trace the origin of the authentication and ensuring that the JWT can be validated appropriately.

JsonWebTokenPayload.IssuedAt Property

The time at which the JWT was issued, represented as a Unix timestamp.

public System.Nullable<System.DateTimeOffset> IssuedAt { get; set; }

Property Value

System.Nullable<System.DateTimeOffset>

JsonWebTokenPayload.Issuer Property

The issuer of the JWT.

public string? Issuer { get; set; }

Property Value

System.String

JsonWebTokenPayload.Json Property

The underlying mutable JSON object backing the strongly-typed accessors on this payload. Use this for custom claims that are not exposed as named properties on this class.

public System.Text.Json.Nodes.JsonObject Json { get; }

Property Value

System.Text.Json.Nodes.JsonObject

JsonWebTokenPayload.JwtId Property

The unique identifier of the JWT.

public string? JwtId { get; set; }

Property Value

System.String

JsonWebTokenPayload.Nonce Property

A value used to associate a client session with an ID token, mitigating replay attacks.

public string? Nonce { get; set; }

Property Value

System.String

JsonWebTokenPayload.NotBefore Property

The time before which the JWT must not be accepted for processing, represented as a Unix timestamp.

public System.Nullable<System.DateTimeOffset> NotBefore { get; set; }

Property Value

System.Nullable<System.DateTimeOffset>

JsonWebTokenPayload.Scope Property

The scope of access granted by the JWT. Scope is typically a space-separated list of permissions or access levels and is not part of the standard JWT claims.

public System.Collections.Generic.IEnumerable<string> Scope { get; set; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

Remarks

The 'scope' claim is often used in OAuth 2.0 and OpenID Connect contexts to specify the extent of access granted by the token. Each value in the list represents a specific permission or access level granted to the token bearer. This property ensures that the scope is represented appropriately as either a single value or an array of values.

JsonWebTokenPayload.SessionId Property

The session ID associated with the JWT, typically used to manage session state across applications.

public string? SessionId { get; set; }

Property Value

System.String

Remarks

The session ID can link the JWT to a specific session for the user, allowing for effective session management and security controls.

JsonWebTokenPayload.Subject Property

The subject of the JWT. The subject typically represents the principal that is the focus of the JWT, often a user identifier.

public string? Subject { get; set; }

Property Value

System.String

Remarks

The 'sub' (subject) claim is a standard claim in JWTs used to uniquely identify the principal, usually in the context of authentication or user identity. It is commonly a user ID or username.

JsonWebTokenPayload.this[string] Property

Indexer to get or set claim values in the payload using the claim name.

public System.Text.Json.Nodes.JsonNode? this[string name] { get; set; }

Parameters

name System.String

The name of the claim.

Property Value

System.Text.Json.Nodes.JsonNode