ValidationOptions Enum
Abblix.Jwt
Abblix.Jwt
ValidationOptions Enum
Set of flags for specifying various validation options for JWT tokens. These options can be combined using bitwise operations to create a customized set of validation rules.
public enum ValidationOptions
Fields
RequireIssuer 1
Requires the issuer claim (iss) to be present in the JWT.
ValidateIssuer 2
Validates the issuer of the JWT if present. Ensures that the issuer claim (iss) matches a specified value, typically configured in the token validation parameters.
RequireAudience 4
Requires the audience claim (aud) to be present in the JWT.
ValidateAudience 8
Validates the audience of the JWT if present. Ensures that the audience claim (aud) matches one of the specified values, typically configured in the token validation parameters.
RequireSignedTokens 16
Rejects tokens issued with the unsecured "none" algorithm, ensuring that every accepted token carries a signature or MAC.
ValidateIssuerSigningKey 32
Validates the signing key of the issuer. Ensures that the key used to sign the JWT is valid and is authorized by the issuer.
ValidateLifetime 64
Validates the lifetime of the JWT. Ensures that the token is within its valid time frame of use (not expired and not yet valid if the 'nbf' claim is specified).
UseEmbeddedVerificationKey 128
Switches signature validation to the embedded-key trust model: the signing key
is taken from the JOSE header's jwk parameter
(VerificationKey) and the issuer-resolved-keys
delegate is bypassed entirely. Set this flag only on validation paths whose
protocol design explicitly trusts the proof to carry its own key (DPoP per
RFC 9449 §4.2 is the canonical example).
Remarks
Auto-trusting an embedded JWK without an opt-in is a known JWT antipattern: an
attacker who controls the token header could substitute their own key. The flag
is the explicit caller-side declaration "I am validating a proof whose trust
model is embedded-key, not issuer-resolved-key." When the flag is set the JOSE
header MUST carry a valid jwk parameter; absence is an error.
RequireValidIssuer 3
Requires and validates the issuer claim (iss). Combines RequireIssuer and ValidateIssuer flags.
RequireValidAudience 12
Requires and validates the audience claim (aud). Combines RequireAudience and ValidateAudience flags.
RequireValidSignedTokens 48
Requires and validates signed tokens. Combines RequireSignedTokens and ValidateIssuerSigningKey flags.
Default 127
Default validation options that include validating the issuer, audience, presence of a signature, validation of the issuer's signing key, and the token's lifetime. This is a common set of validations providing a standard level of security.