Skip to main content

ValidationOptions Enum

Abblix.Jwt

Abblix.Jwt

ValidationOptions Enum

Set of flags for specifying various validation options for JWT tokens. These options can be combined using bitwise operations to create a customized set of validation rules.

public enum ValidationOptions

Fields

RequireIssuer 1

Requires the issuer claim (iss) to be present in the JWT.

ValidateIssuer 2

Validates the issuer of the JWT if present. Ensures that the issuer claim (iss) matches a specified value, typically configured in the token validation parameters.

RequireAudience 4

Requires the audience claim (aud) to be present in the JWT.

ValidateAudience 8

Validates the audience of the JWT if present. Ensures that the audience claim (aud) matches one of the specified values, typically configured in the token validation parameters.

RequireSignedTokens 16

Rejects tokens issued with the unsecured "none" algorithm, ensuring that every accepted token carries a signature or MAC.

ValidateIssuerSigningKey 32

Validates the signing key of the issuer. Ensures that the key used to sign the JWT is valid and is authorized by the issuer.

ValidateLifetime 64

Validates the lifetime of the JWT. Ensures that the token is within its valid time frame of use (not expired and not yet valid if the 'nbf' claim is specified).

UseEmbeddedVerificationKey 128

Switches signature validation to the embedded-key trust model: the signing key is taken from the JOSE header's jwk parameter (VerificationKey) and the issuer-resolved-keys delegate is bypassed entirely. Set this flag only on validation paths whose protocol design explicitly trusts the proof to carry its own key (DPoP per RFC 9449 §4.2 is the canonical example).

Remarks

Auto-trusting an embedded JWK without an opt-in is a known JWT antipattern: an attacker who controls the token header could substitute their own key. The flag is the explicit caller-side declaration "I am validating a proof whose trust model is embedded-key, not issuer-resolved-key." When the flag is set the JOSE header MUST carry a valid jwk parameter; absence is an error.

RequireValidIssuer 3

Requires and validates the issuer claim (iss). Combines RequireIssuer and ValidateIssuer flags.

RequireValidAudience 12

Requires and validates the audience claim (aud). Combines RequireAudience and ValidateAudience flags.

RequireValidSignedTokens 48

Requires and validates signed tokens. Combines RequireSignedTokens and ValidateIssuerSigningKey flags.

Default 127

Default validation options that include validating the issuer, audience, presence of a signature, validation of the issuer's signing key, and the token's lifetime. This is a common set of validations providing a standard level of security.