ValidationParameters Class
Abblix.Jwt
Abblix.Jwt
ValidationParameters Class
Defines parameters used during the validation of a JSON Web Token (JWT).
public record ValidationParameters : System.IEquatable<Abblix.Jwt.ValidationParameters>
Inheritance System.Object → ValidationParameters
Implements System.IEquatable<ValidationParameters>
Properties
ValidationParameters.AllowedSigningAlgorithms Property
JWS signing algorithms (per RFC 7518) that the validator MUST accept; any other
alg in the JOSE header causes rejection. When null or empty the
check is skipped — the validator only enforces the basic
RequireSignedTokens rule (which forbids
none) and lets any registered signer match.
public System.Collections.Generic.IReadOnlySet<string>? AllowedSigningAlgorithms { get; init; }
Property Value
System.Collections.Generic.IReadOnlySet<System.String>
Remarks
Use this to express policy beyond "signed-or-not" without writing per-algorithm matchers in callers: pass the asymmetric-only set to enforce DPoP RFC 9449 §4.2, pass {RS256, ES256} to require small-footprint algorithms only, and so on. Comparison is byte-exact per RFC 7515 §5.3.
ValidationParameters.ClockSkew Property
Time window applied to accommodate clock discrepancies when validating timestamps.
public System.TimeSpan ClockSkew { get; set; }
Property Value
ValidationParameters.ExpectedTokenTypes Property
Token-type values (per RFC 7515 §4.1.9 typ header) that the JWT MUST match.
When non-null and non-empty the validator pins typ per RFC 8725 §3.11 to
prevent token-class confusion: a JWS signed for one class (id_token, logout_token,
request_object, DPoP proof, JARM response, OAuth access_token) cannot be replayed
as another by relying parties that trust the same issuer for several classes.
public System.Collections.Generic.IReadOnlySet<string>? ExpectedTokenTypes { get; init; }
Property Value
System.Collections.Generic.IReadOnlySet<System.String>
Remarks
Comparison follows the spec rules: case-sensitive (RFC 7515 §5.3), with the
application/-prefix-stripping convention from §4.1.9 applied before lookup
— typ=at+jwt and typ=application/at+jwt are accepted equivalently.
When this property is null or empty the validator skips the check, preserving
historical behaviour for callers that have not opted in.
ValidationParameters.Options Property
Options that control various aspects of JWT validation.
public Abblix.Jwt.ValidationOptions Options { get; init; }
Property Value
ValidationParameters.ResolveIssuerSigningKeys Property
Delegate that resolves the signing keys for a given issuer, used during token signature validation.
public Abblix.Jwt.ValidationParameters.ResolveIssuerSigningKeysDelegate? ResolveIssuerSigningKeys { get; set; }
Property Value
ResolveIssuerSigningKeysDelegate(string)
ValidationParameters.ResolveTokenDecryptionKeys Property
Delegate that resolves decryption keys for a given issuer, used during token decryption.
public Abblix.Jwt.ValidationParameters.ResolveTokenDecryptionKeysDelegate? ResolveTokenDecryptionKeys { get; set; }
Property Value
ResolveTokenDecryptionKeysDelegate(string)
ValidationParameters.ValidateAudience Property
Delegate used to validate one or more token audiences.
public Abblix.Jwt.ValidationParameters.ValidateAudienceDelegate? ValidateAudience { get; set; }
Property Value
ValidateAudienceDelegate(IEnumerable<string>)
ValidationParameters.ValidateIssuer Property
Delegate used to verify the validity of a token issuer.
public Abblix.Jwt.ValidationParameters.ValidateIssuersDelegate? ValidateIssuer { get; set; }