Skip to main content

ValidationParameters Class

Abblix.Jwt

Abblix.Jwt

ValidationParameters Class

Defines parameters used during the validation of a JSON Web Token (JWT).

public record ValidationParameters : System.IEquatable<Abblix.Jwt.ValidationParameters>

Inheritance System.Object → ValidationParameters

Implements System.IEquatable<ValidationParameters>

Properties

ValidationParameters.AllowedSigningAlgorithms Property

JWS signing algorithms (per RFC 7518) that the validator MUST accept; any other alg in the JOSE header causes rejection. When null or empty the check is skipped — the validator only enforces the basic RequireSignedTokens rule (which forbids none) and lets any registered signer match.

public System.Collections.Generic.IReadOnlySet<string>? AllowedSigningAlgorithms { get; init; }

Property Value

System.Collections.Generic.IReadOnlySet<System.String>

Remarks

Use this to express policy beyond "signed-or-not" without writing per-algorithm matchers in callers: pass the asymmetric-only set to enforce DPoP RFC 9449 §4.2, pass {RS256, ES256} to require small-footprint algorithms only, and so on. Comparison is byte-exact per RFC 7515 §5.3.

ValidationParameters.ClockSkew Property

Time window applied to accommodate clock discrepancies when validating timestamps.

public System.TimeSpan ClockSkew { get; set; }

Property Value

System.TimeSpan

ValidationParameters.ExpectedTokenTypes Property

Token-type values (per RFC 7515 §4.1.9 typ header) that the JWT MUST match. When non-null and non-empty the validator pins typ per RFC 8725 §3.11 to prevent token-class confusion: a JWS signed for one class (id_token, logout_token, request_object, DPoP proof, JARM response, OAuth access_token) cannot be replayed as another by relying parties that trust the same issuer for several classes.

public System.Collections.Generic.IReadOnlySet<string>? ExpectedTokenTypes { get; init; }

Property Value

System.Collections.Generic.IReadOnlySet<System.String>

Remarks

Comparison follows the spec rules: case-sensitive (RFC 7515 §5.3), with the application/-prefix-stripping convention from §4.1.9 applied before lookup — typ=at+jwt and typ=application/at+jwt are accepted equivalently. When this property is null or empty the validator skips the check, preserving historical behaviour for callers that have not opted in.

ValidationParameters.Options Property

Options that control various aspects of JWT validation.

public Abblix.Jwt.ValidationOptions Options { get; init; }

Property Value

ValidationOptions

ValidationParameters.ResolveIssuerSigningKeys Property

Delegate that resolves the signing keys for a given issuer, used during token signature validation.

public Abblix.Jwt.ValidationParameters.ResolveIssuerSigningKeysDelegate? ResolveIssuerSigningKeys { get; set; }

Property Value

ResolveIssuerSigningKeysDelegate(string)

ValidationParameters.ResolveTokenDecryptionKeys Property

Delegate that resolves decryption keys for a given issuer, used during token decryption.

public Abblix.Jwt.ValidationParameters.ResolveTokenDecryptionKeysDelegate? ResolveTokenDecryptionKeys { get; set; }

Property Value

ResolveTokenDecryptionKeysDelegate(string)

ValidationParameters.ValidateAudience Property

Delegate used to validate one or more token audiences.

public Abblix.Jwt.ValidationParameters.ValidateAudienceDelegate? ValidateAudience { get; set; }

Property Value

ValidateAudienceDelegate(IEnumerable<string>)

ValidationParameters.ValidateIssuer Property

Delegate used to verify the validity of a token issuer.

public Abblix.Jwt.ValidationParameters.ValidateIssuersDelegate? ValidateIssuer { get; set; }

Property Value

ValidateIssuersDelegate(string)