| AuthorizationContext | Represents the context of an authorization process, encapsulating the key parameters required for processing authorization requests. |
| AuthorizationContextExtensions | Provides extension methods for working with AuthorizationContext objects, facilitating the conversion between authorization contexts and JWT claims. |
| ClaimsExtensions | Helpers for working with System.Security.Claims.ClaimsPrincipal and System.Security.Claims.Claim sequences: classify claims as registered/public/private (per IANA), filter or replace them by type, and look up values by claim name in a case-insensitive manner. |
| Cookie | Represents an HTTP cookie along with its options. |
| CookieOptions | Represents options for an HTTP cookie, including properties for HTTP-only, essential, secure, path, domain, SameSite attribute, expiration, and maximum age. |
| HttpRequestMessageExtensions | Extension methods for System.Net.Http.HttpRequestMessage. |
| InvalidDPoPProofError | Subtype of OidcError tagging an RFC 9449 §7.1 DPoP proof rejection at a protected endpoint (UserInfo, introspection, revocation). The typed marker lets the response formatter pattern-match deterministically and emit the WWW-Authenticate: DPoP error="invalid_dpop_proof" challenge instead of a Bearer challenge, without string-comparing the error code. Mirrors UseDPoPNonceError. |
| JsonWebKeyExtensions | Provides extensions for asynchronous operations on a sequence of JsonWebKey objects. |
| MissingAuthenticationError | Subtype of OidcError tagging a request to a protected endpoint that carried no authentication information at all. RFC 6750 §3.1: in that case the challenge SHOULD NOT include an error code or other error attributes — a bare WWW-Authenticate header simply tells the client that authentication is required. The error code still drives the internal 401 status-code mapping; only the challenge attributes are suppressed by the builder. Mirrors InvalidDPoPProofError as a typed marker for deterministic pattern matching. |
| OidcError | Represents an error that occurred during OAuth 2.0/OpenID Connect request processing. |
| ParametersProvider | Extracts parameters from an object by serializing it to a JSON element and enumerating its properties. Pure System.Text.Json, framework-neutral — the single implementation both the MVC and Minimal API transports use. |
| UseDPoPNonceError | Subtype of OidcError that signals an RFC 9449 §8 nonce-challenge: the DPoP proof either omitted the nonce claim or carried a stale one, and the server is responding with use_dpop_nonce plus a fresh nonce the client must echo on the next attempt. The carried Nonce value travels out through the response formatter as the DPoP-Nonce HTTP header alongside the standard error envelope — the body shape stays {error, error_description}; the nonce rides on a header, not in the JSON. |
| WwwAuthenticateBuilder | Builds WWW-Authenticate challenge values for the Bearer scheme (RFC 6750 §3) and the DPoP scheme (RFC 9449 §7.1). Endpoint-agnostic and framework-agnostic so the same emission logic serves UserInfo, introspection, revocation, and any future protected endpoint, regardless of whether the host is ASP.NET Core MVC, minimal APIs, or another framework altogether. |