Skip to main content

AuthorizationContext Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Common

AuthorizationContext Class

Represents the context of an authorization process, encapsulating the key parameters required for processing authorization requests.

public record AuthorizationContext : System.IEquatable<Abblix.Oidc.Server.Common.AuthorizationContext>

Inheritance System.Object → AuthorizationContext

Implements System.IEquatable<AuthorizationContext>

Remarks

This record is pivotal for tracking the state of an authorization request throughout its lifecycle. It encapsulates details that are critical for the secure issuance of authorization codes and tokens, while ensuring compliance with OAuth 2.0 and OpenID Connect protocols. The context facilitates not just the validation of requests at the token endpoint, but also supports secure interactions by incorporating mechanisms like PKCE and nonce values to mitigate common attack vectors such as code injection and replay attacks. Furthermore, it carries information about requested scopes and claims, enabling fine-grained access control and personalized identity assertion in accordance with the client's needs and the authorization server's policies.

Constructors

AuthorizationContext(string, ScopeDefinition[], ResourceDefinition[], RequestedClaims) Constructor

Initializes a new instance of the AuthorizationContext class with a client ID, a collection of scopes, and optional requested claims.

public AuthorizationContext(string clientId, Abblix.Oidc.Server.Common.Constants.ScopeDefinition[] scopes, Abblix.Oidc.Server.Common.Constants.ResourceDefinition[] resources, Abblix.Oidc.Server.Model.RequestedClaims? requestedClaims);

Parameters

clientId System.String

The unique identifier of the client making the authorization request.

scopes ScopeDefinition[]

An array of scope definitions requested by the client.

resources ResourceDefinition[]

An array of resource definitions associated with the authorization request.

requestedClaims RequestedClaims

Optional claims requested by the client for the authorization process.

AuthorizationContext(string, string[], RequestedClaims, Uri[]) Constructor

Initializes a new instance of the AuthorizationContext class.

public AuthorizationContext(string clientId, string[] scope, Abblix.Oidc.Server.Model.RequestedClaims? requestedClaims, System.Uri[]? resources=null);

Parameters

clientId System.String

The unique identifier of the client making the authorization request.

scope System.String[]

An array of scope values requested by the client, representing the access permissions being sought.

requestedClaims RequestedClaims

Optional claims that the client is requesting as part of the authorization process, providing additional information about the user's identity.

resources System.Uri[]

Optional RFC 8707 resource indicators (absolute URIs) the issued token is bound to. This is the single construction point every path funnels the resource set through: the direct grants (client_credentials, password, jwt-bearer, token-exchange), the authorize/CIBA/device path (via the ScopeDefinition/ResourceDefinition overload below), and the JWT round-trip. An empty set is canonicalized to null (no audience restriction).

Properties

AuthorizationContext.Actor Property

RFC 8693 §4.1 act claim: the actor party (in delegation flows) the issued token represents. Stored as a raw System.Text.Json.Nodes.JsonObject so nested delegation chains are preserved byte-exact through storage. null for impersonation flows and for non-Token-Exchange grants.

public System.Text.Json.Nodes.JsonObject? Actor { get; init; }

Property Value

System.Text.Json.Nodes.JsonObject

AuthorizationContext.Audiences Property

RFC 8693 §2.1 audience request parameter passed through to the issued token. Logical names of the relying party for which the requested token is intended. Distinct from Resources (RFC 8707 absolute URIs); audience values are opaque strings. JWT emission folds both Resources and Audiences into the aud claim.

public string[]? Audiences { get; init; }

Property Value

System.String[]

AuthorizationContext.AuthorizationDetails Property

The RFC 9396 Rich Authorization Requests array stored as a raw System.Text.Json.Nodes.JsonArray. This is the source of truth — preserved byte-exact (member order, type-specific payload) through the authorize → code → token round-trip and protobuf persistence, without lossy typed deserialise / re-serialise cycles.

public System.Text.Json.Nodes.JsonArray? AuthorizationDetails { get; init; }

Property Value

System.Text.Json.Nodes.JsonArray

AuthorizationContext.CertificateSha256Thumbprint Property

Base64url-encoded SHA-256 thumbprint of the client X.509 certificate used at the token endpoint for mutual TLS client authentication. When present, access tokens carry a confirmation claim (cnf) containing x5t#S256 equal to this value (RFC 8705 §3.1).

public string? CertificateSha256Thumbprint { get; init; }

Property Value

System.String

AuthorizationContext.ClientId Property

The unique identifier for the client making the authorization request, as registered in the authorization server. This identifier is crucial for linking the authorization request and the issued tokens to a specific client application.

public string ClientId { get; init; }

Property Value

System.String

AuthorizationContext.CodeChallenge Property

The high-entropy cryptographic string provided by the client, used in the PKCE (Proof Key for Code Exchange) extension to secure the exchange of the authorization code for a token, especially in public clients and mobile applications.

public string? CodeChallenge { get; init; }

Property Value

System.String

AuthorizationContext.CodeChallengeMethod Property

Specifies the transformation method applied to the 'code_verifier' when generating the 'code_challenge', enhancing the security of PKCE by allowing the authorization server to verify the code exchange authenticity.

public string? CodeChallengeMethod { get; init; }

Property Value

System.String

AuthorizationContext.Nonce Property

A string value used to associate a client session with an ID Token, mitigating replay attacks by ensuring that an ID Token cannot be used in a different context than the one it was intended for.

public string? Nonce { get; init; }

Property Value

System.String

AuthorizationContext.ProofKeyThumbprint Property

RFC 7638 base64url-encoded JWK thumbprint of the DPoP proof-of-possession key bound to this authorization (RFC 9449 §6.1). When present, access tokens carry a cnf.jkt confirmation claim equal to this value, locking the token to the specific key the client demonstrated control of at the token endpoint.

public string? ProofKeyThumbprint { get; init; }

Property Value

System.String

AuthorizationContext.RedirectUri Property

The URI where the authorization response should be sent. This URI must match one of the registered redirects URI for the client application, ensuring that authorization responses are delivered to the correct destination securely.

public System.Uri? RedirectUri { get; init; }

Property Value

System.Uri

AuthorizationContext.RequestedClaims Property

Optional. Specifies the individual Claims requested by the client, providing detailed instructions for the authorization server on the Claims to be returned, either in the ID Token or via the UserInfo endpoint.

public Abblix.Oidc.Server.Model.RequestedClaims? RequestedClaims { get; init; }

Property Value

RequestedClaims

AuthorizationContext.Resources Property

The resources for which the authorization is granted. These resources are typically URIs that identify specific services or data that the client is authorized to access.

public System.Uri[]? Resources { get; init; }

Property Value

System.Uri[]

AuthorizationContext.Scope Property

Defines the scope of access requested by the client. Scopes are used to specify the level of access or permissions that the client is requesting on the user's behalf. They play a key role in enforcing the principle of least privilege.

public string[] Scope { get; init; }

Property Value

System.String[]

AuthorizationContext.X509CertificateSha256Thumbprint Property

Legacy alias for CertificateSha256Thumbprint: forwards to the same backing storage so existing JSON blobs and downstream callers initialising this property still resolve correctly, while the deprecation warning steers new code to the canonical name. The X509 prefix was dropped on the canonical name to align with the cnf-member naming used by CertificateSha256Thumbprint.

public string? X509CertificateSha256Thumbprint { get; init; }

Property Value

System.String

Methods

AuthorizationContext.Deconstruct(string, string[], RequestedClaims) Method

Splits the authorization context into its constructor triple, enabling pattern-style destructuring at the call site.

public void Deconstruct(out string clientId, out string[] scope, out Abblix.Oidc.Server.Model.RequestedClaims? requestedClaims);

Parameters

clientId System.String

Receives the ClientId.

scope System.String[]

Receives the Scope array.

requestedClaims RequestedClaims

Receives the optional RequestedClaims.