AuthorizationContext Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Common
AuthorizationContext Class
Represents the context of an authorization process, encapsulating the key parameters required for processing authorization requests.
public record AuthorizationContext : System.IEquatable<Abblix.Oidc.Server.Common.AuthorizationContext>
Inheritance System.Object → AuthorizationContext
Implements System.IEquatable<AuthorizationContext>
Remarks
This record is pivotal for tracking the state of an authorization request throughout its lifecycle. It encapsulates details that are critical for the secure issuance of authorization codes and tokens, while ensuring compliance with OAuth 2.0 and OpenID Connect protocols. The context facilitates not just the validation of requests at the token endpoint, but also supports secure interactions by incorporating mechanisms like PKCE and nonce values to mitigate common attack vectors such as code injection and replay attacks. Furthermore, it carries information about requested scopes and claims, enabling fine-grained access control and personalized identity assertion in accordance with the client's needs and the authorization server's policies.
Constructors
AuthorizationContext(string, ScopeDefinition[], ResourceDefinition[], RequestedClaims) Constructor
Initializes a new instance of the AuthorizationContext class with a client ID, a collection of scopes, and optional requested claims.
public AuthorizationContext(string clientId, Abblix.Oidc.Server.Common.Constants.ScopeDefinition[] scopes, Abblix.Oidc.Server.Common.Constants.ResourceDefinition[] resources, Abblix.Oidc.Server.Model.RequestedClaims? requestedClaims);
Parameters
clientId System.String
The unique identifier of the client making the authorization request.
scopes ScopeDefinition[]
An array of scope definitions requested by the client.
resources ResourceDefinition[]
An array of resource definitions associated with the authorization request.
requestedClaims RequestedClaims
Optional claims requested by the client for the authorization process.
AuthorizationContext(string, string[], RequestedClaims, Uri[]) Constructor
Initializes a new instance of the AuthorizationContext class.
public AuthorizationContext(string clientId, string[] scope, Abblix.Oidc.Server.Model.RequestedClaims? requestedClaims, System.Uri[]? resources=null);
Parameters
clientId System.String
The unique identifier of the client making the authorization request.
scope System.String[]
An array of scope values requested by the client, representing the access permissions being sought.
requestedClaims RequestedClaims
Optional claims that the client is requesting as part of the authorization process, providing additional information about the user's identity.
resources System.Uri[]
Optional RFC 8707 resource indicators (absolute URIs) the issued token is bound to. This is
the single construction point every path funnels the resource set through: the direct grants
(client_credentials, password, jwt-bearer, token-exchange), the authorize/CIBA/device path
(via the ScopeDefinition/ResourceDefinition overload below), and
the JWT round-trip. An empty set is canonicalized to null (no audience restriction).
Properties
AuthorizationContext.Actor Property
RFC 8693 §4.1 act claim: the actor party (in delegation flows) the issued token
represents. Stored as a raw System.Text.Json.Nodes.JsonObject so nested delegation chains are
preserved byte-exact through storage. null for impersonation flows and for
non-Token-Exchange grants.
public System.Text.Json.Nodes.JsonObject? Actor { get; init; }
Property Value
System.Text.Json.Nodes.JsonObject
AuthorizationContext.Audiences Property
RFC 8693 §2.1 audience request parameter passed through to the issued token. Logical
names of the relying party for which the requested token is intended. Distinct from
Resources (RFC 8707 absolute URIs); audience values are opaque strings. JWT
emission folds both Resources and Audiences into the aud claim.
public string[]? Audiences { get; init; }
Property Value
AuthorizationContext.AuthorizationDetails Property
The RFC 9396 Rich Authorization Requests array stored as a raw System.Text.Json.Nodes.JsonArray. This is the source of truth — preserved byte-exact (member order, type-specific payload) through the authorize → code → token round-trip and protobuf persistence, without lossy typed deserialise / re-serialise cycles.
public System.Text.Json.Nodes.JsonArray? AuthorizationDetails { get; init; }
Property Value
System.Text.Json.Nodes.JsonArray
AuthorizationContext.CertificateSha256Thumbprint Property
Base64url-encoded SHA-256 thumbprint of the client X.509 certificate used at the token endpoint
for mutual TLS client authentication. When present, access tokens carry a confirmation
claim (cnf) containing x5t#S256 equal to this value (RFC 8705 §3.1).
public string? CertificateSha256Thumbprint { get; init; }
Property Value
AuthorizationContext.ClientId Property
The unique identifier for the client making the authorization request, as registered in the authorization server. This identifier is crucial for linking the authorization request and the issued tokens to a specific client application.
public string ClientId { get; init; }
Property Value
AuthorizationContext.CodeChallenge Property
The high-entropy cryptographic string provided by the client, used in the PKCE (Proof Key for Code Exchange) extension to secure the exchange of the authorization code for a token, especially in public clients and mobile applications.
public string? CodeChallenge { get; init; }
Property Value
AuthorizationContext.CodeChallengeMethod Property
Specifies the transformation method applied to the 'code_verifier' when generating the 'code_challenge', enhancing the security of PKCE by allowing the authorization server to verify the code exchange authenticity.
public string? CodeChallengeMethod { get; init; }
Property Value
AuthorizationContext.Nonce Property
A string value used to associate a client session with an ID Token, mitigating replay attacks by ensuring that an ID Token cannot be used in a different context than the one it was intended for.
public string? Nonce { get; init; }
Property Value
AuthorizationContext.ProofKeyThumbprint Property
RFC 7638 base64url-encoded JWK thumbprint of the DPoP proof-of-possession key
bound to this authorization (RFC 9449 §6.1). When present, access tokens carry a
cnf.jkt confirmation claim equal to this value, locking the token to the
specific key the client demonstrated control of at the token endpoint.
public string? ProofKeyThumbprint { get; init; }
Property Value
AuthorizationContext.RedirectUri Property
The URI where the authorization response should be sent. This URI must match one of the registered redirects URI for the client application, ensuring that authorization responses are delivered to the correct destination securely.
public System.Uri? RedirectUri { get; init; }
Property Value
AuthorizationContext.RequestedClaims Property
Optional. Specifies the individual Claims requested by the client, providing detailed instructions for the authorization server on the Claims to be returned, either in the ID Token or via the UserInfo endpoint.
public Abblix.Oidc.Server.Model.RequestedClaims? RequestedClaims { get; init; }
Property Value
AuthorizationContext.Resources Property
The resources for which the authorization is granted. These resources are typically URIs that identify specific services or data that the client is authorized to access.
public System.Uri[]? Resources { get; init; }
Property Value
AuthorizationContext.Scope Property
Defines the scope of access requested by the client. Scopes are used to specify the level of access or permissions that the client is requesting on the user's behalf. They play a key role in enforcing the principle of least privilege.
public string[] Scope { get; init; }
Property Value
AuthorizationContext.X509CertificateSha256Thumbprint Property
Legacy alias for CertificateSha256Thumbprint: forwards to the same backing storage so existing JSON blobs and downstream callers initialising this property still resolve correctly, while the deprecation warning steers new code to the canonical name. The X509 prefix was dropped on the canonical name to align with the cnf-member naming used by CertificateSha256Thumbprint.
public string? X509CertificateSha256Thumbprint { get; init; }
Property Value
Methods
AuthorizationContext.Deconstruct(string, string[], RequestedClaims) Method
Splits the authorization context into its constructor triple, enabling pattern-style destructuring at the call site.
public void Deconstruct(out string clientId, out string[] scope, out Abblix.Oidc.Server.Model.RequestedClaims? requestedClaims);
Parameters
clientId System.String
Receives the ClientId.
scope System.String[]
Receives the Scope array.
requestedClaims RequestedClaims
Receives the optional RequestedClaims.