| BackChannelAuthenticationOptions | Provides configuration options for the backchannel authentication process. |
| BackChannelLogoutOptions | Back-channel logout settings for a single client, as defined by the OpenID Connect Back-Channel Logout 1.0 specification. The OP delivers a signed logout token directly (server-to-server) to the configured endpoint when an end-session occurs, bypassing the user agent. |
| CheckSessionCookieOptions | Defines options for the session check cookie used in monitoring changes in session status. |
| ClientIdOptions | Represents options for generating client IDs. |
| ClientJwksConfigurationExtensions | Configuration-time extensions that populate Jwks from raw configuration sections by binding into JsonWebKeySetSettings (a flat DTO that Microsoft.Extensions.Configuration can handle natively) and mapping to the polymorphic JsonWebKey hierarchy. |
| ClientSecretOptions | Configuration options for generating client secrets in OAuth2/OpenID Connect authentication. |
| DeviceAuthorizationOptions | Provides configuration options for the Device Authorization Grant (RFC 8628). |
| DiscoveryOptions | Defines discovery endpoint options. |
| DPoPNonceOptions | DPoP-specific extension of NonceOptions per RFC 9449 §8. Inherits the generic primitive's AcceptanceWindow and RotationInterval so DPoP can override them independently of any other nonce-service consumer, and adds the per-endpoint policy that says which OAuth endpoints reject DPoP proofs without a nonce claim (responding with use_dpop_nonce and a fresh DPoP-Nonce header). |
| DPoPOptions | Configuration options for OAuth 2.0 DPoP (RFC 9449), covering the proof validator's iat tolerance and DPoP-specific nonce policy. The nonce sub-section inherits from the generic NonceOptions so DPoP can configure stricter values independently of other nonce-service consumers without duplicating field definitions. |
| FrontChannelLogoutOptions | Front-channel logout settings for a single client, as defined by the OpenID Connect Front-Channel Logout 1.0 specification. Tells the authorization server which URL to load in a hidden iframe during end-session processing and whether the iframe URL must carry the user's session identifier. |
| JsonWebKeySetSettings | Flat configuration DTO for a JsonWebKeySet, mirroring RFC 7517 Section 5 (a JSON object with a single keys array). See JsonWebKeySettings for the per-key DTO and the design rationale. |
| JsonWebKeySettings | Flat configuration DTO for a single JSON Web Key, suitable for binding via Microsoft.Extensions.Configuration which cannot instantiate the abstract JsonWebKey base type directly. All cryptographic byte-array members are bound as base64url-encoded strings per RFC 7517; ToJsonWebKey() decodes them and maps the flat shape to the correct concrete subtype based on Kty. |
| JwtBearerOptions | Configuration options for JWT Bearer grant type (RFC 7523). Defines trusted external identity providers whose JWT assertions can be exchanged for access tokens. |
| MtlsAliasesOptions | Options for RFC 8705 mTLS endpoint aliases in discovery. Allows explicitly setting alias URIs. Use DiscoveryOptions.MtlsBaseUri to auto-compute aliases. |
| NewClientOptions | Defaults used by the dynamic client registration endpoint when minting credentials for a newly registered client: how its client identifier and client secret are generated and how long the secret stays valid. |
| OidcOptions | The root of the OIDC configuration. Provides the simplest way to configure and start your OIDC server. |
| SoftwareStatementOptions | Configuration options for software statement validation per RFC 7591 Section 2.3. Software statements are signed JWTs issued by a third-party authority asserting metadata values about the client software. |
| TrustedIssuer | Represents a trusted external identity provider for JWT Bearer grant type. |