Skip to main content

BackChannelAuthenticationOptions Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Common.Configuration

BackChannelAuthenticationOptions Class

Provides configuration options for the backchannel authentication process.

public record BackChannelAuthenticationOptions : System.IEquatable<Abblix.Oidc.Server.Common.Configuration.BackChannelAuthenticationOptions>

Inheritance System.Object → BackChannelAuthenticationOptions

Implements System.IEquatable<BackChannelAuthenticationOptions>

Fields

BackChannelAuthenticationOptions.MinimumRequestIdLength Field

Minimum length for authentication request identifiers as required by CIBA specification (128 bits = 16 bytes).

public const int MinimumRequestIdLength = 16;

Field Value

System.Int32

Properties

BackChannelAuthenticationOptions.DefaultExpiry Property

Specifies the default expiration time for backchannel authentication requests. This value defines how long the authentication request will remain valid if no specific expiration time is requested. It is set to 5 minutes by default.

public System.TimeSpan DefaultExpiry { get; set; }

Property Value

System.TimeSpan

BackChannelAuthenticationOptions.LongPollingTimeout Property

Specifies the maximum time a long-polling request will wait for authentication status changes. This timeout balances responsiveness (shorter timeout) vs server load (longer timeout). Default is 30 seconds.

public System.TimeSpan LongPollingTimeout { get; set; }

Property Value

System.TimeSpan

Remarks

When a client polls for tokens while authentication is pending and long-polling is enabled, the server holds the connection open for up to this duration. If authentication completes during this window, the response is returned immediately. Otherwise, authorization_pending is returned after the timeout.

BackChannelAuthenticationOptions.MaximumExpiry Property

Specifies the maximum allowed expiration time for backchannel authentication requests. This value restricts the maximum duration an authentication request can be valid for, even if a longer expiration is requested. It is set to 30 minutes by default.

public System.TimeSpan MaximumExpiry { get; set; }

Property Value

System.TimeSpan

BackChannelAuthenticationOptions.NotificationHttpClientHandlerLifetime Property

Specifies the lifetime for HTTP client handlers used in ping mode notifications. This controls how long HttpClient instances are pooled before being recreated.

public System.TimeSpan NotificationHttpClientHandlerLifetime { get; set; }

Property Value

System.TimeSpan

Remarks

Default is 5 minutes. Shorter lifetimes help with DNS changes and connection pool refresh, but may impact performance. Longer lifetimes reduce overhead but may cause stale connections.

BackChannelAuthenticationOptions.NotificationHttpClientTimeout Property

Bounds how long the server waits when POSTing a ping/push notification to a client's notification endpoint. Caps the time a slow or unresponsive client-controlled endpoint can tie up the authentication-completion path. Default is 30 seconds.

public System.TimeSpan NotificationHttpClientTimeout { get; set; }

Property Value

System.TimeSpan

BackChannelAuthenticationOptions.PollingInterval Property

Defines the polling interval used by clients to check the status of a backchannel authentication request. It is set to 5 seconds by default, ensuring that clients can frequently check for authentication updates without overwhelming the server.

public System.TimeSpan PollingInterval { get; set; }

Property Value

System.TimeSpan

BackChannelAuthenticationOptions.RequestIdLength Property

Specifies the length of authentication request identifiers used by the OIDC server. This value ensures that each backchannel authentication request is uniquely identified. Per CIBA specification, the auth_req_id MUST have a minimum entropy of 128 bits (16 bytes).

public int RequestIdLength { get; init; }

Property Value

System.Int32

Remarks

The minimum value is 16 bytes (128 bits) as required by OpenID Connect CIBA specification. Default is 64 bytes (512 bits) for enhanced security.

BackChannelAuthenticationOptions.UseLongPolling Property

Indicates whether long polling is used for backchannel authentication status updates. When set to true, clients may use long polling techniques to wait for authentication status changes, which reduces the need for frequent polling requests.

public bool UseLongPolling { get; set; }

Property Value

System.Boolean

BackChannelAuthenticationOptions.UserCodeParameterSupported Property

Indicates whether the server supports the user_code parameter in backchannel authentication requests. When enabled, clients may provide a user code that must be validated during authentication.

public bool UserCodeParameterSupported { get; set; }

Property Value

System.Boolean

Remarks

This is an optional CIBA feature. When enabled, the UserCodeValidator will enforce user code presence for clients configured to require it.