Skip to main content

JwtBearerOptions Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Common.Configuration

JwtBearerOptions Class

Configuration options for JWT Bearer grant type (RFC 7523). Defines trusted external identity providers whose JWT assertions can be exchanged for access tokens.

public record JwtBearerOptions : System.IEquatable<Abblix.Oidc.Server.Common.Configuration.JwtBearerOptions>

Inheritance System.Object → JwtBearerOptions

Implements System.IEquatable<JwtBearerOptions>

Properties

JwtBearerOptions.AllowedTokenTypes Property

Allowed values for the 'typ' (type) header in JWT assertions. When not empty, JWTs must have a typ header matching one of these values. Common values include "JWT" and "at+jwt". Default is empty (typ header validation disabled).

public string[] AllowedTokenTypes { get; set; }

Property Value

System.String[]

Remarks

While RFC 7523 does not mandate typ header validation, validating it prevents token confusion attacks in multi-token environments where different token types (access tokens, ID tokens, assertions) may coexist. Set to ["JWT"] or ["at+jwt"] based on your token ecosystem requirements.

JwtBearerOptions.ClockSkew Property

The clock skew tolerance for JWT validation. Allows for small differences in clock times between the JWT issuer and this server. Default is 5 minutes, as recommended by RFC 7523 Section 3.

public System.TimeSpan ClockSkew { get; set; }

Property Value

System.TimeSpan

JwtBearerOptions.JwksCacheDuration Property

The duration for which JWKS (JSON Web Key Sets) are cached before being refreshed. Reduces network calls and improves performance while ensuring keys are periodically updated. Default is 1 hour.

public System.TimeSpan JwksCacheDuration { get; set; }

Property Value

System.TimeSpan

JwtBearerOptions.MaxJwtAge Property

Maximum age of JWT assertions based on the 'iat' (issued at) claim. JWTs issued more than this duration in the past will be rejected. Set to null to disable this validation. Default is 10 minutes.

public System.Nullable<System.TimeSpan> MaxJwtAge { get; set; }

Property Value

System.Nullable<System.TimeSpan>

Remarks

Per RFC 7523 Section 3: "The authorization server MAY reject JWTs with an 'iat' claim value that is unreasonably far in the past." This provides defense-in-depth against replay attacks, especially useful when RequireJti is disabled or when the JTI cache has gaps.

JwtBearerOptions.MaxJwtSize Property

Maximum allowed size for JWT assertions in characters. Prevents denial-of-service attacks via excessively large JWTs. Default is 8192 (8KB).

public int MaxJwtSize { get; set; }

Property Value

System.Int32

JwtBearerOptions.RequireJti Property

Indicates whether the 'jti' (JWT ID) claim is required for replay protection. When enabled, JWTs without a jti claim will be rejected to prevent replay attacks. Default is true per RFC 7523 Section 5.2 security recommendation.

public bool RequireJti { get; set; }

Property Value

System.Boolean

JwtBearerOptions.StrictAudienceValidation Property

When true, the JWT audience claim must exactly match the token endpoint URL per RFC 7523 Section 3. When false, the application base URI is also accepted for compatibility with common implementations. Default is true for strict RFC 7523 compliance and security.

public bool StrictAudienceValidation { get; set; }

Property Value

System.Boolean

Remarks

Set to false only if you have legacy clients that use the application base URI as audience. Accepting the base URI widens the attack surface as JWTs intended for other endpoints on the same server could potentially be misused.

JwtBearerOptions.TrustedIssuers Property

Collection of trusted issuers configuration for JWT Bearer grant type. Each entry defines an external identity provider that is trusted to issue JWT assertions that can be exchanged for access tokens at this authorization server.

public System.Collections.Generic.IEnumerable<Abblix.Oidc.Server.Common.Configuration.TrustedIssuer> TrustedIssuers { get; set; }

Property Value

System.Collections.Generic.IEnumerable<TrustedIssuer>

Remarks

Use cases include: - Service-to-service authentication with pre-existing trust relationships - Token exchange between federated identity providers - Cross-domain single sign-on (SSO) scenarios - API-to-API communication with JWT from external identity provider