JwtBearerOptions Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Common.Configuration
JwtBearerOptions Class
Configuration options for JWT Bearer grant type (RFC 7523). Defines trusted external identity providers whose JWT assertions can be exchanged for access tokens.
public record JwtBearerOptions : System.IEquatable<Abblix.Oidc.Server.Common.Configuration.JwtBearerOptions>
Inheritance System.Object → JwtBearerOptions
Implements System.IEquatable<JwtBearerOptions>
Properties
JwtBearerOptions.AllowedTokenTypes Property
Allowed values for the 'typ' (type) header in JWT assertions. When not empty, JWTs must have a typ header matching one of these values. Common values include "JWT" and "at+jwt". Default is empty (typ header validation disabled).
public string[] AllowedTokenTypes { get; set; }
Property Value
Remarks
While RFC 7523 does not mandate typ header validation, validating it prevents token confusion attacks in multi-token environments where different token types (access tokens, ID tokens, assertions) may coexist. Set to ["JWT"] or ["at+jwt"] based on your token ecosystem requirements.
JwtBearerOptions.ClockSkew Property
The clock skew tolerance for JWT validation. Allows for small differences in clock times between the JWT issuer and this server. Default is 5 minutes, as recommended by RFC 7523 Section 3.
public System.TimeSpan ClockSkew { get; set; }
Property Value
JwtBearerOptions.JwksCacheDuration Property
The duration for which JWKS (JSON Web Key Sets) are cached before being refreshed. Reduces network calls and improves performance while ensuring keys are periodically updated. Default is 1 hour.
public System.TimeSpan JwksCacheDuration { get; set; }
Property Value
JwtBearerOptions.MaxJwtAge Property
Maximum age of JWT assertions based on the 'iat' (issued at) claim. JWTs issued more than this duration in the past will be rejected. Set to null to disable this validation. Default is 10 minutes.
public System.Nullable<System.TimeSpan> MaxJwtAge { get; set; }
Property Value
System.Nullable<System.TimeSpan>
Remarks
Per RFC 7523 Section 3: "The authorization server MAY reject JWTs with an 'iat' claim value that is unreasonably far in the past." This provides defense-in-depth against replay attacks, especially useful when RequireJti is disabled or when the JTI cache has gaps.
JwtBearerOptions.MaxJwtSize Property
Maximum allowed size for JWT assertions in characters. Prevents denial-of-service attacks via excessively large JWTs. Default is 8192 (8KB).
public int MaxJwtSize { get; set; }
Property Value
JwtBearerOptions.RequireJti Property
Indicates whether the 'jti' (JWT ID) claim is required for replay protection. When enabled, JWTs without a jti claim will be rejected to prevent replay attacks. Default is true per RFC 7523 Section 5.2 security recommendation.
public bool RequireJti { get; set; }
Property Value
JwtBearerOptions.StrictAudienceValidation Property
When true, the JWT audience claim must exactly match the token endpoint URL per RFC 7523 Section 3. When false, the application base URI is also accepted for compatibility with common implementations. Default is true for strict RFC 7523 compliance and security.
public bool StrictAudienceValidation { get; set; }
Property Value
Remarks
Set to false only if you have legacy clients that use the application base URI as audience. Accepting the base URI widens the attack surface as JWTs intended for other endpoints on the same server could potentially be misused.
JwtBearerOptions.TrustedIssuers Property
Collection of trusted issuers configuration for JWT Bearer grant type. Each entry defines an external identity provider that is trusted to issue JWT assertions that can be exchanged for access tokens at this authorization server.
public System.Collections.Generic.IEnumerable<Abblix.Oidc.Server.Common.Configuration.TrustedIssuer> TrustedIssuers { get; set; }
Property Value
System.Collections.Generic.IEnumerable<TrustedIssuer>
Remarks
Use cases include: - Service-to-service authentication with pre-existing trust relationships - Token exchange between federated identity providers - Cross-domain single sign-on (SSO) scenarios - API-to-API communication with JWT from external identity provider