OidcOptions Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Common.Configuration
OidcOptions Class
The root of the OIDC configuration. Provides the simplest way to configure and start your OIDC server.
public record OidcOptions : System.IEquatable<Abblix.Oidc.Server.Common.Configuration.OidcOptions>
Inheritance System.Object → OidcOptions
Implements System.IEquatable<OidcOptions>
Properties
OidcOptions.AccountSelectionUri Property
The URL to a user interface or service that allows users to select an account during the authentication process. This is useful in scenarios where users have multiple accounts and need to choose which one to use for signing in.
public System.Uri? AccountSelectionUri { get; set; }
Property Value
OidcOptions.AuthorizationCodeLength Property
The standard length of the authorization code generated by the server.
public int AuthorizationCodeLength { get; set; }
Property Value
OidcOptions.BackChannelAuthentication Property
Configuration options for the backchannel authentication flow, used in scenarios such as Client-Initiated Backchannel Authentication (CIBA).
public Abblix.Oidc.Server.Common.Configuration.BackChannelAuthenticationOptions BackChannelAuthentication { get; set; }
Property Value
BackChannelAuthenticationOptions
OidcOptions.CheckSessionCookie Property
Options related to the check session mechanism in OIDC. This configuration controls how the OIDC server manages session state information, allowing clients to monitor the login session's status. Properly configuring these options ensures that clients can react to session changes (e.g., logout) in a timely and secure manner.
public Abblix.Oidc.Server.Common.Configuration.CheckSessionCookieOptions CheckSessionCookie { get; set; }
Property Value
OidcOptions.Clients Property
A collection of client configurations supported by this OIDC server. Each ClientInfo object defines the settings and capabilities of a registered client, including client ID, client secrets, redirect URIs, and other OAuth2/OIDC parameters. Proper client configuration is essential for securing client applications and enabling them to interact with the OIDC server according to the OAuth2 and OIDC specifications.
public System.Collections.Generic.IEnumerable<Abblix.Oidc.Server.Features.ClientInformation.ClientInfo> Clients { get; set; }
Property Value
System.Collections.Generic.IEnumerable<ClientInfo>
OidcOptions.ConsentUri Property
The URL to a user interface or service for obtaining user consent during the authentication process. Consent is often required when the client application requests access to user data or when sharing information between different parties. This URI should point to a page or API that can manage consent workflows and communicate the user's decisions back to the OIDC server.
public System.Uri? ConsentUri { get; set; }
Property Value
OidcOptions.DefaultContentEncryptionAlgorithm Property
The default content encryption algorithm used for encrypting JWT tokens. Per RFC 7518 Section 5, specifies how the JWT payload is encrypted using the Content Encryption Key (CEK). Common values: A256CBC-HS512, A128CBC-HS256, A256GCM, A128GCM. Defaults to A256CBC-HS512 for maximum security.
public string DefaultContentEncryptionAlgorithm { get; set; }
Property Value
OidcOptions.DefaultSecurityProfile Property
The server-wide default security profile, applied to every client whose own
SecurityProfile is left unset (null). A single-profile
deployment sets this once — for example to Fapi2 — and
every client without an explicit profile inherits the FAPI 2.0 control bundle; an individual
client opts out by setting its own profile to None. The
default None leaves unprofiled clients governed by their
individual metadata flags, so existing deployments are unaffected.
public Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile DefaultSecurityProfile { get; set; }
Property Value
OidcOptions.DeviceAuthorization Property
Configuration options for the Device Authorization Grant (RFC 8628), used for devices with limited input capabilities.
public Abblix.Oidc.Server.Common.Configuration.DeviceAuthorizationOptions? DeviceAuthorization { get; set; }
Property Value
OidcOptions.Discovery Property
Configuration options for OIDC discovery. These options control how the OIDC server advertises its capabilities and endpoints to clients through the OIDC Discovery mechanism. Proper configuration ensures that clients can dynamically discover information about the OIDC server, such as URLs for authorization, token, userinfo, and JWKS endpoints, supported scopes, response types, and more.
public Abblix.Oidc.Server.Common.Configuration.DiscoveryOptions Discovery { get; set; }
Property Value
OidcOptions.DPoP Property
Configuration options for OAuth 2.0 DPoP (RFC 9449), governing the Abblix.Oidc.Server.Features.DPoP.ProofValidator behaviour and related primitives.
public Abblix.Oidc.Server.Common.Configuration.DPoPOptions DPoP { get; set; }
Property Value
OidcOptions.EnabledEndpoints Property
Specifies which OIDC endpoints are enabled on the server. This property allows for fine-grained control over
the available functionality, enabling or disabling specific endpoints based on the server's role, security
considerations, or operational requirements. Defaults to Base — the core
interactive OIDC set plus PAR and RP-initiated logout. The six niche or security-sensitive endpoints
(CheckSession, Revocation, Introspection, dynamic client registration, CIBA and device authorization) are
off by default and each turned on by its dedicated AddX() opt-in, which registers the feature and
re-enables the corresponding flag. Leaving them off keeps a server that never opts in from advertising — or
validating — an endpoint it was never asked to serve. Setting this to All only
re-advertises and routes every endpoint — the handler for each opt-in endpoint (CheckSession, Revocation,
Introspection, dynamic client registration, CIBA, device authorization) is still registered solely by its
AddX() call, so All restores the previous every-endpoint-on behaviour only when combined with
all of those opt-in calls. Setting All without them advertises and routes endpoints whose handlers are
absent, so every request to such an endpoint fails at runtime.
public Abblix.Oidc.Server.Common.Configuration.OidcEndpoints EnabledEndpoints { get; set; }
Property Value
OidcOptions.EncryptionKeys Property
The collection of JSON Web Keys (JWK) used for encrypting tokens or sensitive information sent to the clients. Encryption is essential for protecting sensitive data within tokens, especially when tokens are passed through less secure channels or when storing tokens on the client side. These keys are used to encrypt ID tokens and, optionally, access tokens when the OIDC server sends them to clients. Clients use the corresponding public keys to decrypt the tokens and access the contained claims.
public System.Collections.Generic.IReadOnlyCollection<Abblix.Jwt.JsonWebKey> EncryptionKeys { get; set; }
Property Value
System.Collections.Generic.IReadOnlyCollection<JsonWebKey>
OidcOptions.GrantIdLength Property
Specifies the length, in random bytes, of the refresh-token grant identifier (the grant_id
claim). The grant id binds every refresh token of one authorization grant into a single lineage for
rotation and family revocation (RFC 9700 Section 4.14.2), so it must carry enough entropy to make the
identifier unguessable.
public int GrantIdLength { get; set; }
Property Value
OidcOptions.IgnoreParametersOutsideRequestObject Property
Governs how a request object resolves a parameter that appears both inside the object and in the
OAuth query syntax — a choice between two specifications. When false (the default), request-object
processing follows the OpenID Connect Core §6.1 merge semantics: the object's values supersede those
passed outside it, but a parameter passed only outside the object is still used. Set to true for
the strict RFC 9101 §6.3 rule, where the authorization request is exactly the content of the object and
any parameter passed outside it is ignored ("the authorization server MUST only use the parameters in
the Request Object"). The strict rule suits FAPI-style OAuth deployments; as an OpenID Provider the
server defaults to the merge behaviour, since strict processing would drop parameters that existing
OpenID Connect clients commonly pass outside the object. A client held to the FAPI 2.0 security profile
is processed strictly regardless of this global default.
This switch affects only parameter exclusivity; the other RFC 9101 §6.3 requirement — that a
client_id or response_type present both inside and outside the object be identical — is
enforced in both modes and cannot be turned off.
public bool IgnoreParametersOutsideRequestObject { get; set; }
Property Value
OidcOptions.InteractionUri Property
The URL to a user interface or service for handling additional interactions required during the authentication process. This can include multiple factor authentication, user consent, or any custom interaction required by the authentication flow. The OIDC server can redirect users to this URI when additional interaction is needed.
public System.Uri? InteractionUri { get; set; }
Property Value
OidcOptions.Issuer Property
Represents the unique identifier of the OIDC server. It is recommended to use a URL controlled by the entity operating the OIDC server, and it should be consistent across different environments to maintain trust with client applications.
public string? Issuer { get; set; }
Property Value
OidcOptions.JwtAuthorizationResponseExpiresIn Property
The lifetime of a JARM (JWT Secured Authorization Response Mode) response JWT. The authorization
response is consumed by the client immediately upon redirect, so a short window suffices and mostly
absorbs clock skew. JARM §2.1 RECOMMENDS a maximum of 10 minutes; deployments with stricter requirements
(e.g. FAPI) may shorten it.
public System.TimeSpan JwtAuthorizationResponseExpiresIn { get; set; }
Property Value
OidcOptions.JwtBearer Property
Configuration options for JWT Bearer grant type (RFC 7523). Defines trusted external identity providers whose JWT assertions can be exchanged for access tokens.
public Abblix.Oidc.Server.Common.Configuration.JwtBearerOptions JwtBearer { get; set; }
Property Value
OidcOptions.LicenseJwt Property
A JWT used for licensing and configuration validation of the OIDC service. This token contains claims that the OIDC service uses to validate its configuration, features, and licensing status, ensuring the service operates within its licensed capabilities. Proper validation of this token is crucial for the service's legal and functional compliance.
public string? LicenseJwt { get; set; }
Property Value
OidcOptions.LoginSessionExpiresIn Property
The duration after which a login session expires. This setting determines how long a user's authentication session remains valid before requiring re-authentication. Configuring this duration is essential for balancing security concerns with usability, particularly in environments with varying security requirements.
public System.TimeSpan LoginSessionExpiresIn { get; set; }
Property Value
OidcOptions.LoginUri Property
The URL to initiate the login process. This URI is typically used in scenarios where the OIDC server needs to direct users to a specific login interface or when integrating with external identity providers. Configuring this URI allows the OIDC server to delegate the initial user authentication step to another service or UI.
public System.Uri? LoginUri { get; set; }
Property Value
OidcOptions.NewClientOptions Property
Configuration options for registering new clients dynamically in the OIDC server. These options define default values and constraints for new client registrations, facilitating dynamic and secure client onboarding processes.
public Abblix.Oidc.Server.Common.Configuration.NewClientOptions NewClientOptions { get; init; }
Property Value
OidcOptions.PkceAndNonceReuseDetectionInterval Property
Enables detection of a client reusing a constant PKCE code_challenge or OpenID Connect
nonce across authorization requests, which defeats the transaction-binding those values provide
(RFC 9700 Section 2.1.1 encourages the authorization server to make a reasonable effort to detect and
prevent it). When set, the server records each value at the moment it issues an authorization code and
rejects a later authorization request from the same client that repeats a value within this interval.
Recording at code issuance — not on every authorization request — means re-processing one request
across a login or consent redirect is not flagged. Left null (the default) the check is off:
a conforming client generates a fresh value per request and is never affected, but a client that
incorrectly reuses a value across separate authorizations would then be rejected, so it is opt-in.
public System.Nullable<System.TimeSpan> PkceAndNonceReuseDetectionInterval { get; set; }
Property Value
System.Nullable<System.TimeSpan>
OidcOptions.PushedAuthorizationRequestExpiresIn Property
The duration for which a Pushed Authorization Request (PAR) is valid. PAR is a security enhancement that allows clients to pre-register authorization requests directly with the authorization server. This duration specifies the maximum time a pre-registered request is considered valid, balancing the need for security with usability in completing the authorization process.
public System.TimeSpan PushedAuthorizationRequestExpiresIn { get; set; }
Property Value
OidcOptions.RegistrationUri Property
The URL of the account-creation (registration) UI the user is redirected to when a client requests
user registration via prompt=create (Initiating User Registration via OpenID Connect 1.0).
When not set, LoginUri is used instead, so hosts whose login page also offers
registration need no extra configuration.
public System.Uri? RegistrationUri { get; set; }
Property Value
OidcOptions.RequestUriLength Property
The standard length of the request URI generated by the server for Pushed Authorization Requests (PAR).
public int RequestUriLength { get; set; }
Property Value
OidcOptions.RequestUriParameterName Property
The name of the parameter used by the OIDC server to pass the authorization request identifier. This parameter name is used in URLs and requests to reference specific authorization requests, especially in advanced features like Pushed Authorization Requests (PAR). Customizing this parameter name can help align with specific client requirements or naming conventions.
public string RequestUriParameterName { get; set; }
Property Value
OidcOptions.RequireInitialAccessToken Property
Determines whether the client registration endpoint requires an initial access token
in the Authorization header per RFC 7591 Section 3.
When true, POST requests to the registration endpoint must include a valid
Bearer token. When false, open registration is allowed.
public bool RequireInitialAccessToken { get; set; }
Property Value
OidcOptions.RequirePushedAuthorizationRequests Property
Determines whether the OIDC server requires Pushed Authorization Requests (PAR).
public bool RequirePushedAuthorizationRequests { get; set; }
Property Value
OidcOptions.RequireSignedRequestObject Property
Determines whether request objects must be signed by the client, enhancing security for certain sensitive operations.
public bool RequireSignedRequestObject { get; set; }
Property Value
OidcOptions.Resources Property
The resource definitions supported by the OIDC server. This setting outlines the resources that clients can request access to during authorization, ensuring the OIDC server can enforce access control policies and permissions based on these definitions.
public Abblix.Oidc.Server.Common.Constants.ResourceDefinition[]? Resources { get; set; }
Property Value
OidcOptions.RevokedInitialAccessTokenSubjects Property
The set of revoked initial access token identifiers (JWT subject claims). Tokens whose subject appears in this set will be rejected during client registration. For production use with large or dynamic revocation lists, replace IInitialAccessTokenRevocationProvider with a database- or cache-backed implementation.
public System.Collections.Generic.HashSet<string> RevokedInitialAccessTokenSubjects { get; set; }
Property Value
System.Collections.Generic.HashSet<System.String>
OidcOptions.Scopes Property
The supported scopes and their respective claim types, which outline the access permissions and associated data that clients can request. This setting determines what information and operations are available to different clients based on the scopes they request during authorization.
public Abblix.Oidc.Server.Common.Constants.ScopeDefinition[]? Scopes { get; set; }
Property Value
OidcOptions.SessionIdLength Property
Specifies the length of session identifiers used by the OIDC server. The length determines the uniqueness and security of the session identifiers.
public int SessionIdLength { get; set; }
Property Value
OidcOptions.SigningKeys Property
The collection of JSON Web Keys (JWK) used for signing tokens issued by the OIDC server. Signing tokens is a critical security measure that ensures the integrity and authenticity of the tokens. These keys are used to digitally sign ID tokens, access tokens, and other JWT tokens issued by the server, allowing clients to verify that the tokens have not been tampered with and were indeed issued by this server. It is recommended to rotate these keys periodically to maintain the security of the token signing process.
public System.Collections.Generic.IReadOnlyCollection<Abblix.Jwt.JsonWebKey> SigningKeys { get; set; }
Property Value
System.Collections.Generic.IReadOnlyCollection<JsonWebKey>
OidcOptions.SoftwareStatement Property
Configuration options for software statement validation per RFC 7591 Section 2.3.
public Abblix.Oidc.Server.Common.Configuration.SoftwareStatementOptions SoftwareStatement { get; set; }
Property Value
OidcOptions.TokenIdLength Property
Specifies the length of token identifiers used by the OIDC server. This value determines the length of the unique ID assigned to tokens.
public int TokenIdLength { get; set; }