Skip to main content

OidcOptions Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Common.Configuration

OidcOptions Class

The root of the OIDC configuration. Provides the simplest way to configure and start your OIDC server.

public record OidcOptions : System.IEquatable<Abblix.Oidc.Server.Common.Configuration.OidcOptions>

Inheritance System.Object → OidcOptions

Implements System.IEquatable<OidcOptions>

Properties

OidcOptions.AccountSelectionUri Property

The URL to a user interface or service that allows users to select an account during the authentication process. This is useful in scenarios where users have multiple accounts and need to choose which one to use for signing in.

public System.Uri? AccountSelectionUri { get; set; }

Property Value

System.Uri

OidcOptions.AuthorizationCodeLength Property

The standard length of the authorization code generated by the server.

public int AuthorizationCodeLength { get; set; }

Property Value

System.Int32

OidcOptions.BackChannelAuthentication Property

Configuration options for the backchannel authentication flow, used in scenarios such as Client-Initiated Backchannel Authentication (CIBA).

public Abblix.Oidc.Server.Common.Configuration.BackChannelAuthenticationOptions BackChannelAuthentication { get; set; }

Property Value

BackChannelAuthenticationOptions

OidcOptions.CheckSessionCookie Property

Options related to the check session mechanism in OIDC. This configuration controls how the OIDC server manages session state information, allowing clients to monitor the login session's status. Properly configuring these options ensures that clients can react to session changes (e.g., logout) in a timely and secure manner.

public Abblix.Oidc.Server.Common.Configuration.CheckSessionCookieOptions CheckSessionCookie { get; set; }

Property Value

CheckSessionCookieOptions

OidcOptions.Clients Property

A collection of client configurations supported by this OIDC server. Each ClientInfo object defines the settings and capabilities of a registered client, including client ID, client secrets, redirect URIs, and other OAuth2/OIDC parameters. Proper client configuration is essential for securing client applications and enabling them to interact with the OIDC server according to the OAuth2 and OIDC specifications.

public System.Collections.Generic.IEnumerable<Abblix.Oidc.Server.Features.ClientInformation.ClientInfo> Clients { get; set; }

Property Value

System.Collections.Generic.IEnumerable<ClientInfo>

OidcOptions.ConsentUri Property

The URL to a user interface or service for obtaining user consent during the authentication process. Consent is often required when the client application requests access to user data or when sharing information between different parties. This URI should point to a page or API that can manage consent workflows and communicate the user's decisions back to the OIDC server.

public System.Uri? ConsentUri { get; set; }

Property Value

System.Uri

OidcOptions.DefaultContentEncryptionAlgorithm Property

The default content encryption algorithm used for encrypting JWT tokens. Per RFC 7518 Section 5, specifies how the JWT payload is encrypted using the Content Encryption Key (CEK). Common values: A256CBC-HS512, A128CBC-HS256, A256GCM, A128GCM. Defaults to A256CBC-HS512 for maximum security.

public string DefaultContentEncryptionAlgorithm { get; set; }

Property Value

System.String

OidcOptions.DefaultSecurityProfile Property

The server-wide default security profile, applied to every client whose own SecurityProfile is left unset (null). A single-profile deployment sets this once — for example to Fapi2 — and every client without an explicit profile inherits the FAPI 2.0 control bundle; an individual client opts out by setting its own profile to None. The default None leaves unprofiled clients governed by their individual metadata flags, so existing deployments are unaffected.

public Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile DefaultSecurityProfile { get; set; }

Property Value

ClientSecurityProfile

OidcOptions.DeviceAuthorization Property

Configuration options for the Device Authorization Grant (RFC 8628), used for devices with limited input capabilities.

public Abblix.Oidc.Server.Common.Configuration.DeviceAuthorizationOptions? DeviceAuthorization { get; set; }

Property Value

DeviceAuthorizationOptions

OidcOptions.Discovery Property

Configuration options for OIDC discovery. These options control how the OIDC server advertises its capabilities and endpoints to clients through the OIDC Discovery mechanism. Proper configuration ensures that clients can dynamically discover information about the OIDC server, such as URLs for authorization, token, userinfo, and JWKS endpoints, supported scopes, response types, and more.

public Abblix.Oidc.Server.Common.Configuration.DiscoveryOptions Discovery { get; set; }

Property Value

DiscoveryOptions

OidcOptions.DPoP Property

Configuration options for OAuth 2.0 DPoP (RFC 9449), governing the Abblix.Oidc.Server.Features.DPoP.ProofValidator behaviour and related primitives.

public Abblix.Oidc.Server.Common.Configuration.DPoPOptions DPoP { get; set; }

Property Value

DPoPOptions

OidcOptions.EnabledEndpoints Property

Specifies which OIDC endpoints are enabled on the server. This property allows for fine-grained control over the available functionality, enabling or disabling specific endpoints based on the server's role, security considerations, or operational requirements. Defaults to Base — the core interactive OIDC set plus PAR and RP-initiated logout. The six niche or security-sensitive endpoints (CheckSession, Revocation, Introspection, dynamic client registration, CIBA and device authorization) are off by default and each turned on by its dedicated AddX() opt-in, which registers the feature and re-enables the corresponding flag. Leaving them off keeps a server that never opts in from advertising — or validating — an endpoint it was never asked to serve. Setting this to All only re-advertises and routes every endpoint — the handler for each opt-in endpoint (CheckSession, Revocation, Introspection, dynamic client registration, CIBA, device authorization) is still registered solely by its AddX() call, so All restores the previous every-endpoint-on behaviour only when combined with all of those opt-in calls. Setting All without them advertises and routes endpoints whose handlers are absent, so every request to such an endpoint fails at runtime.

public Abblix.Oidc.Server.Common.Configuration.OidcEndpoints EnabledEndpoints { get; set; }

Property Value

OidcEndpoints

OidcOptions.EncryptionKeys Property

The collection of JSON Web Keys (JWK) used for encrypting tokens or sensitive information sent to the clients. Encryption is essential for protecting sensitive data within tokens, especially when tokens are passed through less secure channels or when storing tokens on the client side. These keys are used to encrypt ID tokens and, optionally, access tokens when the OIDC server sends them to clients. Clients use the corresponding public keys to decrypt the tokens and access the contained claims.

public System.Collections.Generic.IReadOnlyCollection<Abblix.Jwt.JsonWebKey> EncryptionKeys { get; set; }

Property Value

System.Collections.Generic.IReadOnlyCollection<JsonWebKey>

OidcOptions.GrantIdLength Property

Specifies the length, in random bytes, of the refresh-token grant identifier (the grant_id claim). The grant id binds every refresh token of one authorization grant into a single lineage for rotation and family revocation (RFC 9700 Section 4.14.2), so it must carry enough entropy to make the identifier unguessable.

public int GrantIdLength { get; set; }

Property Value

System.Int32

OidcOptions.IgnoreParametersOutsideRequestObject Property

Governs how a request object resolves a parameter that appears both inside the object and in the OAuth query syntax — a choice between two specifications. When false (the default), request-object processing follows the OpenID Connect Core §6.1 merge semantics: the object's values supersede those passed outside it, but a parameter passed only outside the object is still used. Set to true for the strict RFC 9101 §6.3 rule, where the authorization request is exactly the content of the object and any parameter passed outside it is ignored ("the authorization server MUST only use the parameters in the Request Object"). The strict rule suits FAPI-style OAuth deployments; as an OpenID Provider the server defaults to the merge behaviour, since strict processing would drop parameters that existing OpenID Connect clients commonly pass outside the object. A client held to the FAPI 2.0 security profile is processed strictly regardless of this global default. This switch affects only parameter exclusivity; the other RFC 9101 §6.3 requirement — that a client_id or response_type present both inside and outside the object be identical — is enforced in both modes and cannot be turned off.

public bool IgnoreParametersOutsideRequestObject { get; set; }

Property Value

System.Boolean

OidcOptions.InteractionUri Property

The URL to a user interface or service for handling additional interactions required during the authentication process. This can include multiple factor authentication, user consent, or any custom interaction required by the authentication flow. The OIDC server can redirect users to this URI when additional interaction is needed.

public System.Uri? InteractionUri { get; set; }

Property Value

System.Uri

OidcOptions.Issuer Property

Represents the unique identifier of the OIDC server. It is recommended to use a URL controlled by the entity operating the OIDC server, and it should be consistent across different environments to maintain trust with client applications.

public string? Issuer { get; set; }

Property Value

System.String

OidcOptions.JwtAuthorizationResponseExpiresIn Property

The lifetime of a JARM (JWT Secured Authorization Response Mode) response JWT. The authorization response is consumed by the client immediately upon redirect, so a short window suffices and mostly absorbs clock skew. JARM §2.1 RECOMMENDS a maximum of 10 minutes; deployments with stricter requirements (e.g. FAPI) may shorten it.

public System.TimeSpan JwtAuthorizationResponseExpiresIn { get; set; }

Property Value

System.TimeSpan

OidcOptions.JwtBearer Property

Configuration options for JWT Bearer grant type (RFC 7523). Defines trusted external identity providers whose JWT assertions can be exchanged for access tokens.

public Abblix.Oidc.Server.Common.Configuration.JwtBearerOptions JwtBearer { get; set; }

Property Value

JwtBearerOptions

OidcOptions.LicenseJwt Property

A JWT used for licensing and configuration validation of the OIDC service. This token contains claims that the OIDC service uses to validate its configuration, features, and licensing status, ensuring the service operates within its licensed capabilities. Proper validation of this token is crucial for the service's legal and functional compliance.

public string? LicenseJwt { get; set; }

Property Value

System.String

OidcOptions.LoginSessionExpiresIn Property

The duration after which a login session expires. This setting determines how long a user's authentication session remains valid before requiring re-authentication. Configuring this duration is essential for balancing security concerns with usability, particularly in environments with varying security requirements.

public System.TimeSpan LoginSessionExpiresIn { get; set; }

Property Value

System.TimeSpan

OidcOptions.LoginUri Property

The URL to initiate the login process. This URI is typically used in scenarios where the OIDC server needs to direct users to a specific login interface or when integrating with external identity providers. Configuring this URI allows the OIDC server to delegate the initial user authentication step to another service or UI.

public System.Uri? LoginUri { get; set; }

Property Value

System.Uri

OidcOptions.NewClientOptions Property

Configuration options for registering new clients dynamically in the OIDC server. These options define default values and constraints for new client registrations, facilitating dynamic and secure client onboarding processes.

public Abblix.Oidc.Server.Common.Configuration.NewClientOptions NewClientOptions { get; init; }

Property Value

NewClientOptions

OidcOptions.PkceAndNonceReuseDetectionInterval Property

Enables detection of a client reusing a constant PKCE code_challenge or OpenID Connect nonce across authorization requests, which defeats the transaction-binding those values provide (RFC 9700 Section 2.1.1 encourages the authorization server to make a reasonable effort to detect and prevent it). When set, the server records each value at the moment it issues an authorization code and rejects a later authorization request from the same client that repeats a value within this interval. Recording at code issuance — not on every authorization request — means re-processing one request across a login or consent redirect is not flagged. Left null (the default) the check is off: a conforming client generates a fresh value per request and is never affected, but a client that incorrectly reuses a value across separate authorizations would then be rejected, so it is opt-in.

public System.Nullable<System.TimeSpan> PkceAndNonceReuseDetectionInterval { get; set; }

Property Value

System.Nullable<System.TimeSpan>

OidcOptions.PushedAuthorizationRequestExpiresIn Property

The duration for which a Pushed Authorization Request (PAR) is valid. PAR is a security enhancement that allows clients to pre-register authorization requests directly with the authorization server. This duration specifies the maximum time a pre-registered request is considered valid, balancing the need for security with usability in completing the authorization process.

public System.TimeSpan PushedAuthorizationRequestExpiresIn { get; set; }

Property Value

System.TimeSpan

OidcOptions.RegistrationUri Property

The URL of the account-creation (registration) UI the user is redirected to when a client requests user registration via prompt=create (Initiating User Registration via OpenID Connect 1.0). When not set, LoginUri is used instead, so hosts whose login page also offers registration need no extra configuration.

public System.Uri? RegistrationUri { get; set; }

Property Value

System.Uri

OidcOptions.RequestUriLength Property

The standard length of the request URI generated by the server for Pushed Authorization Requests (PAR).

public int RequestUriLength { get; set; }

Property Value

System.Int32

OidcOptions.RequestUriParameterName Property

The name of the parameter used by the OIDC server to pass the authorization request identifier. This parameter name is used in URLs and requests to reference specific authorization requests, especially in advanced features like Pushed Authorization Requests (PAR). Customizing this parameter name can help align with specific client requirements or naming conventions.

public string RequestUriParameterName { get; set; }

Property Value

System.String

OidcOptions.RequireInitialAccessToken Property

Determines whether the client registration endpoint requires an initial access token in the Authorization header per RFC 7591 Section 3. When true, POST requests to the registration endpoint must include a valid Bearer token. When false, open registration is allowed.

public bool RequireInitialAccessToken { get; set; }

Property Value

System.Boolean

OidcOptions.RequirePushedAuthorizationRequests Property

Determines whether the OIDC server requires Pushed Authorization Requests (PAR).

public bool RequirePushedAuthorizationRequests { get; set; }

Property Value

System.Boolean

OidcOptions.RequireSignedRequestObject Property

Determines whether request objects must be signed by the client, enhancing security for certain sensitive operations.

public bool RequireSignedRequestObject { get; set; }

Property Value

System.Boolean

OidcOptions.Resources Property

The resource definitions supported by the OIDC server. This setting outlines the resources that clients can request access to during authorization, ensuring the OIDC server can enforce access control policies and permissions based on these definitions.

public Abblix.Oidc.Server.Common.Constants.ResourceDefinition[]? Resources { get; set; }

Property Value

ResourceDefinition[]

OidcOptions.RevokedInitialAccessTokenSubjects Property

The set of revoked initial access token identifiers (JWT subject claims). Tokens whose subject appears in this set will be rejected during client registration. For production use with large or dynamic revocation lists, replace IInitialAccessTokenRevocationProvider with a database- or cache-backed implementation.

public System.Collections.Generic.HashSet<string> RevokedInitialAccessTokenSubjects { get; set; }

Property Value

System.Collections.Generic.HashSet<System.String>

OidcOptions.Scopes Property

The supported scopes and their respective claim types, which outline the access permissions and associated data that clients can request. This setting determines what information and operations are available to different clients based on the scopes they request during authorization.

public Abblix.Oidc.Server.Common.Constants.ScopeDefinition[]? Scopes { get; set; }

Property Value

ScopeDefinition[]

OidcOptions.SessionIdLength Property

Specifies the length of session identifiers used by the OIDC server. The length determines the uniqueness and security of the session identifiers.

public int SessionIdLength { get; set; }

Property Value

System.Int32

OidcOptions.SigningKeys Property

The collection of JSON Web Keys (JWK) used for signing tokens issued by the OIDC server. Signing tokens is a critical security measure that ensures the integrity and authenticity of the tokens. These keys are used to digitally sign ID tokens, access tokens, and other JWT tokens issued by the server, allowing clients to verify that the tokens have not been tampered with and were indeed issued by this server. It is recommended to rotate these keys periodically to maintain the security of the token signing process.

public System.Collections.Generic.IReadOnlyCollection<Abblix.Jwt.JsonWebKey> SigningKeys { get; set; }

Property Value

System.Collections.Generic.IReadOnlyCollection<JsonWebKey>

OidcOptions.SoftwareStatement Property

Configuration options for software statement validation per RFC 7591 Section 2.3.

public Abblix.Oidc.Server.Common.Configuration.SoftwareStatementOptions SoftwareStatement { get; set; }

Property Value

SoftwareStatementOptions

OidcOptions.TokenIdLength Property

Specifies the length of token identifiers used by the OIDC server. This value determines the length of the unique ID assigned to tokens.

public int TokenIdLength { get; set; }

Property Value

System.Int32