Skip to main content

TrustedIssuer Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Common.Configuration

TrustedIssuer Class

Represents a trusted external identity provider for JWT Bearer grant type.

public record TrustedIssuer : System.IEquatable<Abblix.Oidc.Server.Common.Configuration.TrustedIssuer>

Inheritance System.Object → TrustedIssuer

Implements System.IEquatable<TrustedIssuer>

Properties

TrustedIssuer.AllowedAlgorithms Property

The list of allowed signing algorithms for JWT assertions from this issuer. If specified, JWTs signed with algorithms not in this list will be rejected. If null or empty, the default secure algorithms are used: RS256, RS384, RS512, ES256, ES384, ES512.

public string[]? AllowedAlgorithms { get; init; }

Property Value

System.String[]

Remarks

This provides defense against algorithm substitution attacks (e.g., CVE-2015-9235). The 'none' algorithm is never allowed regardless of this setting.

TrustedIssuer.AllowedScopes Property

The list of allowed scopes that can be requested when using JWT assertions from this issuer. If null, all scopes are allowed. If specified, only listed scopes will be granted.

public string[]? AllowedScopes { get; init; }

Property Value

System.String[]

TrustedIssuer.Description Property

Optional description of this trusted issuer for documentation and logging purposes.

public string? Description { get; init; }

Property Value

System.String

TrustedIssuer.Issuer Property

The issuer identifier (iss claim value) of the trusted identity provider. Must exactly match the 'iss' claim in JWT assertions from this provider.

public string Issuer { get; init; }

Property Value

System.String

Example

https://accounts.google.com

TrustedIssuer.JwksUri Property

The URL to the JSON Web Key Set (JWKS) endpoint for this issuer. Used to retrieve public keys for verifying JWT assertion signatures.

public System.Uri JwksUri { get; init; }

Property Value

System.Uri

Example

https://accounts.google.com/.well-known/jwks.json

Remarks

Typically this is the issuer's .well-known/jwks.json endpoint. The keys will be cached and refreshed according to standard JWKS caching policies.