Skip to main content

Abblix.Oidc.Server.Endpoints.Authorization Namespace

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.Authorization Namespace

Classes
AuthorizationCodeBuilderBuilds the code response-type component of an authorization endpoint success response — the Authorization Code Flow contributor. Generates an authorization code via IAuthorizationCodeService and stores it on the running SuccessfullyAuthenticated result. Registered by default through AddAuthorizationEndpoint(); covers the OAuth 2.1 (draft) recommended flow. Declares authorization_code in GrantTypesSupported so the discovery endpoint and registration-time gates aggregate it transparently.
AuthorizationEndpointMetadataFactoryBuilds the AuthorizationEndpointMetadata advertised in discovery from the registered set of IAuthorizationResponseBuilder: each builder declares the response-type it owns, and the supported response-type combinations are the canonical OAuth/OIDC combos fully covered by the registered builders. Kept off the request-handling path so the discovery endpoint does not resolve the authorization handler (and its request-time dependencies, such as the JARM response encoder) merely to read this metadata.
AuthorizationHandlerHandles authorization requests by fetching, validating, processing and encoding the response.
AuthorizationRequestProcessorProcesses authorization requests by coordinating with various services like authentication, consent, and token issuance. This class handles the logic of determining the appropriate response to an authorization request based on the request's parameters and the current state of the user's session.
AuthorizationRequestValidatorImplements the Chain of Responsibility design pattern for processing authorization requests. This class delegates the validation of authorization requests to an IAuthorizationContextValidator, allowing a sequence of validators to handle the request in a decoupled manner. Each validator in the chain processes the request and potentially passes it along to the next validator.
AuthorizationResponseEncoderDefault IAuthorizationResponseEncoder. Applies the iss (RFC 9207) and implicit/hybrid scope gating, and — for a JARM (*.jwt) response mode — packs the response parameters into a signed/encrypted response JWT and resolves the delivery mode. Mutates the response in place; the transport layer only maps the encoded response onto the wire.
ConsentConstraintEnforcerDefault IConsentConstraintEnforcer. Asserts granted ⊆ requested for scopes, resources (including their nested scopes) and RFC 9396 authorization_details, throwing when the consent provider returned anything outside the request.
Interfaces
IConsentConstraintEnforcerDefense-in-depth backstop that asserts the anti-escalation invariant on the consent decision: the set granted by IUserConsentsProvider MUST be a subset of what the authorization request carried. This mirrors the strictly narrowing-only ITokenAuthorizationContextEvaluator at the token endpoint (RFC 8707 §2.2), giving the authorize-time consent path the same guarantee.