Skip to main content

IConsentConstraintEnforcer Interface

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.Authorization

IConsentConstraintEnforcer Interface

Defense-in-depth backstop that asserts the anti-escalation invariant on the consent decision: the set granted by IUserConsentsProvider MUST be a subset of what the authorization request carried. This mirrors the strictly narrowing-only ITokenAuthorizationContextEvaluator at the token endpoint (RFC 8707 §2.2), giving the authorize-time consent path the same guarantee.

public interface IConsentConstraintEnforcer

Derived
ConsentConstraintEnforcer

Remarks

Violating granted ⊆ requested is never a protocol-level condition: the consent decision frequently originates across the browser trust boundary, and a host whose IUserConsentsProvider echoes browser-supplied scopes / resources / authorization_details without intersecting against the request would let a user escalate their own grant. The provider returning anything outside the request is a defect in the host's code (or browser tampering its provider failed to defend against), so the enforcer fails loud with an exception rather than masking it as a recoverable OAuth error — it surfaces in the debugger, fails the host's tests, and is logged as a server error in production while no escalated grant is issued.

Methods

IConsentConstraintEnforcer.EnforceAsync(ValidAuthorizationRequest, ConsentDefinition, CancellationToken) Method

Asserts that the granted consent does not exceed the request. The granted set is left unchanged on success.

System.Threading.Tasks.Task EnforceAsync(Abblix.Oidc.Server.Endpoints.Authorization.Interfaces.ValidAuthorizationRequest request, Abblix.Oidc.Server.Features.Consents.ConsentDefinition granted, System.Threading.CancellationToken cancellationToken);

Parameters

request ValidAuthorizationRequest

The validated authorization request carrying the requested scopes, resources and authorization_details.

granted ConsentDefinition

The consent decision produced by IUserConsentsProvider.

cancellationToken System.Threading.CancellationToken

Cancellation token.

Returns

System.Threading.Tasks.Task

Exceptions

System.InvalidOperationException
Thrown when the granted set contains a scope, resource, resource scope or authorization_details entry absent from — or broader than — the request.