IConsentConstraintEnforcer Interface
Abblix.Oidc.Server
Abblix.Oidc.Server.Endpoints.Authorization
IConsentConstraintEnforcer Interface
Defense-in-depth backstop that asserts the anti-escalation invariant on the consent decision: the set granted by IUserConsentsProvider MUST be a subset of what the authorization request carried. This mirrors the strictly narrowing-only ITokenAuthorizationContextEvaluator at the token endpoint (RFC 8707 §2.2), giving the authorize-time consent path the same guarantee.
public interface IConsentConstraintEnforcer
Derived
↳ ConsentConstraintEnforcer
Remarks
Violating granted ⊆ requested is never a protocol-level condition: the consent decision
frequently originates across the browser trust boundary, and a host whose
IUserConsentsProvider echoes browser-supplied scopes / resources /
authorization_details without intersecting against the request would let a user escalate
their own grant. The provider returning anything outside the request is a defect in the host's
code (or browser tampering its provider failed to defend against), so the enforcer fails loud
with an exception rather than masking it as a recoverable OAuth error — it surfaces in the
debugger, fails the host's tests, and is logged as a server error in production while no
escalated grant is issued.
Methods
IConsentConstraintEnforcer.EnforceAsync(ValidAuthorizationRequest, ConsentDefinition, CancellationToken) Method
Asserts that the granted consent does not exceed the request. The granted set is left unchanged on success.
System.Threading.Tasks.Task EnforceAsync(Abblix.Oidc.Server.Endpoints.Authorization.Interfaces.ValidAuthorizationRequest request, Abblix.Oidc.Server.Features.Consents.ConsentDefinition granted, System.Threading.CancellationToken cancellationToken);
Parameters
request ValidAuthorizationRequest
The validated authorization request carrying the requested scopes,
resources and authorization_details.
granted ConsentDefinition
The consent decision produced by IUserConsentsProvider.
cancellationToken System.Threading.CancellationToken
Cancellation token.
Returns
Exceptions
System.InvalidOperationException
Thrown when the granted set contains a scope,
resource, resource scope or authorization_details entry absent from — or broader than —
the request.