Skip to main content

Abblix.Oidc.Server.Endpoints.Authorization.Validation Namespace

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.Authorization.Validation Namespace

Classes
AuthorizationContextValidatorCompositeRepresents a composite validator for authorization contexts. This class implements IAuthorizationContextValidator and aggregates multiple validation steps into a single validation process.
AuthorizationDetailsRequestValidatorThin endpoint-side adapter that delegates the RFC 9396 authorization_details validation to ApplyAsync(JsonArray, ClientInfo, CancellationToken) and converts the returned error description to an AuthorizationRequestValidationError. All actual policy lives on the composite validator so /authorize, /par, CIBA and (future) device-flow endpoints share one source of truth.
AuthorizationValidationContextEncapsulates the context necessary for validating an authorization request, including client details, response modes, and the OAuth 2.0 flow type.
ClientValidatorValidates the client specified in the authorization request. This class checks whether the client is registered and authorized to perform the request, as part of the authorization validation process. It plays a crucial role in ensuring that only valid and authorized clients can initiate authorization requests.
ErrorFactoryProvides a factory for creating standardized authorization request error responses. This factory simplifies the creation of error responses for various types of validation failures during authorization request processing.
FlowTypeValidatorValidates the OAuth 2.0 flow type specified in the authorization request. This class determines if the requested flow type is supported and matches the expected patterns for authorization requests, as part of the validation process.
NonceValidatorImplements nonce validation for authorization requests in compliance with OAuth 2.0 and OpenID Connect specifications. This validator ensures the presence of a nonce parameter when the response type includes an ID token, as by OpenID Connect Core 1.0 specification. It extends SyncAuthorizationContextValidatorBase for synchronous validation. Refer to RFC 6749 and OpenID Connect Core 1.0 for more details on authorization request parameters.
PkceValidatorValidates the PKCE (Proof Key for Code Exchange) parameters in an authorization request. PKCE adds another layer of security for the OAuth 2.0 authorization code flow, particularly in public clients. It ensures that the authorization request conforms to the standards defined in RFC 7636 (specifically, see Section 4.3 for client validation requirements).
ProofKeyThumbprintValidatorSyntactic validator for the RFC 9449 §10 dpop_jkt authorization-request parameter: surfaces malformed thumbprints at the authorize / PAR endpoint with invalid_request instead of letting them slip through to /token where they would surface only as invalid_dpop_proof on the live-proof comparison — fail-fast at the binding-time endpoint.
RedirectUriValidatorValidates the redirect URI specified in the authorization request. This class checks whether the provided redirect URI matches one of the client's registered redirect URIs, as part of the authorization validation process. It is essential for ensuring that redirections only occur to pre-approved locations, enhancing security in the OAuth 2.0 flow.
ResourceValidatorValidates resources specified in authorization requests to ensure they conform to registered definitions and policies. This validator checks whether the resources requested in the authorization process are recognized by the system and permitted for the requesting client, extending the base functionality of resource validation by incorporating integration with the authorization context.
ResponseModeValidatorVerifies that an explicit response_mode is compatible with the OAuth 2.0 flow derived from response_type (OAuth 2.0 Multiple Response Types §2.1, OAuth 2.0 Form Post Response Mode). For the authorization-code flow any of query, fragment, form_post is allowed; flows that issue tokens at the authorization endpoint (implicit, hybrid) refuse query because credentials must not appear in the URL query string.
ScopeValidatorValidates the scopes specified in the OAuth 2.0 authorization request. This class checks if the requested scopes are permissible based on the client's configuration and the OAuth flow type in use. It ensures that only allowed scopes are requested, enhancing security and compliance with the defined authorization policies.
SignedRequestObjectRequirementValidatorEnforces the RFC 9101 §10.5 require_signed_request_object client metadata: a client that committed to it must deliver its authorization parameters as a signed request object. A request that came neither from a request object nor from a PAR-stored request is plain parameters and is rejected. The PAR push itself runs through the same validator pipeline, so a flagged client cannot smuggle plain parameters in via PAR either; the signature itself (rejecting the none algorithm) is enforced by the request-object fetcher where the JWT is validated.
SyncAuthorizationContextValidatorBaseProvides a base for implementing synchronous authorization request validation steps. This abstract class allows for creating validators that perform synchronous validation of authorization requests, while adhering to the IAuthorizationContextValidator interface for asynchronous operation.
Interfaces
IAuthorizationContextValidatorDefines the contract for a validator in an authorization context. Implementations of this interface should provide logic for validating authorization requests.