| ClientValidator | Resolves the client referenced by the request (either via client_id directly or via id_token_hint's audience) into a ClientInfo stored on the context for later steps such as post-logout redirect URI validation. A request with no client identifier at all is permitted to pass; an identifier that does not resolve yields UnauthorizedClient. |
| ConfirmationValidator | Enforces the end-user confirmation step described in OpenID Connect RP-Initiated Logout 1.0 §2: when the request omits id_token_hint the OP cannot trust that the user really initiated the logout, so a UI confirmation must precede the call. This validator surfaces ConfirmationRequired until the host echoes back confirmed=true. |
| EndSessionContextValidatorComposite | Represents a composite validator for end-session requests. |
| EndSessionValidationContext | Represents the context for validating an end-session request. |
| IdTokenHintValidator | Validates the id_token_hint parameter (OpenID Connect RP-Initiated Logout 1.0 §2): verifies signature/issuer/audience but deliberately accepts expired tokens (since the hint's role is to identify a no-longer-active session), then either populates ClientId from the token's audience when the request omitted it, or asserts that an explicitly supplied client_id matches that audience. |
| PostLogoutRedirectUrisValidator | Verifies that the request's post_logout_redirect_uri is one of the URIs the resolved client previously registered (OpenID Connect RP-Initiated Logout 1.0 §2). A request without post_logout_redirect_uri is allowed; if one is present but the client cannot be resolved from client_id or id_token_hint, the redirect URI cannot be safely validated and the request is rejected. |