Skip to main content

ServiceCollectionExtensions Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints

ServiceCollectionExtensions Class

Extension methods that register endpoint pipelines (handler + validator + processor + per-step validators / fetchers / grant handlers) for the OAuth 2.0 / OpenID Connect endpoints exposed by this library: configuration, authorization (with PAR), token, userinfo, revocation, introspection, check-session, end-session, dynamic client management, CIBA backchannel and RFC 8628 device authorization. Use TryAdd* so that host pre-registrations win.

public static class ServiceCollectionExtensions

Inheritance System.Object → ServiceCollectionExtensions

Methods

ServiceCollectionExtensions.AddAuthorizationCodeGrant(this IServiceCollection) Method

Registers the authorization code grant handler for OAuth 2.0 authorization code flow.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationCodeGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

ServiceCollectionExtensions.AddAuthorizationContextValidators(this IServiceCollection) Method

Adds a series of validators for authorization context as a composite service to ensure comprehensive validation of authorization requests.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationContextValidators(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

Remarks

This method composes a pipeline of validators for various aspects of the authorization context, such as request object validation, client validation, and more. This composite validator approach enables modular and extensible validation logic, ensuring that authorization requests meet all necessary criteria and standards.

ServiceCollectionExtensions.AddAuthorizationEndpoint(this IServiceCollection) Method

Adds services and processors for handling authorization requests to the service collection.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

Remarks

This setup is crucial for supporting the OAuth 2.0 and OpenID Connect authorization flow, ensuring that incoming authorization requests are correctly validated and processed.

ServiceCollectionExtensions.AddAuthorizationGrant<TImpl>(this IServiceCollection) Method

Registers TImpl as both IAuthorizationGrantHandler (for grant-handling dispatch via CompositeAuthorizationGrantHandler) and IGrantTypeInformer (for discovery and registration-time gates that aggregate the full grant_types_supported set across all informers). Every IAuthorizationGrantHandler implementation, both built-in and host-supplied, must be registered through this helper so the dual-presence invariant cannot be silently missed when a new grant handler is added.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationGrant<TImpl>(this Microsoft.Extensions.DependencyInjection.IServiceCollection services)
where TImpl : class, Abblix.Oidc.Server.Endpoints.Token.Grants.IAuthorizationGrantHandler;

Type parameters

TImpl

The concrete grant-handler implementation to register.

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

ServiceCollectionExtensions.AddAuthorizationGrants(this IServiceCollection) Method

Composes all registered authorization grant handlers into a composite handler and registers it as the grant type informer. This method should be called after all individual grant handlers have been registered.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationGrants(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

ServiceCollectionExtensions.AddAuthorizationRequestFetchers(this IServiceCollection) Method

Registers authorization request fetchers and related services into the provided IServiceCollection. This method adds implementations for various authorization request fetchers as singletons, ensuring that they are efficiently reused throughout the application. It also composes these fetchers into a composite fetcher to handle different types of authorization requests seamlessly.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationRequestFetchers(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The IServiceCollection to which the services will be added.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The updated IServiceCollection with the added authorization request fetchers.

ServiceCollectionExtensions.AddAuthorizationResponseProcessor<TImpl>(this IServiceCollection, ServiceLifetime) Method

Registers TImpl as a Singleton concrete service and aliases the SAME instance under both IAuthorizationResponseBuilder (for response-type dispatch in the authorization endpoint) and IGrantTypeInformer (for discovery and registration-time gates that aggregate grant_types_supported). Every IAuthorizationResponseBuilder implementation must be registered through this helper so each processor's declared grant type lands in the IGrantTypeInformer chain without an extra registration step.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationResponseProcessor<TImpl>(this Microsoft.Extensions.DependencyInjection.IServiceCollection services, Microsoft.Extensions.DependencyInjection.ServiceLifetime lifetime=Microsoft.Extensions.DependencyInjection.ServiceLifetime.Singleton)
where TImpl : class, Abblix.Oidc.Server.Endpoints.Authorization.Interfaces.IAuthorizationResponseBuilder;

Type parameters

TImpl

The concrete response-builder implementation to register.

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

lifetime Microsoft.Extensions.DependencyInjection.ServiceLifetime

The service lifetime for the processor and its aliases; defaults to Microsoft.Extensions.DependencyInjection.ServiceLifetime.Singleton. Use Microsoft.Extensions.DependencyInjection.ServiceLifetime.Scoped when the processor has scoped dependencies, to avoid a captive dependency.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

ServiceCollectionExtensions.AddBackChannelAuthenticationContextValidators(this IServiceCollection) Method

Configures and registers a composite of back-channel authentication context validators into the service collection. Validators run in sequence to verify the client, the requested resources and scopes, the user identity hint, the requested expiry, the user code, and the ping-mode configuration before a CIBA request is accepted.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddBackChannelAuthenticationContextValidators(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The service collection to which the back-channel authentication context validators will be added.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The modified service collection with the registered back-channel authentication context validators.

ServiceCollectionExtensions.AddClientCredentialsGrant(this IServiceCollection) Method

Registers the client credentials grant handler for OAuth 2.0 client credentials flow.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddClientCredentialsGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

ServiceCollectionExtensions.AddConfigurationEndpoint(this IServiceCollection) Method

Adds the configuration handler for OpenID Connect Discovery endpoint.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddConfigurationEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

Remarks

This handler builds discovery metadata according to OpenID Connect Discovery specification, providing framework-agnostic metadata about the provider's configuration.

ServiceCollectionExtensions.AddDeviceAuthorizationContextValidators(this IServiceCollection) Method

Configures and registers a composite of device authorization context validators into the service collection. Validators run in sequence to verify the client, the requested scopes, and the requested resources before a device authorization request (RFC 8628) is accepted.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddDeviceAuthorizationContextValidators(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The service collection to which the device authorization context validators will be added.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The modified service collection with the registered device authorization context validators.

ServiceCollectionExtensions.AddEndSessionContextValidators(this IServiceCollection) Method

Configures and registers a composite of end-session context validators into the service collection. Validators run in sequence to verify the id_token_hint, the client, the post-logout redirect URI, and the confirmation claim before an end-session request is accepted.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddEndSessionContextValidators(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The service collection to which the end-session context validators will be added.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The modified service collection with the registered end-session context validators.

ServiceCollectionExtensions.AddEndSessionEndpoint(this IServiceCollection) Method

Adds services for handling end session (logout) requests aligning with OpenID Connect session management specifications. This setup enables the application to handle logout requests effectively, ensuring that user sessions are terminated securely across all involved parties.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddEndSessionEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

ServiceCollectionExtensions.AddJwtBearerGrant(this IServiceCollection) Method

Registers services required for JWT Bearer grant type, including JWT Bearer issuer provider, JWT replay prevention cache, and keyed caching decorator for JWKS fetching.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddJwtBearerGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

ServiceCollectionExtensions.AddPushedAuthorizationEndpoint(this IServiceCollection) Method

Registers validators and processors for pushed authorization requests (PAR), enhancing the security and efficiency of the authorization process by allowing clients to send requests directly to the authorization server via a back-channel connection.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddPushedAuthorizationEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

ServiceCollectionExtensions.AddRefreshTokenGrant(this IServiceCollection) Method

Registers the refresh token grant handler for OAuth 2.0 refresh token flow.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddRefreshTokenGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

ServiceCollectionExtensions.AddTokenContextValidators(this IServiceCollection) Method

Configures and registers a composite of token context validators into the service collection. This method sets up a sequence of validators that perform various checks on token requests, ensuring they comply with the necessary criteria before a token can be issued.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddTokenContextValidators(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The service collection to which the token context validators will be added.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The modified service collection with the registered token context validators.

ServiceCollectionExtensions.AddTokenEndpoint(this IServiceCollection) Method

Adds services for validating and processing token requests according to OAuth 2.0 and OpenID Connect standards. This setup supports various grant types, ensuring that token requests are handled securely and efficiently, facilitating the issuance of access tokens, refresh tokens, and ID tokens to clients.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddTokenEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

ServiceCollectionExtensions.AddTokenExchangeGrant(this IServiceCollection) Method

Registers the RFC 8693 Token Exchange grant handler together with the per-type ISubjectTokenResolver implementations the library ships natively (JWT-formatted subject tokens via JwtSubjectTokenResolver for the access_token/id_token/jwt type URIs, and RefreshTokenSubjectTokenResolver for refresh tokens).

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddTokenExchangeGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.

Remarks

Subject-token resolvers are dispatched by keyed DI under the urn:ietf:params:oauth:token-type:* URI. Hosts may register additional resolvers after this call (e.g. SAML 2.0 assertions in federation scenarios) -- the handler picks them up automatically. The actor_token/delegation path and discovery / DCR metadata land in subsequent slices (see #143).

ServiceCollectionExtensions.AddUserInfoEndpoint(this IServiceCollection) Method

Adds services for handling user info requests, allowing clients to retrieve claims about the authenticated user in accordance with OpenID Connect standards.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddUserInfoEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure with user info endpoint capabilities.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection, allowing for further service registration chaining.

Remarks

Registers scoped validators and processors for user info requests, enabling the secure delivery of claims about the authenticated session user to the client. This functionality is crucial for OpenID Connect-compliant applications, providing a standardized method for clients to access user profile information based on the scopes and permissions granted during authentication. The service setup ensures that user info requests are properly validated and processed, safeguarding sensitive user information while supporting rich client applications.

ServiceCollectionExtensions.EnablePasswordGrant(this IServiceCollection) Method

Enables support for the password grant type, acknowledging its security considerations.

public static Microsoft.Extensions.DependencyInjection.IServiceCollection EnablePasswordGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);

Parameters

services Microsoft.Extensions.DependencyInjection.IServiceCollection

The Microsoft.Extensions.DependencyInjection.IServiceCollection to add the password grant handler to.

Returns

Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection so additional calls can be chained.

Remarks

This method is intentionally separated from the standard OIDC core service registration due to the inherent security risks associated with the password grant type. The password grant type requires the client to handle user credentials directly, which can increase the risk of credential exposure and related security issues. By isolating this method, we ensure that developers make a deliberate decision to enable this feature, being fully aware of its security implications. It's recommended to use more secure grant types like authorization code or client credentials whenever possible. Call this before AddOidcCore/AddOidcServices: the password grant handler must be registered before the grant handlers are composed, otherwise the registration is rejected at startup.