ServiceCollectionExtensions Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Endpoints
ServiceCollectionExtensions Class
Extension methods that register endpoint pipelines (handler + validator + processor + per-step
validators / fetchers / grant handlers) for the OAuth 2.0 / OpenID Connect endpoints exposed by
this library: configuration, authorization (with PAR), token, userinfo, revocation, introspection,
check-session, end-session, dynamic client management, CIBA backchannel and RFC 8628 device
authorization. Use TryAdd* so that host pre-registrations win.
public static class ServiceCollectionExtensions
Inheritance System.Object → ServiceCollectionExtensions
Methods
ServiceCollectionExtensions.AddAuthorizationCodeGrant(this IServiceCollection) Method
Registers the authorization code grant handler for OAuth 2.0 authorization code flow.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationCodeGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
ServiceCollectionExtensions.AddAuthorizationContextValidators(this IServiceCollection) Method
Adds a series of validators for authorization context as a composite service to ensure comprehensive validation of authorization requests.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationContextValidators(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
Remarks
This method composes a pipeline of validators for various aspects of the authorization context, such as request object validation, client validation, and more. This composite validator approach enables modular and extensible validation logic, ensuring that authorization requests meet all necessary criteria and standards.
ServiceCollectionExtensions.AddAuthorizationEndpoint(this IServiceCollection) Method
Adds services and processors for handling authorization requests to the service collection.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
Remarks
This setup is crucial for supporting the OAuth 2.0 and OpenID Connect authorization flow, ensuring that incoming authorization requests are correctly validated and processed.
ServiceCollectionExtensions.AddAuthorizationGrant<TImpl>(this IServiceCollection) Method
Registers TImpl as both IAuthorizationGrantHandler
(for grant-handling dispatch via CompositeAuthorizationGrantHandler) and
IGrantTypeInformer (for discovery and registration-time gates that
aggregate the full grant_types_supported set across all informers). Every
IAuthorizationGrantHandler implementation, both built-in and host-supplied,
must be registered through this helper so the dual-presence invariant cannot be silently
missed when a new grant handler is added.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationGrant<TImpl>(this Microsoft.Extensions.DependencyInjection.IServiceCollection services)
where TImpl : class, Abblix.Oidc.Server.Endpoints.Token.Grants.IAuthorizationGrantHandler;
Type parameters
TImpl
The concrete grant-handler implementation to register.
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
ServiceCollectionExtensions.AddAuthorizationGrants(this IServiceCollection) Method
Composes all registered authorization grant handlers into a composite handler and registers it as the grant type informer. This method should be called after all individual grant handlers have been registered.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationGrants(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
ServiceCollectionExtensions.AddAuthorizationRequestFetchers(this IServiceCollection) Method
Registers authorization request fetchers and related services into the provided IServiceCollection. This method adds implementations for various authorization request fetchers as singletons, ensuring that they are efficiently reused throughout the application. It also composes these fetchers into a composite fetcher to handle different types of authorization requests seamlessly.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationRequestFetchers(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The IServiceCollection to which the services will be added.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The updated IServiceCollection with the added authorization request fetchers.
ServiceCollectionExtensions.AddAuthorizationResponseProcessor<TImpl>(this IServiceCollection, ServiceLifetime) Method
Registers TImpl as a Singleton concrete service and aliases the
SAME instance under both IAuthorizationResponseBuilder (for response-type
dispatch in the authorization endpoint) and IGrantTypeInformer (for
discovery and registration-time gates that aggregate grant_types_supported).
Every IAuthorizationResponseBuilder implementation must be registered
through this helper so each processor's declared grant type lands in the
IGrantTypeInformer chain without an extra registration step.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddAuthorizationResponseProcessor<TImpl>(this Microsoft.Extensions.DependencyInjection.IServiceCollection services, Microsoft.Extensions.DependencyInjection.ServiceLifetime lifetime=Microsoft.Extensions.DependencyInjection.ServiceLifetime.Singleton)
where TImpl : class, Abblix.Oidc.Server.Endpoints.Authorization.Interfaces.IAuthorizationResponseBuilder;
Type parameters
TImpl
The concrete response-builder implementation to register.
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
lifetime Microsoft.Extensions.DependencyInjection.ServiceLifetime
The service lifetime for the processor and its aliases; defaults to Microsoft.Extensions.DependencyInjection.ServiceLifetime.Singleton. Use Microsoft.Extensions.DependencyInjection.ServiceLifetime.Scoped when the processor has scoped dependencies, to avoid a captive dependency.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
ServiceCollectionExtensions.AddBackChannelAuthenticationContextValidators(this IServiceCollection) Method
Configures and registers a composite of back-channel authentication context validators into the service collection. Validators run in sequence to verify the client, the requested resources and scopes, the user identity hint, the requested expiry, the user code, and the ping-mode configuration before a CIBA request is accepted.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddBackChannelAuthenticationContextValidators(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The service collection to which the back-channel authentication context validators will be added.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The modified service collection with the registered back-channel authentication context validators.
ServiceCollectionExtensions.AddClientCredentialsGrant(this IServiceCollection) Method
Registers the client credentials grant handler for OAuth 2.0 client credentials flow.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddClientCredentialsGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
ServiceCollectionExtensions.AddConfigurationEndpoint(this IServiceCollection) Method
Adds the configuration handler for OpenID Connect Discovery endpoint.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddConfigurationEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
Remarks
This handler builds discovery metadata according to OpenID Connect Discovery specification, providing framework-agnostic metadata about the provider's configuration.
ServiceCollectionExtensions.AddDeviceAuthorizationContextValidators(this IServiceCollection) Method
Configures and registers a composite of device authorization context validators into the service collection. Validators run in sequence to verify the client, the requested scopes, and the requested resources before a device authorization request (RFC 8628) is accepted.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddDeviceAuthorizationContextValidators(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The service collection to which the device authorization context validators will be added.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The modified service collection with the registered device authorization context validators.
ServiceCollectionExtensions.AddEndSessionContextValidators(this IServiceCollection) Method
Configures and registers a composite of end-session context validators into the service
collection. Validators run in sequence to verify the id_token_hint, the client,
the post-logout redirect URI, and the confirmation claim before an end-session request
is accepted.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddEndSessionContextValidators(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The service collection to which the end-session context validators will be added.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The modified service collection with the registered end-session context validators.
ServiceCollectionExtensions.AddEndSessionEndpoint(this IServiceCollection) Method
Adds services for handling end session (logout) requests aligning with OpenID Connect session management specifications. This setup enables the application to handle logout requests effectively, ensuring that user sessions are terminated securely across all involved parties.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddEndSessionEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
ServiceCollectionExtensions.AddJwtBearerGrant(this IServiceCollection) Method
Registers services required for JWT Bearer grant type, including JWT Bearer issuer provider, JWT replay prevention cache, and keyed caching decorator for JWKS fetching.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddJwtBearerGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
ServiceCollectionExtensions.AddPushedAuthorizationEndpoint(this IServiceCollection) Method
Registers validators and processors for pushed authorization requests (PAR), enhancing the security and efficiency of the authorization process by allowing clients to send requests directly to the authorization server via a back-channel connection.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddPushedAuthorizationEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
ServiceCollectionExtensions.AddRefreshTokenGrant(this IServiceCollection) Method
Registers the refresh token grant handler for OAuth 2.0 refresh token flow.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddRefreshTokenGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
ServiceCollectionExtensions.AddTokenContextValidators(this IServiceCollection) Method
Configures and registers a composite of token context validators into the service collection. This method sets up a sequence of validators that perform various checks on token requests, ensuring they comply with the necessary criteria before a token can be issued.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddTokenContextValidators(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The service collection to which the token context validators will be added.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The modified service collection with the registered token context validators.
ServiceCollectionExtensions.AddTokenEndpoint(this IServiceCollection) Method
Adds services for validating and processing token requests according to OAuth 2.0 and OpenID Connect standards. This setup supports various grant types, ensuring that token requests are handled securely and efficiently, facilitating the issuance of access tokens, refresh tokens, and ID tokens to clients.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddTokenEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
ServiceCollectionExtensions.AddTokenExchangeGrant(this IServiceCollection) Method
Registers the RFC 8693 Token Exchange grant handler together with the per-type
ISubjectTokenResolver implementations the library
ships natively (JWT-formatted subject tokens via JwtSubjectTokenResolver
for the access_token/id_token/jwt type URIs, and
RefreshTokenSubjectTokenResolver for refresh tokens).
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddTokenExchangeGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection.
Remarks
Subject-token resolvers are dispatched by keyed DI under the
urn:ietf:params:oauth:token-type:* URI. Hosts may register additional resolvers
after this call (e.g. SAML 2.0 assertions in federation scenarios) -- the handler picks
them up automatically. The actor_token/delegation path and discovery / DCR
metadata land in subsequent slices (see #143).
ServiceCollectionExtensions.AddUserInfoEndpoint(this IServiceCollection) Method
Adds services for handling user info requests, allowing clients to retrieve claims about the authenticated user in accordance with OpenID Connect standards.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection AddUserInfoEndpoint(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to configure with user info endpoint capabilities.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The configured Microsoft.Extensions.DependencyInjection.IServiceCollection, allowing for further service registration chaining.
Remarks
Registers scoped validators and processors for user info requests, enabling the secure delivery of claims about the authenticated session user to the client. This functionality is crucial for OpenID Connect-compliant applications, providing a standardized method for clients to access user profile information based on the scopes and permissions granted during authentication. The service setup ensures that user info requests are properly validated and processed, safeguarding sensitive user information while supporting rich client applications.
ServiceCollectionExtensions.EnablePasswordGrant(this IServiceCollection) Method
Enables support for the password grant type, acknowledging its security considerations.
public static Microsoft.Extensions.DependencyInjection.IServiceCollection EnablePasswordGrant(this Microsoft.Extensions.DependencyInjection.IServiceCollection services);
Parameters
services Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection to add the password grant handler to.
Returns
Microsoft.Extensions.DependencyInjection.IServiceCollection
The Microsoft.Extensions.DependencyInjection.IServiceCollection so additional calls can be chained.
Remarks
This method is intentionally separated from the standard OIDC core service registration due to the inherent
security risks associated with the password grant type. The password grant type requires the client to handle
user credentials directly, which can increase the risk of credential exposure and related security issues.
By isolating this method, we ensure that developers make a deliberate decision to enable this feature, being
fully aware of its security implications. It's recommended to use more secure grant types like authorization
code or client credentials whenever possible. Call this before AddOidcCore/AddOidcServices:
the password grant handler must be registered before the grant handlers are composed, otherwise the
registration is rejected at startup.