| AuthorizationCodeGrantHandler | IAuthorizationGrantHandler for grant_type=authorization_code (RFC 6749 §4.1.3). Resolves the code to its stored AuthorizedGrant, asserts that the redeeming client is the same one the code was issued to, and, when a code_challenge was bound at the authorization request, runs the RFC 7636 §4.6 verification by transforming the submitted code_verifier with the recorded plain / S256 / S512 method. |
| BackChannelAuthenticationGrantHandler | Handles the authorization process for backchannel authentication requests under the Client-Initiated Backchannel Authentication (CIBA) grant type. This handler validates the token request based on the backchannel authentication flow, ensuring that the client is authorized and that the user has been authenticated before tokens are issued. Supports both short-polling (immediate response) and long-polling (holds connection until auth completes). |
| ClientCredentialsGrantHandler | Handles the authorization process for the client credentials grant type within the OAuth 2.0 framework. This grant type is designed for machine-to-machine (M2M) authentication where the client itself is the resource owner. There is no end-user involved in this flow - the client uses its own credentials to obtain an access token directly from the authorization server. |
| CompositeAuthorizationGrantHandler | A composite handler that coordinates multiple authorization grant handlers for processing OAuth 2.0 token requests. This class allows for flexible and extensible handling of various grant types by delegating specific grant processing tasks to individual handlers. It dynamically aggregates all available grant handlers, facilitating the addition of new handlers without modifying the core authorization flow. |
| DeviceCodeGrantHandler | Handles the Device Code grant type as defined in RFC 8628. This handler validates token requests for the device authorization flow, checking the device code status and returning tokens when authorized. |
| ErrorFactory | Builds OidcError instances using the error codes RFC 6749 §5.2 defines for the token endpoint. Mirrors the sibling per-area factories (authorization validation, dynamic client registration, secure HTTP fetch): each area exposes only the error codes its specification legitimately uses, so codes from one protocol surface do not leak into another. |
| JwtBearerGrantHandler | Handles the JWT Bearer grant type per RFC 7523, allowing clients to exchange a JWT assertion for an access token. This grant type is used when a client has obtained a JWT from a trusted identity provider and wants to exchange it for an access token at this authorization server. |
| PasswordGrantHandler | Handles the authorization process for the password grant type within the OAuth 2.0 framework. This handler validates the user's credentials and processes token requests based on the password grant type. The password grant type allows clients to directly exchange a user's credentials (username and password) for an access token, typically for trusted clients. |
| RefreshTokenGrantHandler | IAuthorizationGrantHandler for grant_type=refresh_token (RFC 6749 §6). Verifies the refresh token's signature and lifetime, requires the JWT typ header to be rt+jwt, recovers the original AuthorizedGrant, and rejects the request with invalid_grant when the refreshing client differs from the client that received the token. |
| TokenExchangeGrantHandler | IAuthorizationGrantHandler for RFC 8693 Token Exchange (grant_type=urn:ietf:params:oauth:grant-type:token-exchange). |