Skip to main content

Abblix.Oidc.Server.Endpoints.Token.Grants Namespace

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.Token.Grants Namespace

Classes
AuthorizationCodeGrantHandlerIAuthorizationGrantHandler for grant_type=authorization_code (RFC 6749 §4.1.3). Resolves the code to its stored AuthorizedGrant, asserts that the redeeming client is the same one the code was issued to, and, when a code_challenge was bound at the authorization request, runs the RFC 7636 §4.6 verification by transforming the submitted code_verifier with the recorded plain / S256 / S512 method.
BackChannelAuthenticationGrantHandlerHandles the authorization process for backchannel authentication requests under the Client-Initiated Backchannel Authentication (CIBA) grant type. This handler validates the token request based on the backchannel authentication flow, ensuring that the client is authorized and that the user has been authenticated before tokens are issued. Supports both short-polling (immediate response) and long-polling (holds connection until auth completes).
ClientCredentialsGrantHandlerHandles the authorization process for the client credentials grant type within the OAuth 2.0 framework. This grant type is designed for machine-to-machine (M2M) authentication where the client itself is the resource owner. There is no end-user involved in this flow - the client uses its own credentials to obtain an access token directly from the authorization server.
CompositeAuthorizationGrantHandlerA composite handler that coordinates multiple authorization grant handlers for processing OAuth 2.0 token requests. This class allows for flexible and extensible handling of various grant types by delegating specific grant processing tasks to individual handlers. It dynamically aggregates all available grant handlers, facilitating the addition of new handlers without modifying the core authorization flow.
DeviceCodeGrantHandlerHandles the Device Code grant type as defined in RFC 8628. This handler validates token requests for the device authorization flow, checking the device code status and returning tokens when authorized.
ErrorFactoryBuilds OidcError instances using the error codes RFC 6749 §5.2 defines for the token endpoint. Mirrors the sibling per-area factories (authorization validation, dynamic client registration, secure HTTP fetch): each area exposes only the error codes its specification legitimately uses, so codes from one protocol surface do not leak into another.
JwtBearerGrantHandlerHandles the JWT Bearer grant type per RFC 7523, allowing clients to exchange a JWT assertion for an access token. This grant type is used when a client has obtained a JWT from a trusted identity provider and wants to exchange it for an access token at this authorization server.
PasswordGrantHandlerHandles the authorization process for the password grant type within the OAuth 2.0 framework. This handler validates the user's credentials and processes token requests based on the password grant type. The password grant type allows clients to directly exchange a user's credentials (username and password) for an access token, typically for trusted clients.
RefreshTokenGrantHandlerIAuthorizationGrantHandler for grant_type=refresh_token (RFC 6749 §6). Verifies the refresh token's signature and lifetime, requires the JWT typ header to be rt+jwt, recovers the original AuthorizedGrant, and rejects the request with invalid_grant when the refreshing client differs from the client that received the token.
TokenExchangeGrantHandlerIAuthorizationGrantHandler for RFC 8693 Token Exchange (grant_type=urn:ietf:params:oauth:grant-type:token-exchange).
Interfaces
IAuthorizationGrantHandlerStrategy contract for resolving the grant_type-specific portion of an OAuth 2.0 token request (RFC 6749 §4) into an AuthorizedGrant: an authentication session plus the AuthorizationContext (subject, scope, resources, claims) that the issued tokens will inherit. Each implementation advertises the grant types it owns via GrantTypesSupported.