JwtBearerGrantHandler Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Endpoints.Token.Grants
JwtBearerGrantHandler Class
Handles the JWT Bearer grant type per RFC 7523, allowing clients to exchange a JWT assertion for an access token. This grant type is used when a client has obtained a JWT from a trusted identity provider and wants to exchange it for an access token at this authorization server.
public class JwtBearerGrantHandler : Abblix.Oidc.Server.Endpoints.Token.Grants.IAuthorizationGrantHandler, Abblix.Oidc.Server.Common.Interfaces.IGrantTypeInformer
Inheritance System.Object → JwtBearerGrantHandler
Implements IAuthorizationGrantHandler, IGrantTypeInformer
Remarks
The JWT Bearer grant type is specified in RFC 7523 and is commonly used in scenarios such as: - Service-to-service authentication with pre-existing trust relationships - Token exchange between federated identity providers - API-to-API communication where the calling service has a JWT from an identity provider - Single sign-on (SSO) across different domains or organizations
The JWT assertion must contain specific claims per RFC 7523 Section 3: - iss (issuer): Identifies the principal that issued the JWT - sub (subject): Identifies the principal that is the subject of the JWT - aud (audience): Identifies the recipients that the JWT is intended for (must include this authorization server) - exp (expiration time): Identifies the expiration time on or after which the JWT MUST NOT be accepted - jti (JWT ID): Optional but recommended for replay protection per RFC 7523 Section 5.2
The authorization server validates the JWT signature, claims, and ensures the issuer is trusted before issuing an access token.
Constructors
JwtBearerGrantHandler(ILogger<JwtBearerGrantHandler>, IJsonWebTokenValidator, IJwtBearerIssuerProvider, IRequestInfoProvider, ISessionIdGenerator, TimeProvider) Constructor
Handles the JWT Bearer grant type per RFC 7523, allowing clients to exchange a JWT assertion for an access token. This grant type is used when a client has obtained a JWT from a trusted identity provider and wants to exchange it for an access token at this authorization server.
public JwtBearerGrantHandler(Microsoft.Extensions.Logging.ILogger<Abblix.Oidc.Server.Endpoints.Token.Grants.JwtBearerGrantHandler> logger, Abblix.Jwt.IJsonWebTokenValidator jwtValidator, Abblix.Oidc.Server.Features.JwtBearer.IJwtBearerIssuerProvider issuerProvider, Abblix.Oidc.Server.Common.Interfaces.IRequestInfoProvider requestInfoProvider, Abblix.Oidc.Server.Features.RandomGenerators.ISessionIdGenerator sessionIdGenerator, System.TimeProvider timeProvider);
Parameters
logger Microsoft.Extensions.Logging.ILogger<JwtBearerGrantHandler>
Logger for recording JWT Bearer grant validation events and errors.
jwtValidator IJsonWebTokenValidator
Validates JWT assertions including signature verification and claims validation.
issuerProvider IJwtBearerIssuerProvider
Provides comprehensive JWT Bearer functionality including trusted issuers, keys, and replay protection.
requestInfoProvider IRequestInfoProvider
Provides information about the current HTTP request for audience validation.
sessionIdGenerator ISessionIdGenerator
Generates unique session identifiers for authentication sessions.
timeProvider System.TimeProvider
Provides access to the current time for session timestamps.
Remarks
The JWT Bearer grant type is specified in RFC 7523 and is commonly used in scenarios such as: - Service-to-service authentication with pre-existing trust relationships - Token exchange between federated identity providers - API-to-API communication where the calling service has a JWT from an identity provider - Single sign-on (SSO) across different domains or organizations
The JWT assertion must contain specific claims per RFC 7523 Section 3: - iss (issuer): Identifies the principal that issued the JWT - sub (subject): Identifies the principal that is the subject of the JWT - aud (audience): Identifies the recipients that the JWT is intended for (must include this authorization server) - exp (expiration time): Identifies the expiration time on or after which the JWT MUST NOT be accepted - jti (JWT ID): Optional but recommended for replay protection per RFC 7523 Section 5.2
The authorization server validates the JWT signature, claims, and ensures the issuer is trusted before issuing an access token.
Properties
JwtBearerGrantHandler.GrantTypesSupported Property
Specifies the grant type that this handler supports, which is the JWT Bearer grant type.
public System.Collections.Generic.IEnumerable<string> GrantTypesSupported { get; }
Implements GrantTypesSupported
Property Value
System.Collections.Generic.IEnumerable<System.String>
Methods
JwtBearerGrantHandler.AuthorizeAsync(TokenRequest, ClientInfo) Method
Asynchronously processes the token request using the JWT Bearer grant type. Validates the JWT assertion and, if valid, issues an access token.
public System.Threading.Tasks.Task<Abblix.Utils.Result<Abblix.Oidc.Server.Endpoints.Token.Interfaces.AuthorizedGrant,Abblix.Oidc.Server.Common.OidcError>> AuthorizeAsync(Abblix.Oidc.Server.Model.TokenRequest request, Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo);
Parameters
request TokenRequest
The token request containing the JWT assertion and requested scope.
clientInfo ClientInfo
Information about the authenticated client making the request.
Implements AuthorizeAsync(TokenRequest, ClientInfo)
Returns
System.Threading.Tasks.Task<Abblix.Utils.Result<AuthorizedGrant,OidcError>>
A task that completes with either an authorized grant containing the user session and context,
or an error indicating why the JWT assertion was rejected.