Skip to main content

JwtBearerGrantHandler Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Endpoints.Token.Grants

JwtBearerGrantHandler Class

Handles the JWT Bearer grant type per RFC 7523, allowing clients to exchange a JWT assertion for an access token. This grant type is used when a client has obtained a JWT from a trusted identity provider and wants to exchange it for an access token at this authorization server.

public class JwtBearerGrantHandler : Abblix.Oidc.Server.Endpoints.Token.Grants.IAuthorizationGrantHandler, Abblix.Oidc.Server.Common.Interfaces.IGrantTypeInformer

Inheritance System.Object → JwtBearerGrantHandler

Implements IAuthorizationGrantHandler, IGrantTypeInformer

Remarks

The JWT Bearer grant type is specified in RFC 7523 and is commonly used in scenarios such as: - Service-to-service authentication with pre-existing trust relationships - Token exchange between federated identity providers - API-to-API communication where the calling service has a JWT from an identity provider - Single sign-on (SSO) across different domains or organizations

The JWT assertion must contain specific claims per RFC 7523 Section 3: - iss (issuer): Identifies the principal that issued the JWT - sub (subject): Identifies the principal that is the subject of the JWT - aud (audience): Identifies the recipients that the JWT is intended for (must include this authorization server) - exp (expiration time): Identifies the expiration time on or after which the JWT MUST NOT be accepted - jti (JWT ID): Optional but recommended for replay protection per RFC 7523 Section 5.2

The authorization server validates the JWT signature, claims, and ensures the issuer is trusted before issuing an access token.

Constructors

JwtBearerGrantHandler(ILogger<JwtBearerGrantHandler>, IJsonWebTokenValidator, IJwtBearerIssuerProvider, IRequestInfoProvider, ISessionIdGenerator, TimeProvider) Constructor

Handles the JWT Bearer grant type per RFC 7523, allowing clients to exchange a JWT assertion for an access token. This grant type is used when a client has obtained a JWT from a trusted identity provider and wants to exchange it for an access token at this authorization server.

public JwtBearerGrantHandler(Microsoft.Extensions.Logging.ILogger<Abblix.Oidc.Server.Endpoints.Token.Grants.JwtBearerGrantHandler> logger, Abblix.Jwt.IJsonWebTokenValidator jwtValidator, Abblix.Oidc.Server.Features.JwtBearer.IJwtBearerIssuerProvider issuerProvider, Abblix.Oidc.Server.Common.Interfaces.IRequestInfoProvider requestInfoProvider, Abblix.Oidc.Server.Features.RandomGenerators.ISessionIdGenerator sessionIdGenerator, System.TimeProvider timeProvider);

Parameters

logger Microsoft.Extensions.Logging.ILogger<JwtBearerGrantHandler>

Logger for recording JWT Bearer grant validation events and errors.

jwtValidator IJsonWebTokenValidator

Validates JWT assertions including signature verification and claims validation.

issuerProvider IJwtBearerIssuerProvider

Provides comprehensive JWT Bearer functionality including trusted issuers, keys, and replay protection.

requestInfoProvider IRequestInfoProvider

Provides information about the current HTTP request for audience validation.

sessionIdGenerator ISessionIdGenerator

Generates unique session identifiers for authentication sessions.

timeProvider System.TimeProvider

Provides access to the current time for session timestamps.

Remarks

The JWT Bearer grant type is specified in RFC 7523 and is commonly used in scenarios such as: - Service-to-service authentication with pre-existing trust relationships - Token exchange between federated identity providers - API-to-API communication where the calling service has a JWT from an identity provider - Single sign-on (SSO) across different domains or organizations

The JWT assertion must contain specific claims per RFC 7523 Section 3: - iss (issuer): Identifies the principal that issued the JWT - sub (subject): Identifies the principal that is the subject of the JWT - aud (audience): Identifies the recipients that the JWT is intended for (must include this authorization server) - exp (expiration time): Identifies the expiration time on or after which the JWT MUST NOT be accepted - jti (JWT ID): Optional but recommended for replay protection per RFC 7523 Section 5.2

The authorization server validates the JWT signature, claims, and ensures the issuer is trusted before issuing an access token.

Properties

JwtBearerGrantHandler.GrantTypesSupported Property

Specifies the grant type that this handler supports, which is the JWT Bearer grant type.

public System.Collections.Generic.IEnumerable<string> GrantTypesSupported { get; }

Implements GrantTypesSupported

Property Value

System.Collections.Generic.IEnumerable<System.String>

Methods

JwtBearerGrantHandler.AuthorizeAsync(TokenRequest, ClientInfo) Method

Asynchronously processes the token request using the JWT Bearer grant type. Validates the JWT assertion and, if valid, issues an access token.

public System.Threading.Tasks.Task<Abblix.Utils.Result<Abblix.Oidc.Server.Endpoints.Token.Interfaces.AuthorizedGrant,Abblix.Oidc.Server.Common.OidcError>> AuthorizeAsync(Abblix.Oidc.Server.Model.TokenRequest request, Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo);

Parameters

request TokenRequest

The token request containing the JWT assertion and requested scope.

clientInfo ClientInfo

Information about the authenticated client making the request.

Implements AuthorizeAsync(TokenRequest, ClientInfo)

Returns

System.Threading.Tasks.Task<Abblix.Utils.Result<AuthorizedGrant,OidcError>>
A task that completes with either an authorized grant containing the user session and context, or an error indicating why the JWT assertion was rejected.