TlsClientAuthenticator Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Features.ClientAuthentication
TlsClientAuthenticator Class
Implements RFC 8705 self-signed TLS client authentication (self_signed_tls_client_auth).
Validates the presented client certificate by matching its public key against the client's
registered JWKS (jwks or jwks_uri). If matched and the client's configured token endpoint
auth method is self_signed_tls_client_auth, the client is authenticated.
public class TlsClientAuthenticator : Abblix.Oidc.Server.Features.ClientAuthentication.IClientAuthenticator
Inheritance System.Object → TlsClientAuthenticator
Implements IClientAuthenticator
Constructors
TlsClientAuthenticator(ILogger<TlsClientAuthenticator>, IClientInfoProvider, IClientKeysProvider) Constructor
Implements RFC 8705 self-signed TLS client authentication (self_signed_tls_client_auth).
Validates the presented client certificate by matching its public key against the client's
registered JWKS (jwks or jwks_uri). If matched and the client's configured token endpoint
auth method is self_signed_tls_client_auth, the client is authenticated.
public TlsClientAuthenticator(Microsoft.Extensions.Logging.ILogger<Abblix.Oidc.Server.Features.ClientAuthentication.TlsClientAuthenticator> logger, Abblix.Oidc.Server.Features.ClientInformation.IClientInfoProvider clientInfoProvider, Abblix.Oidc.Server.Features.ClientInformation.IClientKeysProvider clientKeysProvider);
Parameters
logger Microsoft.Extensions.Logging.ILogger<TlsClientAuthenticator>
clientInfoProvider IClientInfoProvider
clientKeysProvider IClientKeysProvider
Properties
TlsClientAuthenticator.ClientAuthenticationMethodsSupported Property
Gets the collection of client authentication methods supported by this authenticator.
public System.Collections.Generic.IEnumerable<string> ClientAuthenticationMethodsSupported { get; }
Implements ClientAuthenticationMethodsSupported
Property Value
System.Collections.Generic.IEnumerable<System.String>
A collection containing SelfSignedTlsClientAuth.
Methods
TlsClientAuthenticator.TryAuthenticateClientAsync(ClientRequest) Method
Attempts to authenticate a client using self-signed TLS client authentication. Validates the client certificate's public key against the client's registered JWKS.
public System.Threading.Tasks.Task<Abblix.Oidc.Server.Features.ClientInformation.ClientInfo?> TryAuthenticateClientAsync(Abblix.Oidc.Server.Model.ClientRequest request);
Parameters
request ClientRequest
The client request containing the certificate and client ID to authenticate.
Implements TryAuthenticateClientAsync(ClientRequest)
Returns
System.Threading.Tasks.Task<ClientInfo>
A task that returns the authenticated ClientInfo if successful; otherwise, null.
Returns null if no certificate is provided, client not found, authentication method doesn't match,
or certificate public key doesn't match any key in the client's JWKS.
Remarks
This method implements RFC 8705 self_signed_tls_client_auth by: 1. Verifying a client certificate is present 2. Looking up client configuration by client_id 3. Checking the client uses self_signed_tls_client_auth method 4. Extracting the public key from the certificate 5. Comparing it against all keys in the client's JWKS (jwks or jwks_uri) Supports both RSA and ECDSA certificates.