Skip to main content

TlsClientAuthenticator Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.ClientAuthentication

TlsClientAuthenticator Class

Implements RFC 8705 self-signed TLS client authentication (self_signed_tls_client_auth). Validates the presented client certificate by matching its public key against the client's registered JWKS (jwks or jwks_uri). If matched and the client's configured token endpoint auth method is self_signed_tls_client_auth, the client is authenticated.

public class TlsClientAuthenticator : Abblix.Oidc.Server.Features.ClientAuthentication.IClientAuthenticator

Inheritance System.Object → TlsClientAuthenticator

Implements IClientAuthenticator

Constructors

TlsClientAuthenticator(ILogger<TlsClientAuthenticator>, IClientInfoProvider, IClientKeysProvider) Constructor

Implements RFC 8705 self-signed TLS client authentication (self_signed_tls_client_auth). Validates the presented client certificate by matching its public key against the client's registered JWKS (jwks or jwks_uri). If matched and the client's configured token endpoint auth method is self_signed_tls_client_auth, the client is authenticated.

public TlsClientAuthenticator(Microsoft.Extensions.Logging.ILogger<Abblix.Oidc.Server.Features.ClientAuthentication.TlsClientAuthenticator> logger, Abblix.Oidc.Server.Features.ClientInformation.IClientInfoProvider clientInfoProvider, Abblix.Oidc.Server.Features.ClientInformation.IClientKeysProvider clientKeysProvider);

Parameters

logger Microsoft.Extensions.Logging.ILogger<TlsClientAuthenticator>
clientInfoProvider IClientInfoProvider
clientKeysProvider IClientKeysProvider

Properties

TlsClientAuthenticator.ClientAuthenticationMethodsSupported Property

Gets the collection of client authentication methods supported by this authenticator.

public System.Collections.Generic.IEnumerable<string> ClientAuthenticationMethodsSupported { get; }

Implements ClientAuthenticationMethodsSupported

Property Value

System.Collections.Generic.IEnumerable<System.String>
A collection containing SelfSignedTlsClientAuth.

Methods

TlsClientAuthenticator.TryAuthenticateClientAsync(ClientRequest) Method

Attempts to authenticate a client using self-signed TLS client authentication. Validates the client certificate's public key against the client's registered JWKS.

public System.Threading.Tasks.Task<Abblix.Oidc.Server.Features.ClientInformation.ClientInfo?> TryAuthenticateClientAsync(Abblix.Oidc.Server.Model.ClientRequest request);

Parameters

request ClientRequest

The client request containing the certificate and client ID to authenticate.

Implements TryAuthenticateClientAsync(ClientRequest)

Returns

System.Threading.Tasks.Task<ClientInfo>
A task that returns the authenticated ClientInfo if successful; otherwise, null. Returns null if no certificate is provided, client not found, authentication method doesn't match, or certificate public key doesn't match any key in the client's JWKS.

Remarks

This method implements RFC 8705 self_signed_tls_client_auth by: 1. Verifying a client certificate is present 2. Looking up client configuration by client_id 3. Checking the client uses self_signed_tls_client_auth method 4. Extracting the public key from the certificate 5. Comparing it against all keys in the client's JWKS (jwks or jwks_uri) Supports both RSA and ECDSA certificates.