| ClientInfo | Contains information about a client in an OAuth2/OpenID Connect context. |
| ClientKeysProvider | Facilitates the retrieval of JSON Web Keys (JWKs) for cryptographic operations, including encryption and signing. This provider supports fetching keys from a client's JSON Web Key Set (JWKS) URL or directly from the client configuration. |
| ClientSecret | Encapsulates the details of a client secret used in OAuth2 and OpenID Connect authentication flows. |
| OidcOptionsSecurityProfileValidator | Validates that every statically-configured client whose effective profile mandates a control bundle has a configuration that can satisfy it, failing loudly the first time OidcOptions is resolved rather than letting a contradiction surface as a per-request rejection at runtime. A no-op for deployments that select no profile, so existing configurations are unaffected. |
| SecurityProfileConsistency | Checks whether a client's configuration can actually satisfy the profile it selects, so a contradiction surfaces loudly at registration or startup instead of as a per-request rejection the operator has to reverse-engineer. The runtime validators already tighten a request to the profile; this is the fail-loud companion that catches static configuration that can never produce a conformant flow in the first place. |
| SecurityProfileRequirements | The bundle of controls a ClientSecurityProfile forces on a client, expressed as individual flags the request-pipeline validators consult. This is the single place the profile-to-controls mapping lives, so a validator never needs to know what "FAPI 2.0" means — it only reads the one flag it owns — and adding a future profile touches only Resolve(ClientSecurityProfile). |
| TlsClientAuthOptions | RFC 8705 metadata for tls_client_auth method. Defines match rules for Subject DN and/or Subject Alternative Name entries. |