Skip to main content

ClientInfo Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.ClientInformation

ClientInfo Class

Contains information about a client in an OAuth2/OpenID Connect context.

public record ClientInfo : System.IEquatable<Abblix.Oidc.Server.Features.ClientInformation.ClientInfo>

Inheritance System.Object → ClientInfo

Implements System.IEquatable<ClientInfo>

Remarks

This record encapsulates the details necessary to identify and configure the behavior of a client application within an OAuth2 or OpenID Connect framework. It includes identifiers, secrets, and configuration options that dictate how the client interacts with the authorization server and is authenticated or authorized during the token issuance process.

Constructors

ClientInfo(string) Constructor

Contains information about a client in an OAuth2/OpenID Connect context.

public ClientInfo(string ClientId);

Parameters

ClientId System.String

Remarks

This record encapsulates the details necessary to identify and configure the behavior of a client application within an OAuth2 or OpenID Connect framework. It includes identifiers, secrets, and configuration options that dictate how the client interacts with the authorization server and is authenticated or authorized during the token issuance process.

Properties

ClientInfo.AccessTokenExpiresIn Property

Specifies the lifetime of access tokens issued to this client. Shorter access token lifetimes reduce the risk of token leakage.

public System.TimeSpan AccessTokenExpiresIn { get; set; }

Property Value

System.TimeSpan

ClientInfo.AllowCrossClientSubjectTokenExchange Property

RFC 8693 §1.3: by default this AS rejects a Token Exchange request where the subject_token was originally issued to a different client than the one presenting it -- the "confused deputy" anti-pattern. When this client is intended to operate as an audit broker / proxy that legitimately receives tokens issued to other clients, set this to true to opt out of the default check. Has no effect when no subject_token origin can be determined.

public bool AllowCrossClientSubjectTokenExchange { get; set; }

Property Value

System.Boolean

ClientInfo.AllowedGrantTypes Property

Specifies the grant types the client is authorized to use when obtaining tokens from the token endpoint.

public string[] AllowedGrantTypes { get; set; }

Property Value

System.String[]

ClientInfo.AllowedResponseTypes Property

Defines the response types that the client is permitted to use. This controls how tokens are issued in response to an authorization request.

public string[][] AllowedResponseTypes { get; set; }

Property Value

System.String[][]

ClientInfo.AllowedScopes Property

The scope values the client is allowed to request per RFC 7591 Section 2.

public string[]? AllowedScopes { get; set; }

Property Value

System.String[]

ClientInfo.ApplicationType Property

Describes the type of application represented by the client, such as "web" or "native".

public string ApplicationType { get; set; }

Property Value

System.String

ClientInfo.AuthorizationCodeExpiresIn Property

The validity period of an authorization code issued to this client. Shorter durations are recommended for higher security.

public System.TimeSpan AuthorizationCodeExpiresIn { get; set; }

Property Value

System.TimeSpan

ClientInfo.AuthorizationDetailsTypes Property

RFC 9396 §5.1: the client's per-client allowlist of authorization-detail type values it may use in authorization_details requests. DCR-exposed (authorization_details_types). Semantics:

  • null — no per-client constraint; the client may use any type the server understands.
  • Empty array — the client cannot use RAR; every authorization_details entry is rejected at request time regardless of type.
  • Non-empty array — only the listed type values are accepted for this client; entries with other types are rejected with invalid_authorization_details.
public string[]? AuthorizationDetailsTypes { get; set; }

Property Value

System.String[]

ClientInfo.AuthorizationEncryptedResponseAlgorithm Property

JARM (authorization_encrypted_response_alg): the JWE key-management algorithm used to encrypt authorization responses for this client. When set, the signed response JWT is additionally encrypted (a Nested JWT). null means no encryption is performed.

public string? AuthorizationEncryptedResponseAlgorithm { get; set; }

Property Value

System.String

ClientInfo.AuthorizationEncryptedResponseEncryption Property

JARM (authorization_encrypted_response_enc): the JWE content-encryption algorithm used to encrypt authorization responses for this client. Only meaningful when AuthorizationEncryptedResponseAlgorithm is set.

public string? AuthorizationEncryptedResponseEncryption { get; set; }

Property Value

System.String

ClientInfo.AuthorizationSignedResponseAlgorithm Property

JARM (authorization_signed_response_alg): the JWS algorithm used to sign authorization responses packed into a JWT for this client. Defaults to RS256 per JARM §3; the algorithm none is not permitted. Only consulted when the client requests a JWT response mode.

public string AuthorizationSignedResponseAlgorithm { get; set; }

Property Value

System.String

ClientInfo.BackChannelAuthenticationRequestSigningAlg Property

The signing algorithm used for backchannel authentication requests sent to this client.

public string? BackChannelAuthenticationRequestSigningAlg { get; set; }

Property Value

System.String

ClientInfo.BackChannelClientNotificationEndpoint Property

The endpoint where backchannel client notifications are sent for this client.

public System.Uri? BackChannelClientNotificationEndpoint { get; set; }

Property Value

System.Uri

ClientInfo.BackChannelLogout Property

Options for configuring back-channel logout behavior, enabling the server to directly notify the client of logout events.

public Abblix.Oidc.Server.Common.Configuration.BackChannelLogoutOptions? BackChannelLogout { get; set; }

Property Value

BackChannelLogoutOptions

ClientInfo.BackChannelTokenDeliveryMode Property

The backchannel token delivery mode to be used by this client. This determines how tokens are delivered during backchannel authentication.

public string? BackChannelTokenDeliveryMode { get; set; }

Property Value

System.String

ClientInfo.BackChannelUserCodeParameter Property

Indicates whether the backchannel authentication process supports user codes for this client.

public bool BackChannelUserCodeParameter { get; set; }

Property Value

System.Boolean

ClientInfo.ClientId Property

Identifies the client's unique identifier as recognized by the authorization server. It is used in various OAuth 2.0 and OpenID Connect flows to represent the client application.

public string ClientId { get; set; }

Property Value

System.String

ClientInfo.ClientName Property

A human-readable name for the client application, which can be displayed to users during the authorization process.

public string? ClientName { get; set; }

Property Value

System.String

ClientInfo.ClientSecrets Property

A collection of secrets associated with the client, used for authenticating the client to the authorization server. Multiple secrets can be provided for added security.

public Abblix.Oidc.Server.Features.ClientInformation.ClientSecret[]? ClientSecrets { get; set; }

Property Value

ClientSecret[]

ClientInfo.ClientType Property

Classifies the client based on its ability to securely maintain a client secret. Derived from TokenEndpointAuthMethod: none yields Public; any other authentication method (secrets, keys, certificates) yields Confidential.

public Abblix.Oidc.Server.Common.Constants.ClientType ClientType { get; }

Property Value

ClientType

ClientInfo.ClientUri Property

A URL pointing to a web page providing information about the client application. This is typically used to offer additional context to users during the authorization process.

public System.Uri? ClientUri { get; set; }

Property Value

System.Uri

ClientInfo.Contacts Property

An array of contact email addresses associated with the client, primarily used for support purposes.

public string[]? Contacts { get; set; }

Property Value

System.String[]

ClientInfo.DefaultAcrValues Property

Specifies the default Authentication Context Class Reference (ACR) values for the client. These values indicate the types of authentication methods or levels of assurance required.

public string[]? DefaultAcrValues { get; set; }

Property Value

System.String[]

ClientInfo.DefaultMaxAge Property

The maximum time in seconds since the user's authentication that the client accepts. Requests exceeding this time will require re-authentication of the user.

public System.Nullable<System.TimeSpan> DefaultMaxAge { get; set; }

Property Value

System.Nullable<System.TimeSpan>

ClientInfo.ExpiresAfter Property

Expiration time for this dynamically registered client in distributed cache. If not set, the default expiration configured in the server settings is used. Implements pseudo-sliding expiration: TTL is reset on each access.

public System.Nullable<System.TimeSpan> ExpiresAfter { get; set; }

Property Value

System.Nullable<System.TimeSpan>

ClientInfo.ForceAuthorizationDetailsInIdentityToken Property

When true, the authorization_details claim is emitted on the ID token for this client in addition to the access token and introspection response. Default false. RFC 9396 is silent on id_token; default-off preserves role separation between identity assertion (id_token) and authorization payload (access token + introspection). Host-controlled behavioural extension — NOT exposed via DCR (no OIDC wire metadata for this), mirroring the ForceUserClaimsInIdentityToken precedent.

public bool ForceAuthorizationDetailsInIdentityToken { get; set; }

Property Value

System.Boolean

ClientInfo.ForceUserClaimsInIdentityToken Property

Controls whether claims about the authenticated user are included directly in the identity token instead of being obtained separately via the UserInfo endpoint.

public bool ForceUserClaimsInIdentityToken { get; set; }

Property Value

System.Boolean

ClientInfo.FrontChannelLogout Property

Options for configuring front-channel logout behavior, allowing the client to participate in logout requests initiated by other clients.

public Abblix.Oidc.Server.Common.Configuration.FrontChannelLogoutOptions? FrontChannelLogout { get; set; }

Property Value

FrontChannelLogoutOptions

ClientInfo.IdentityTokenEncryptedResponseAlgorithm Property

Specifies the algorithm used to encrypt identity tokens issued to the client.

public string? IdentityTokenEncryptedResponseAlgorithm { get; set; }

Property Value

System.String

ClientInfo.IdentityTokenEncryptedResponseEncryption Property

Specifies the encryption method used to encrypt identity tokens issued to the client.

public string? IdentityTokenEncryptedResponseEncryption { get; set; }

Property Value

System.String

ClientInfo.IdentityTokenExpiresIn Property

Determines the validity period of identity tokens issued to this client. Shorter durations enhance security by reducing the window of misuse.

public System.TimeSpan IdentityTokenExpiresIn { get; set; }

Property Value

System.TimeSpan

ClientInfo.IdentityTokenSignedResponseAlgorithm Property

Specifies the algorithm that must be used for signing identity token responses issued to this client. Per Back-Channel Logout 1.0 §2.4 logout tokens are signed in the same manner as ID Tokens, so this value also serves as the default signing algorithm for back-channel logout tokens unless LogoutTokenSignedResponseAlgorithm overrides it.

public string IdentityTokenSignedResponseAlgorithm { get; set; }

Property Value

System.String

ClientInfo.InitiateLoginUri Property

A URI that allows third-party sites to initiate a login by the client, facilitating integrations and single sign-on scenarios.

public System.Uri? InitiateLoginUri { get; set; }

Property Value

System.Uri

ClientInfo.IntrospectionEncryptedResponseAlgorithm Property

RFC 9701 (introspection_encrypted_response_alg): the key-management algorithm used to encrypt introspection-response JWTs returned to the client.

public string? IntrospectionEncryptedResponseAlgorithm { get; set; }

Property Value

System.String

ClientInfo.IntrospectionEncryptedResponseEncryption Property

RFC 9701 (introspection_encrypted_response_enc): the content-encryption algorithm used to encrypt introspection-response JWTs returned to the client.

public string? IntrospectionEncryptedResponseEncryption { get; set; }

Property Value

System.String

ClientInfo.IntrospectionSignedResponseAlgorithm Property

RFC 9701 (introspection_signed_response_alg): the JWS algorithm used to sign introspection responses returned to this client as a JWT. None (the default) means the client receives a plain JSON introspection response; any other value opts the client into a signed JWT response.

public string IntrospectionSignedResponseAlgorithm { get; set; }

Property Value

System.String

ClientInfo.Jwks Property

The set of JSON Web Keys used by the client, typically for signing request objects and decrypting identity tokens or encrypted user information.

public Abblix.Jwt.JsonWebKeySet? Jwks { get; set; }

Property Value

JsonWebKeySet

ClientInfo.JwksUri Property

The publicly accessible URL where the client's JSON Web Key Set (JWKS) can be retrieved.

public System.Uri? JwksUri { get; set; }

Property Value

System.Uri

ClientInfo.LogoUri Property

A URL pointing to an image file representing the client's logo, which can be displayed in user interfaces during authorization.

public System.Uri? LogoUri { get; set; }

Property Value

System.Uri

ClientInfo.LogoutTokenSignedResponseAlgorithm Property

The algorithm used to sign back-channel logout tokens issued to this client. When null (the default), the value of IdentityTokenSignedResponseAlgorithm applies — Back-Channel Logout 1.0 §2.4 signs logout tokens in the same manner as ID Tokens, and this property makes that otherwise implicit coupling visible and overridable per client. There is no registered DCR metadata parameter for it, so the override is host-side configuration only.

public string? LogoutTokenSignedResponseAlgorithm { get; set; }

Property Value

System.String

ClientInfo.OfflineAccessAllowed Property

Allows the client to request tokens that enable access to the user's resources while they’re offline.

public System.Nullable<bool> OfflineAccessAllowed { get; set; }

Property Value

System.Nullable<System.Boolean>

ClientInfo.ParseLoginHintTokenAsJwt Property

Indicates whether the login hint token should be parsed and validated as a JSON Web Token (JWT).

public bool ParseLoginHintTokenAsJwt { get; set; }

Property Value

System.Boolean

Remarks

If this property is set to false, it means the login hint token is not in JWT format. In this case, the client is responsible for parsing and validating the token as part of the validation flow, as the authorization server will not handle its validation automatically.

ClientInfo.PkceRequired Property

Indicates whether the client is to use Proof Key for Code Exchange (PKCE) in the authorization code flow, enhancing security for public clients.

public System.Nullable<bool> PkceRequired { get; set; }

Property Value

System.Nullable<System.Boolean>

ClientInfo.PlainPkceAllowed Property

Indicates if the client is allowed to use the "plain" method for PKCE. It is recommended to use stronger methods like "S256" for enhanced security.

public bool PlainPkceAllowed { get; set; }

Property Value

System.Boolean

ClientInfo.PolicyUri Property

A URL pointing to the client's policy documentation, providing transparency on how user data is handled and protected.

public System.Uri? PolicyUri { get; set; }

Property Value

System.Uri

ClientInfo.PostLogoutRedirectUris Property

Specifies the URIs where the user-agent can be redirected after logging out from the client application. This allows for a seamless user experience upon logout.

public System.Uri[] PostLogoutRedirectUris { get; set; }

Property Value

System.Uri[]

ClientInfo.RedirectUris Property

Specifies the URIs where the user-agent can be redirected after authorization. These URIs must be pre-registered and match the redirect URI provided in the authorization request.

public System.Uri[] RedirectUris { get; set; }

Property Value

System.Uri[]

ClientInfo.RefreshToken Property

Configures the behavior and properties of refresh tokens issued to this client, such as their expiration and renewal policies.

public Abblix.Oidc.Server.Common.Configuration.RefreshTokenOptions RefreshToken { get; set; }

Property Value

RefreshTokenOptions

ClientInfo.RequestObjectEncryptionAlgorithm Property

Specifies the algorithm required for encrypting request objects sent to the authorization server.

public string? RequestObjectEncryptionAlgorithm { get; set; }

Property Value

System.String

ClientInfo.RequestObjectEncryptionMethod Property

Specifies the encryption method required for encrypting request objects sent to the authorization server.

public string? RequestObjectEncryptionMethod { get; set; }

Property Value

System.String

ClientInfo.RequestObjectSigningAlgorithm Property

Specifies the algorithm required for signing request objects sent to the authorization server.

public string? RequestObjectSigningAlgorithm { get; set; }

Property Value

System.String

ClientInfo.RequestUris Property

The list of allowed URI values to validate the request_uri parameter in authorization requests.

public System.Uri[] RequestUris { get; set; }

Property Value

System.Uri[]

Remarks

The request_uri parameter references a pre-hosted authorization request object. This property specifies the valid URIs that can be included in the request_uri parameter. By defining this list, the server ensures that only pre-approved and secure URIs are accepted, mitigating risks such as unauthorized or malicious requests.

ClientInfo.RequireAuthTime Property

Indicates whether the authorization server must include the `auth_time` claim in the ID token.

public System.Nullable<bool> RequireAuthTime { get; set; }

Property Value

System.Nullable<System.Boolean>

ClientInfo.RequireDPoP Property

RFC 9449 §5.2 client metadata (dpop_bound_access_tokens): when true, the client MUST present a valid DPoP proof on the token endpoint and the issued access token will be DPoP-bound (cnf.jkt). When false, DPoP is opportunistic — a valid proof still binds the token, otherwise a Bearer token is issued.

public bool RequireDPoP { get; set; }

Property Value

System.Boolean

ClientInfo.RequirePushedAuthorizationRequests Property

RFC 9126 §6 client metadata (require_pushed_authorization_requests): when true, a pushed authorization request is the only way this client may start an authorization flow — a request arriving at the authorization endpoint without a PAR-issued request URI is rejected even when the server-wide requirement is off. FAPI-grade clients set this so a granular server-side toggle cannot silently weaken them.

public bool RequirePushedAuthorizationRequests { get; set; }

Property Value

System.Boolean

ClientInfo.RequireSignedRequestObject Property

RFC 9101 §10.5 client metadata (require_signed_request_object): when true, this client must deliver its authorization request parameters as a signed request object (via the request parameter or a pushed authorization request) — plain-parameter requests and unsigned request objects are rejected.

public bool RequireSignedRequestObject { get; set; }

Property Value

System.Boolean

ClientInfo.SectorIdentifier Property

Used in conjunction with pairwise subject identifiers to calculate the subject value returned to the client. This field is particularly relevant to ensuring user privacy by providing a different subject identifier to each client, even if it's the same end-user. It typically contains a URL or a unique identifier representing the client's sector.

public string? SectorIdentifier { get; set; }

Property Value

System.String

ClientInfo.SecurityProfile Property

The named security profile this client is held to. Fapi2 forces the FAPI 2.0 control bundle (PKCE restricted to S256, Pushed Authorization Requests, sender-constrained tokens, code-only responses) on the client and prevents the individual toggles above from weakening it. None is an explicit opt-out that leaves the client governed by those individual toggles alone, overriding any server-wide default. null (the default) means the client states no preference and inherits DefaultSecurityProfile — which is itself None unless the deployment sets a server-wide profile, so existing clients are unaffected.

public System.Nullable<Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile> SecurityProfile { get; set; }

Property Value

System.Nullable<ClientSecurityProfile>

ClientInfo.SoftwareId Property

A unique identifier for the client software per RFC 7591 Section 2.

public string? SoftwareId { get; set; }

Property Value

System.String

ClientInfo.SoftwareVersion Property

A version identifier for the client software per RFC 7591 Section 2.

public string? SoftwareVersion { get; set; }

Property Value

System.String

ClientInfo.SubjectType Property

Specifies the subject identifier type requested by the client. This influences how the authorization server represents the authenticated user's identity to the client, affecting privacy and uniqueness across different clients. Common types include "public" and "pairwise".

public string? SubjectType { get; set; }

Property Value

System.String

ClientInfo.TermsOfServiceUri Property

A URL pointing to the client's terms of service, outlining the legal agreement between the user and the service provider.

public System.Uri? TermsOfServiceUri { get; set; }

Property Value

System.Uri

ClientInfo.TlsClientAuth Property

TLS client authentication metadata (RFC 8705) for tls_client_auth method.

public Abblix.Oidc.Server.Features.ClientInformation.TlsClientAuthOptions? TlsClientAuth { get; set; }

Property Value

TlsClientAuthOptions

ClientInfo.TlsClientCertificateBoundAccessTokens Property

RFC 8705 §3.4 client metadata (tls_client_certificate_bound_access_tokens): when true, access tokens issued to this client are certificate-bound whenever the token request arrives over mutual TLS — independently of the client authentication method, which is what distinguishes this flag from the implicit binding the mTLS authentication methods already get.

public bool TlsClientCertificateBoundAccessTokens { get; set; }

Property Value

System.Boolean

ClientInfo.TokenEndpointAuthMethod Property

Describes how the client authenticates to the token endpoint per RFC 6749 §2.3 / OIDC Core §9. Common values include client_secret_basic, client_secret_post, private_key_jwt, client_secret_jwt, tls_client_auth (RFC 8705), and none (public clients). Drives the value of ClientType.

public string TokenEndpointAuthMethod { get; set; }

Property Value

System.String

ClientInfo.TokenEndpointAuthSigningAlgorithm Property

Specifies the algorithm used to sign client authentication requests at the token endpoint.

public string? TokenEndpointAuthSigningAlgorithm { get; set; }

Property Value

System.String

ClientInfo.TokenExchangeAllowedAudiences Property

RFC 8693 §2.1 per-client allowlist of audience values this client may request when exchanging a token. The requested audience is written into the issued token's aud claim, so without a constraint a client could mint a token for any target service it names. This allowlist is therefore <b>default-deny</b>, unlike the unconstrained-by-default TokenExchangeAllowedSubjectTokenTypes:

  • null or empty array: the client may not request any audience -- a Token Exchange request carrying one is rejected with invalid_target.
  • Non-empty array: allowlist -- only the listed audience values are accepted; any other is rejected with invalid_target.

A request that omits audience is unaffected.

public string[]? TokenExchangeAllowedAudiences { get; set; }

Property Value

System.String[]

ClientInfo.TokenExchangeAllowedSubjectTokenTypes Property

RFC 8693 §2.1 per-client allowlist of subject_token_type URIs this client may submit to the Token Exchange grant. Independent of AllowedGrantTypes -- a client must have urn:ietf:params:oauth:grant-type:token-exchange in AllowedGrantTypes to invoke the grant, and the requested subject_token_type must additionally satisfy this allowlist.

  • null: no constraint (any of TokenExchangeTokenTypes the AS can validate is accepted).
  • Empty array: forbidden -- every Token Exchange request from this client is rejected with invalid_request regardless of subject_token_type.
  • Non-empty array: allowlist -- only the listed type URIs are accepted; any other is rejected.

Mirrors the AuthorizationDetailsTypes tri-state pattern.

public string[]? TokenExchangeAllowedSubjectTokenTypes { get; set; }

Property Value

System.String[]

ClientInfo.UserInfoEncryptedResponseAlgorithm Property

Specifies the algorithm used to encrypt UserInfo responses returned to the client.

public string? UserInfoEncryptedResponseAlgorithm { get; set; }

Property Value

System.String

ClientInfo.UserInfoEncryptedResponseEncryption Property

Specifies the encryption method used to encrypt UserInfo responses returned to the client.

public string? UserInfoEncryptedResponseEncryption { get; set; }

Property Value

System.String

ClientInfo.UserInfoSignedResponseAlgorithm Property

Determines the algorithm used for signing responses from the UserInfo endpoint. This can enhance the security of transmitted user information.

public string UserInfoSignedResponseAlgorithm { get; set; }

Property Value

System.String