ClientInfo Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Features.ClientInformation
ClientInfo Class
Contains information about a client in an OAuth2/OpenID Connect context.
public record ClientInfo : System.IEquatable<Abblix.Oidc.Server.Features.ClientInformation.ClientInfo>
Inheritance System.Object → ClientInfo
Implements System.IEquatable<ClientInfo>
Remarks
This record encapsulates the details necessary to identify and configure the behavior of a client application within an OAuth2 or OpenID Connect framework. It includes identifiers, secrets, and configuration options that dictate how the client interacts with the authorization server and is authenticated or authorized during the token issuance process.
Constructors
ClientInfo(string) Constructor
Contains information about a client in an OAuth2/OpenID Connect context.
public ClientInfo(string ClientId);
Parameters
ClientId System.String
Remarks
This record encapsulates the details necessary to identify and configure the behavior of a client application within an OAuth2 or OpenID Connect framework. It includes identifiers, secrets, and configuration options that dictate how the client interacts with the authorization server and is authenticated or authorized during the token issuance process.
Properties
ClientInfo.AccessTokenExpiresIn Property
Specifies the lifetime of access tokens issued to this client. Shorter access token lifetimes reduce the risk of token leakage.
public System.TimeSpan AccessTokenExpiresIn { get; set; }
Property Value
ClientInfo.AllowCrossClientSubjectTokenExchange Property
RFC 8693 §1.3: by default this AS rejects a Token Exchange request where the
subject_token was originally issued to a different client than the one presenting
it -- the "confused deputy" anti-pattern. When this client is intended to operate as an
audit broker / proxy that legitimately receives tokens issued to other clients, set this
to true to opt out of the default check. Has no effect when no subject_token
origin can be determined.
public bool AllowCrossClientSubjectTokenExchange { get; set; }
Property Value
ClientInfo.AllowedGrantTypes Property
Specifies the grant types the client is authorized to use when obtaining tokens from the token endpoint.
public string[] AllowedGrantTypes { get; set; }
Property Value
ClientInfo.AllowedResponseTypes Property
Defines the response types that the client is permitted to use. This controls how tokens are issued in response to an authorization request.
public string[][] AllowedResponseTypes { get; set; }
Property Value
ClientInfo.AllowedScopes Property
The scope values the client is allowed to request per RFC 7591 Section 2.
public string[]? AllowedScopes { get; set; }
Property Value
ClientInfo.ApplicationType Property
Describes the type of application represented by the client, such as "web" or "native".
public string ApplicationType { get; set; }
Property Value
ClientInfo.AuthorizationCodeExpiresIn Property
The validity period of an authorization code issued to this client. Shorter durations are recommended for higher security.
public System.TimeSpan AuthorizationCodeExpiresIn { get; set; }
Property Value
ClientInfo.AuthorizationDetailsTypes Property
RFC 9396 §5.1: the client's per-client allowlist of authorization-detail type
values it may use in authorization_details requests. DCR-exposed
(authorization_details_types). Semantics:
null— no per-client constraint; the client may use anytypethe server understands.- Empty array — the client cannot use RAR; every
authorization_detailsentry is rejected at request time regardless oftype. - Non-empty array — only the listed
typevalues are accepted for this client; entries with other types are rejected withinvalid_authorization_details.
public string[]? AuthorizationDetailsTypes { get; set; }
Property Value
ClientInfo.AuthorizationEncryptedResponseAlgorithm Property
JARM (authorization_encrypted_response_alg): the JWE key-management algorithm used to encrypt
authorization responses for this client. When set, the signed response JWT is additionally encrypted
(a Nested JWT). null means no encryption is performed.
public string? AuthorizationEncryptedResponseAlgorithm { get; set; }
Property Value
ClientInfo.AuthorizationEncryptedResponseEncryption Property
JARM (authorization_encrypted_response_enc): the JWE content-encryption algorithm used to encrypt
authorization responses for this client. Only meaningful when
AuthorizationEncryptedResponseAlgorithm is set.
public string? AuthorizationEncryptedResponseEncryption { get; set; }
Property Value
ClientInfo.AuthorizationSignedResponseAlgorithm Property
JARM (authorization_signed_response_alg): the JWS algorithm used to sign authorization responses
packed into a JWT for this client. Defaults to RS256 per JARM §3; the
algorithm none is not permitted. Only consulted when the client requests a JWT response mode.
public string AuthorizationSignedResponseAlgorithm { get; set; }
Property Value
ClientInfo.BackChannelAuthenticationRequestSigningAlg Property
The signing algorithm used for backchannel authentication requests sent to this client.
public string? BackChannelAuthenticationRequestSigningAlg { get; set; }
Property Value
ClientInfo.BackChannelClientNotificationEndpoint Property
The endpoint where backchannel client notifications are sent for this client.
public System.Uri? BackChannelClientNotificationEndpoint { get; set; }
Property Value
ClientInfo.BackChannelLogout Property
Options for configuring back-channel logout behavior, enabling the server to directly notify the client of logout events.
public Abblix.Oidc.Server.Common.Configuration.BackChannelLogoutOptions? BackChannelLogout { get; set; }
Property Value
ClientInfo.BackChannelTokenDeliveryMode Property
The backchannel token delivery mode to be used by this client. This determines how tokens are delivered during backchannel authentication.
public string? BackChannelTokenDeliveryMode { get; set; }
Property Value
ClientInfo.BackChannelUserCodeParameter Property
Indicates whether the backchannel authentication process supports user codes for this client.
public bool BackChannelUserCodeParameter { get; set; }
Property Value
ClientInfo.ClientId Property
Identifies the client's unique identifier as recognized by the authorization server. It is used in various OAuth 2.0 and OpenID Connect flows to represent the client application.
public string ClientId { get; set; }
Property Value
ClientInfo.ClientName Property
A human-readable name for the client application, which can be displayed to users during the authorization process.
public string? ClientName { get; set; }
Property Value
ClientInfo.ClientSecrets Property
A collection of secrets associated with the client, used for authenticating the client to the authorization server. Multiple secrets can be provided for added security.
public Abblix.Oidc.Server.Features.ClientInformation.ClientSecret[]? ClientSecrets { get; set; }
Property Value
ClientInfo.ClientType Property
Classifies the client based on its ability to securely maintain a client secret. Derived from
TokenEndpointAuthMethod: none yields Public; any
other authentication method (secrets, keys, certificates) yields Confidential.
public Abblix.Oidc.Server.Common.Constants.ClientType ClientType { get; }
Property Value
ClientInfo.ClientUri Property
A URL pointing to a web page providing information about the client application. This is typically used to offer additional context to users during the authorization process.
public System.Uri? ClientUri { get; set; }
Property Value
ClientInfo.Contacts Property
An array of contact email addresses associated with the client, primarily used for support purposes.
public string[]? Contacts { get; set; }
Property Value
ClientInfo.DefaultAcrValues Property
Specifies the default Authentication Context Class Reference (ACR) values for the client. These values indicate the types of authentication methods or levels of assurance required.
public string[]? DefaultAcrValues { get; set; }
Property Value
ClientInfo.DefaultMaxAge Property
The maximum time in seconds since the user's authentication that the client accepts. Requests exceeding this time will require re-authentication of the user.
public System.Nullable<System.TimeSpan> DefaultMaxAge { get; set; }
Property Value
System.Nullable<System.TimeSpan>
ClientInfo.ExpiresAfter Property
Expiration time for this dynamically registered client in distributed cache. If not set, the default expiration configured in the server settings is used. Implements pseudo-sliding expiration: TTL is reset on each access.
public System.Nullable<System.TimeSpan> ExpiresAfter { get; set; }
Property Value
System.Nullable<System.TimeSpan>
ClientInfo.ForceAuthorizationDetailsInIdentityToken Property
When true, the authorization_details claim is emitted on the ID token
for this client in addition to the access token and introspection response. Default
false. RFC 9396 is silent on id_token; default-off preserves role separation
between identity assertion (id_token) and authorization payload (access token +
introspection). Host-controlled behavioural extension — NOT exposed via DCR (no
OIDC wire metadata for this), mirroring the
ForceUserClaimsInIdentityToken precedent.
public bool ForceAuthorizationDetailsInIdentityToken { get; set; }
Property Value
ClientInfo.ForceUserClaimsInIdentityToken Property
Controls whether claims about the authenticated user are included directly in the identity token instead of being obtained separately via the UserInfo endpoint.
public bool ForceUserClaimsInIdentityToken { get; set; }
Property Value
ClientInfo.FrontChannelLogout Property
Options for configuring front-channel logout behavior, allowing the client to participate in logout requests initiated by other clients.
public Abblix.Oidc.Server.Common.Configuration.FrontChannelLogoutOptions? FrontChannelLogout { get; set; }
Property Value
ClientInfo.IdentityTokenEncryptedResponseAlgorithm Property
Specifies the algorithm used to encrypt identity tokens issued to the client.
public string? IdentityTokenEncryptedResponseAlgorithm { get; set; }
Property Value
ClientInfo.IdentityTokenEncryptedResponseEncryption Property
Specifies the encryption method used to encrypt identity tokens issued to the client.
public string? IdentityTokenEncryptedResponseEncryption { get; set; }
Property Value
ClientInfo.IdentityTokenExpiresIn Property
Determines the validity period of identity tokens issued to this client. Shorter durations enhance security by reducing the window of misuse.
public System.TimeSpan IdentityTokenExpiresIn { get; set; }
Property Value
ClientInfo.IdentityTokenSignedResponseAlgorithm Property
Specifies the algorithm that must be used for signing identity token responses issued to this client. Per Back-Channel Logout 1.0 §2.4 logout tokens are signed in the same manner as ID Tokens, so this value also serves as the default signing algorithm for back-channel logout tokens unless LogoutTokenSignedResponseAlgorithm overrides it.
public string IdentityTokenSignedResponseAlgorithm { get; set; }
Property Value
ClientInfo.InitiateLoginUri Property
A URI that allows third-party sites to initiate a login by the client, facilitating integrations and single sign-on scenarios.
public System.Uri? InitiateLoginUri { get; set; }
Property Value
ClientInfo.IntrospectionEncryptedResponseAlgorithm Property
RFC 9701 (introspection_encrypted_response_alg): the key-management algorithm used to encrypt
introspection-response JWTs returned to the client.
public string? IntrospectionEncryptedResponseAlgorithm { get; set; }
Property Value
ClientInfo.IntrospectionEncryptedResponseEncryption Property
RFC 9701 (introspection_encrypted_response_enc): the content-encryption algorithm used to encrypt
introspection-response JWTs returned to the client.
public string? IntrospectionEncryptedResponseEncryption { get; set; }
Property Value
ClientInfo.IntrospectionSignedResponseAlgorithm Property
RFC 9701 (introspection_signed_response_alg): the JWS algorithm used to sign introspection responses
returned to this client as a JWT. None (the default) means the client receives
a plain JSON introspection response; any other value opts the client into a signed JWT response.
public string IntrospectionSignedResponseAlgorithm { get; set; }
Property Value
ClientInfo.Jwks Property
The set of JSON Web Keys used by the client, typically for signing request objects and decrypting identity tokens or encrypted user information.
public Abblix.Jwt.JsonWebKeySet? Jwks { get; set; }
Property Value
ClientInfo.JwksUri Property
The publicly accessible URL where the client's JSON Web Key Set (JWKS) can be retrieved.
public System.Uri? JwksUri { get; set; }
Property Value
ClientInfo.LogoUri Property
A URL pointing to an image file representing the client's logo, which can be displayed in user interfaces during authorization.
public System.Uri? LogoUri { get; set; }
Property Value
ClientInfo.LogoutTokenSignedResponseAlgorithm Property
The algorithm used to sign back-channel logout tokens issued to this client. When null (the default), the value of IdentityTokenSignedResponseAlgorithm applies — Back-Channel Logout 1.0 §2.4 signs logout tokens in the same manner as ID Tokens, and this property makes that otherwise implicit coupling visible and overridable per client. There is no registered DCR metadata parameter for it, so the override is host-side configuration only.
public string? LogoutTokenSignedResponseAlgorithm { get; set; }
Property Value
ClientInfo.OfflineAccessAllowed Property
Allows the client to request tokens that enable access to the user's resources while they’re offline.
public System.Nullable<bool> OfflineAccessAllowed { get; set; }
Property Value
System.Nullable<System.Boolean>
ClientInfo.ParseLoginHintTokenAsJwt Property
Indicates whether the login hint token should be parsed and validated as a JSON Web Token (JWT).
public bool ParseLoginHintTokenAsJwt { get; set; }
Property Value
Remarks
If this property is set to false, it means the login hint token is not in JWT format.
In this case, the client is responsible for parsing and validating the token as part of the validation flow,
as the authorization server will not handle its validation automatically.
ClientInfo.PkceRequired Property
Indicates whether the client is to use Proof Key for Code Exchange (PKCE) in the authorization code flow, enhancing security for public clients.
public System.Nullable<bool> PkceRequired { get; set; }
Property Value
System.Nullable<System.Boolean>
ClientInfo.PlainPkceAllowed Property
Indicates if the client is allowed to use the "plain" method for PKCE. It is recommended to use stronger methods like "S256" for enhanced security.
public bool PlainPkceAllowed { get; set; }
Property Value
ClientInfo.PolicyUri Property
A URL pointing to the client's policy documentation, providing transparency on how user data is handled and protected.
public System.Uri? PolicyUri { get; set; }
Property Value
ClientInfo.PostLogoutRedirectUris Property
Specifies the URIs where the user-agent can be redirected after logging out from the client application. This allows for a seamless user experience upon logout.
public System.Uri[] PostLogoutRedirectUris { get; set; }
Property Value
ClientInfo.RedirectUris Property
Specifies the URIs where the user-agent can be redirected after authorization. These URIs must be pre-registered and match the redirect URI provided in the authorization request.
public System.Uri[] RedirectUris { get; set; }
Property Value
ClientInfo.RefreshToken Property
Configures the behavior and properties of refresh tokens issued to this client, such as their expiration and renewal policies.
public Abblix.Oidc.Server.Common.Configuration.RefreshTokenOptions RefreshToken { get; set; }
Property Value
ClientInfo.RequestObjectEncryptionAlgorithm Property
Specifies the algorithm required for encrypting request objects sent to the authorization server.
public string? RequestObjectEncryptionAlgorithm { get; set; }
Property Value
ClientInfo.RequestObjectEncryptionMethod Property
Specifies the encryption method required for encrypting request objects sent to the authorization server.
public string? RequestObjectEncryptionMethod { get; set; }
Property Value
ClientInfo.RequestObjectSigningAlgorithm Property
Specifies the algorithm required for signing request objects sent to the authorization server.
public string? RequestObjectSigningAlgorithm { get; set; }
Property Value
ClientInfo.RequestUris Property
The list of allowed URI values to validate the request_uri parameter in authorization requests.
public System.Uri[] RequestUris { get; set; }
Property Value
Remarks
The request_uri parameter references a pre-hosted authorization request object.
This property specifies the valid URIs that can be included in the request_uri parameter.
By defining this list, the server ensures that only pre-approved and secure URIs are accepted,
mitigating risks such as unauthorized or malicious requests.
ClientInfo.RequireAuthTime Property
Indicates whether the authorization server must include the `auth_time` claim in the ID token.
public System.Nullable<bool> RequireAuthTime { get; set; }
Property Value
System.Nullable<System.Boolean>
ClientInfo.RequireDPoP Property
RFC 9449 §5.2 client metadata (dpop_bound_access_tokens): when true,
the client MUST present a valid DPoP proof on the token endpoint and the issued
access token will be DPoP-bound (cnf.jkt). When false, DPoP is
opportunistic — a valid proof still binds the token, otherwise a Bearer token is
issued.
public bool RequireDPoP { get; set; }
Property Value
ClientInfo.RequirePushedAuthorizationRequests Property
RFC 9126 §6 client metadata (require_pushed_authorization_requests): when true,
a pushed authorization request is the only way this client may start an authorization flow —
a request arriving at the authorization endpoint without a PAR-issued request URI is rejected
even when the server-wide requirement is off. FAPI-grade clients set this so a granular
server-side toggle cannot silently weaken them.
public bool RequirePushedAuthorizationRequests { get; set; }
Property Value
ClientInfo.RequireSignedRequestObject Property
RFC 9101 §10.5 client metadata (require_signed_request_object): when true,
this client must deliver its authorization request parameters as a signed request object
(via the request parameter or a pushed authorization request) — plain-parameter requests and
unsigned request objects are rejected.
public bool RequireSignedRequestObject { get; set; }
Property Value
ClientInfo.SectorIdentifier Property
Used in conjunction with pairwise subject identifiers to calculate the subject value returned to the client. This field is particularly relevant to ensuring user privacy by providing a different subject identifier to each client, even if it's the same end-user. It typically contains a URL or a unique identifier representing the client's sector.
public string? SectorIdentifier { get; set; }
Property Value
ClientInfo.SecurityProfile Property
The named security profile this client is held to. Fapi2
forces the FAPI 2.0 control bundle (PKCE restricted to S256, Pushed Authorization
Requests, sender-constrained tokens, code-only responses) on the client and prevents the
individual toggles above from weakening it. None is an
explicit opt-out that leaves the client governed by those individual toggles alone, overriding
any server-wide default. null (the default) means the client states no preference and
inherits DefaultSecurityProfile — which is
itself None unless the deployment sets a server-wide
profile, so existing clients are unaffected.
public System.Nullable<Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile> SecurityProfile { get; set; }
Property Value
System.Nullable<ClientSecurityProfile>
ClientInfo.SoftwareId Property
A unique identifier for the client software per RFC 7591 Section 2.
public string? SoftwareId { get; set; }
Property Value
ClientInfo.SoftwareVersion Property
A version identifier for the client software per RFC 7591 Section 2.
public string? SoftwareVersion { get; set; }
Property Value
ClientInfo.SubjectType Property
Specifies the subject identifier type requested by the client. This influences how the authorization server represents the authenticated user's identity to the client, affecting privacy and uniqueness across different clients. Common types include "public" and "pairwise".
public string? SubjectType { get; set; }
Property Value
ClientInfo.TermsOfServiceUri Property
A URL pointing to the client's terms of service, outlining the legal agreement between the user and the service provider.
public System.Uri? TermsOfServiceUri { get; set; }
Property Value
ClientInfo.TlsClientAuth Property
TLS client authentication metadata (RFC 8705) for tls_client_auth method.
public Abblix.Oidc.Server.Features.ClientInformation.TlsClientAuthOptions? TlsClientAuth { get; set; }
Property Value
ClientInfo.TlsClientCertificateBoundAccessTokens Property
RFC 8705 §3.4 client metadata (tls_client_certificate_bound_access_tokens): when
true, access tokens issued to this client are certificate-bound whenever the token
request arrives over mutual TLS — independently of the client authentication method, which
is what distinguishes this flag from the implicit binding the mTLS authentication methods
already get.
public bool TlsClientCertificateBoundAccessTokens { get; set; }
Property Value
ClientInfo.TokenEndpointAuthMethod Property
Describes how the client authenticates to the token endpoint per RFC 6749 §2.3 / OIDC Core §9.
Common values include client_secret_basic, client_secret_post, private_key_jwt,
client_secret_jwt, tls_client_auth (RFC 8705), and none (public clients).
Drives the value of ClientType.
public string TokenEndpointAuthMethod { get; set; }
Property Value
ClientInfo.TokenEndpointAuthSigningAlgorithm Property
Specifies the algorithm used to sign client authentication requests at the token endpoint.
public string? TokenEndpointAuthSigningAlgorithm { get; set; }
Property Value
ClientInfo.TokenExchangeAllowedAudiences Property
RFC 8693 §2.1 per-client allowlist of audience values this client may request when
exchanging a token. The requested audience is written into the issued token's aud
claim, so without a constraint a client could mint a token for any target service it names.
This allowlist is therefore <b>default-deny</b>, unlike the unconstrained-by-default
TokenExchangeAllowedSubjectTokenTypes:
nullor empty array: the client may not request anyaudience-- a Token Exchange request carrying one is rejected withinvalid_target.- Non-empty array: allowlist -- only the listed audience values are accepted;
any other is rejected with
invalid_target.
A request that omits audience is unaffected.
public string[]? TokenExchangeAllowedAudiences { get; set; }
Property Value
ClientInfo.TokenExchangeAllowedSubjectTokenTypes Property
RFC 8693 §2.1 per-client allowlist of subject_token_type URIs this client may submit
to the Token Exchange grant. Independent of AllowedGrantTypes -- a client must
have urn:ietf:params:oauth:grant-type:token-exchange in
AllowedGrantTypes to invoke the grant, and the requested
subject_token_type must additionally satisfy this allowlist.
null: no constraint (any of TokenExchangeTokenTypes the AS can validate is accepted).- Empty array: forbidden -- every Token Exchange request from this client is
rejected with
invalid_requestregardless ofsubject_token_type. - Non-empty array: allowlist -- only the listed type URIs are accepted; any other is rejected.
Mirrors the AuthorizationDetailsTypes tri-state pattern.
public string[]? TokenExchangeAllowedSubjectTokenTypes { get; set; }
Property Value
ClientInfo.UserInfoEncryptedResponseAlgorithm Property
Specifies the algorithm used to encrypt UserInfo responses returned to the client.
public string? UserInfoEncryptedResponseAlgorithm { get; set; }
Property Value
ClientInfo.UserInfoEncryptedResponseEncryption Property
Specifies the encryption method used to encrypt UserInfo responses returned to the client.
public string? UserInfoEncryptedResponseEncryption { get; set; }
Property Value
ClientInfo.UserInfoSignedResponseAlgorithm Property
Determines the algorithm used for signing responses from the UserInfo endpoint. This can enhance the security of transmitted user information.
public string UserInfoSignedResponseAlgorithm { get; set; }