Skip to main content

SecurityProfileRequirements Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.ClientInformation

SecurityProfileRequirements Class

The bundle of controls a ClientSecurityProfile forces on a client, expressed as individual flags the request-pipeline validators consult. This is the single place the profile-to-controls mapping lives, so a validator never needs to know what "FAPI 2.0" means — it only reads the one flag it owns — and adding a future profile touches only Resolve(ClientSecurityProfile).

public sealed record SecurityProfileRequirements : System.IEquatable<Abblix.Oidc.Server.Features.ClientInformation.SecurityProfileRequirements>

Inheritance System.Object → SecurityProfileRequirements

Implements System.IEquatable<SecurityProfileRequirements>

Remarks

Each flag is enforcement-only: it can require a control but never relax one. A profile therefore tightens a client and cannot weaken it, which is the invariant that lets a granular toggle (for example PkceRequired set to false) coexist with a profile without silently downgrading it.

Every flag below names the validator that enforces it. That coupling is documented here on purpose: the enforcement is distributed across the request pipeline, so a new flag added to a profile without a matching consumer would ship silently unenforced. When adding a flag, wire a validator that reads it and a test that proves the control fires.

Properties

SecurityProfileRequirements.RequireCodeResponseTypeOnly Property

The profile permits only the authorization-code response type, rejecting any implicit or hybrid response type that returns a token or id_token from the authorization endpoint. Enforced by Endpoints.Authorization.Validation.FlowTypeValidator at request time and by SecurityProfileConsistency as a fail-loud registration/startup check.

public bool RequireCodeResponseTypeOnly { get; init; }

Property Value

System.Boolean

SecurityProfileRequirements.RequirePkce Property

The profile mandates PKCE on every authorization request, even when the client's own PkceRequired is false. Enforced by Endpoints.Authorization.Validation.PkceValidator.

public bool RequirePkce { get; init; }

Property Value

System.Boolean

SecurityProfileRequirements.RequirePushedAuthorizationRequests Property

The profile requires the client to start every authorization flow through a Pushed Authorization Request, independent of the server-wide RequirePushedAuthorizationRequests flag. Enforced by Endpoints.Authorization.RequestFetching.PushedRequestFetcher.

public bool RequirePushedAuthorizationRequests { get; init; }

Property Value

System.Boolean

SecurityProfileRequirements.RequireS256CodeChallenge Property

The profile restricts the PKCE code challenge method to exactly S256, rejecting both plain and the non-standard S512 extension. FAPI 2.0 names S256, and the IANA "PKCE Code Challenge Methods" registry defines only plain and S256, so a conformance suite never presents S512. Enforced by Endpoints.Authorization.Validation.PkceValidator.

public bool RequireS256CodeChallenge { get; init; }

Property Value

System.Boolean

SecurityProfileRequirements.RequireSenderConstrainedTokens Property

The profile requires a sender-constrained access token, satisfied by either a DPoP proof (RFC 9449) or a certificate-bound token over mutual TLS (RFC 8705 §3). Enforced by Endpoints.Token.Validation.DPoPTokenEndpointValidator.

public bool RequireSenderConstrainedTokens { get; init; }

Property Value

System.Boolean

SecurityProfileRequirements.RequireStrictRequestObjectProcessing Property

The profile requires strict RFC 9101 §6.3 request-object processing: only the parameters inside the request object are used and any parameter passed outside it is ignored, instead of the OpenID Connect Core §6.1 merge behaviour. FAPI 2.0 mandates JWT-Secured Authorization Requests with this exclusivity. Enforced by Features.RequestObject.RequestObjectFetcher.

public bool RequireStrictRequestObjectProcessing { get; init; }

Property Value

System.Boolean

Methods

SecurityProfileRequirements.Effective(Nullable<ClientSecurityProfile>, ClientSecurityProfile) Method

Resolves the profile that actually governs a client: the client's own SecurityProfile when it states one (including an explicit None opt-out), otherwise the server-wide default. A client therefore opts in or out individually, while a single-profile deployment sets the default once and every unprofiled client inherits it.

public static Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile Effective(System.Nullable<Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile> clientProfile, Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile defaultProfile);

Parameters

clientProfile System.Nullable<ClientSecurityProfile>

The profile stated on the client, or null when unset.

defaultProfile ClientSecurityProfile

The server-wide default profile to fall back to.

Returns

ClientSecurityProfile

SecurityProfileRequirements.For(ClientInfo, ClientSecurityProfile) Method

Convenience entry point for the validators: resolves the effective profile for a client and returns its control bundle in one call.

public static Abblix.Oidc.Server.Features.ClientInformation.SecurityProfileRequirements For(Abblix.Oidc.Server.Features.ClientInformation.ClientInfo client, Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile defaultProfile);

Parameters

client ClientInfo

The client whose effective profile is being resolved.

defaultProfile ClientSecurityProfile

The server-wide default profile to fall back to.

Returns

SecurityProfileRequirements

SecurityProfileRequirements.Resolve(ClientSecurityProfile) Method

Returns the control bundle a given profile mandates.

public static Abblix.Oidc.Server.Features.ClientInformation.SecurityProfileRequirements Resolve(Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile profile);

Parameters

profile ClientSecurityProfile

Returns

SecurityProfileRequirements