SecurityProfileRequirements Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Features.ClientInformation
SecurityProfileRequirements Class
The bundle of controls a ClientSecurityProfile forces on a client, expressed as individual flags the request-pipeline validators consult. This is the single place the profile-to-controls mapping lives, so a validator never needs to know what "FAPI 2.0" means — it only reads the one flag it owns — and adding a future profile touches only Resolve(ClientSecurityProfile).
public sealed record SecurityProfileRequirements : System.IEquatable<Abblix.Oidc.Server.Features.ClientInformation.SecurityProfileRequirements>
Inheritance System.Object → SecurityProfileRequirements
Implements System.IEquatable<SecurityProfileRequirements>
Remarks
Each flag is enforcement-only: it can require a control but never relax one. A profile therefore
tightens a client and cannot weaken it, which is the invariant that lets a granular toggle (for
example PkceRequired set to false) coexist with a profile without
silently downgrading it.
Every flag below names the validator that enforces it. That coupling is documented here on purpose: the enforcement is distributed across the request pipeline, so a new flag added to a profile without a matching consumer would ship silently unenforced. When adding a flag, wire a validator that reads it and a test that proves the control fires.
Properties
SecurityProfileRequirements.RequireCodeResponseTypeOnly Property
The profile permits only the authorization-code response type, rejecting any implicit or
hybrid response type that returns a token or id_token from the authorization endpoint.
Enforced by Endpoints.Authorization.Validation.FlowTypeValidator at request time and
by SecurityProfileConsistency as a fail-loud registration/startup check.
public bool RequireCodeResponseTypeOnly { get; init; }
Property Value
SecurityProfileRequirements.RequirePkce Property
The profile mandates PKCE on every authorization request, even when the client's own
PkceRequired is false. Enforced by
Endpoints.Authorization.Validation.PkceValidator.
public bool RequirePkce { get; init; }
Property Value
SecurityProfileRequirements.RequirePushedAuthorizationRequests Property
The profile requires the client to start every authorization flow through a Pushed
Authorization Request, independent of the server-wide
RequirePushedAuthorizationRequests flag.
Enforced by Endpoints.Authorization.RequestFetching.PushedRequestFetcher.
public bool RequirePushedAuthorizationRequests { get; init; }
Property Value
SecurityProfileRequirements.RequireS256CodeChallenge Property
The profile restricts the PKCE code challenge method to exactly S256, rejecting both
plain and the non-standard S512 extension. FAPI 2.0 names S256, and the
IANA "PKCE Code Challenge Methods" registry defines only plain and S256, so a
conformance suite never presents S512. Enforced by
Endpoints.Authorization.Validation.PkceValidator.
public bool RequireS256CodeChallenge { get; init; }
Property Value
SecurityProfileRequirements.RequireSenderConstrainedTokens Property
The profile requires a sender-constrained access token, satisfied by either a DPoP proof
(RFC 9449) or a certificate-bound token over mutual TLS (RFC 8705 §3). Enforced by
Endpoints.Token.Validation.DPoPTokenEndpointValidator.
public bool RequireSenderConstrainedTokens { get; init; }
Property Value
SecurityProfileRequirements.RequireStrictRequestObjectProcessing Property
The profile requires strict RFC 9101 §6.3 request-object processing: only the parameters inside the
request object are used and any parameter passed outside it is ignored, instead of the OpenID Connect
Core §6.1 merge behaviour. FAPI 2.0 mandates JWT-Secured Authorization Requests with this exclusivity.
Enforced by Features.RequestObject.RequestObjectFetcher.
public bool RequireStrictRequestObjectProcessing { get; init; }
Property Value
Methods
SecurityProfileRequirements.Effective(Nullable<ClientSecurityProfile>, ClientSecurityProfile) Method
Resolves the profile that actually governs a client: the client's own SecurityProfile when it states one (including an explicit None opt-out), otherwise the server-wide default. A client therefore opts in or out individually, while a single-profile deployment sets the default once and every unprofiled client inherits it.
public static Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile Effective(System.Nullable<Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile> clientProfile, Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile defaultProfile);
Parameters
clientProfile System.Nullable<ClientSecurityProfile>
The profile stated on the client, or null when unset.
defaultProfile ClientSecurityProfile
The server-wide default profile to fall back to.
Returns
SecurityProfileRequirements.For(ClientInfo, ClientSecurityProfile) Method
Convenience entry point for the validators: resolves the effective profile for a client and returns its control bundle in one call.
public static Abblix.Oidc.Server.Features.ClientInformation.SecurityProfileRequirements For(Abblix.Oidc.Server.Features.ClientInformation.ClientInfo client, Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile defaultProfile);
Parameters
client ClientInfo
The client whose effective profile is being resolved.
defaultProfile ClientSecurityProfile
The server-wide default profile to fall back to.
Returns
SecurityProfileRequirements.Resolve(ClientSecurityProfile) Method
Returns the control bundle a given profile mandates.
public static Abblix.Oidc.Server.Features.ClientInformation.SecurityProfileRequirements Resolve(Abblix.Oidc.Server.Common.Constants.ClientSecurityProfile profile);