Skip to main content

JwtBearerIssuerProvider Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.JwtBearer

JwtBearerIssuerProvider Class

Default implementation of IJwtBearerIssuerProvider that loads trusted issuers from JwtBearer configuration, fetches JWKS with SSRF protection, and provides JWT replay protection.

public class JwtBearerIssuerProvider : Abblix.Oidc.Server.Features.JwtBearer.IJwtBearerIssuerProvider

Inheritance System.Object → JwtBearerIssuerProvider

Implements IJwtBearerIssuerProvider

Constructors

JwtBearerIssuerProvider(ILogger<JwtBearerIssuerProvider>, IOptionsMonitor<OidcOptions>, IJwtReplayCache, ISecureHttpFetcher) Constructor

Default implementation of IJwtBearerIssuerProvider that loads trusted issuers from JwtBearer configuration, fetches JWKS with SSRF protection, and provides JWT replay protection.

public JwtBearerIssuerProvider(Microsoft.Extensions.Logging.ILogger<Abblix.Oidc.Server.Features.JwtBearer.JwtBearerIssuerProvider> logger, Microsoft.Extensions.Options.IOptionsMonitor<Abblix.Oidc.Server.Common.Configuration.OidcOptions> oidcOptions, Abblix.Oidc.Server.Features.ReplayPrevention.IJwtReplayCache replayCache, Abblix.Oidc.Server.Features.SecureHttpFetch.ISecureHttpFetcher secureFetcher);

Parameters

logger Microsoft.Extensions.Logging.ILogger<JwtBearerIssuerProvider>

Logger for recording JWKS fetch operations and errors.

oidcOptions Microsoft.Extensions.Options.IOptionsMonitor<OidcOptions>

OIDC configuration options containing JWT Bearer trusted issuers.

replayCache IJwtReplayCache

Cache for JWT replay protection per RFC 7523 Section 5.2.

secureFetcher ISecureHttpFetcher

HTTP fetcher with SSRF protection and JWKS caching.

Fields

JwtBearerIssuerProvider.SecureHttpFetcherKey Field

The keyed service key used to resolve the caching ISecureHttpFetcher for JWKS fetching.

public const string SecureHttpFetcherKey = "JwtBearerJwks";

Field Value

System.String

Properties

JwtBearerIssuerProvider.Options Property

Gets the JWT Bearer configuration options.

public Abblix.Oidc.Server.Common.Configuration.JwtBearerOptions Options { get; }

Implements Options

Property Value

JwtBearerOptions

Methods

JwtBearerIssuerProvider.GetSigningKeysAsync(string) Method

Resolves the signing keys for a trusted issuer by fetching the JWKS from the configured JWKS URI with SSRF (Server-Side Request Forgery) protection.

public System.Collections.Generic.IAsyncEnumerable<Abblix.Jwt.JsonWebKey> GetSigningKeysAsync(string issuer);

Parameters

issuer System.String

The issuer identifier from the JWT's 'iss' claim.

Implements GetSigningKeysAsync(string)

Returns

System.Collections.Generic.IAsyncEnumerable<JsonWebKey>
An async enumerable of JSON Web Keys from the issuer's JWKS endpoint. Returns empty if the issuer is not trusted or if fetching JWKS fails.

Remarks

This implementation: - Looks up the issuer in the trusted issuers configuration - Fetches the JWKS from the configured JwksUri using ISecureHttpFetcher (SSRF protected) - JWKS responses are cached according to JwksCacheDuration - Filters keys to return only those suitable for signature verification - Logs warnings if JWKS fetching fails

JwtBearerIssuerProvider.GetTrustedIssuerAsync(string) Method

Gets the full configuration for a trusted issuer.

public System.Threading.Tasks.Task<Abblix.Oidc.Server.Common.Configuration.TrustedIssuer?> GetTrustedIssuerAsync(string issuer);

Parameters

issuer System.String

The issuer identifier from the JWT's 'iss' claim.

Implements GetTrustedIssuerAsync(string)

Returns

System.Threading.Tasks.Task<TrustedIssuer>
A task that completes with the trusted issuer configuration if found; null if not trusted.

JwtBearerIssuerProvider.IsReplayedAsync(string, Nullable<DateTimeOffset>) Method

Atomically records the JWT's JTI for replay protection and reports whether it had already been recorded. The entry is kept until the assertion's own expiration, so a JWT cannot be replayed for any part of its validity window.

public System.Threading.Tasks.Task<bool> IsReplayedAsync(string jti, System.Nullable<System.DateTimeOffset> expiresAt);

Parameters

jti System.String

The JWT ID (jti claim) to reserve.

expiresAt System.Nullable<System.DateTimeOffset>

The assertion's expiration; bounds how long the JTI is remembered.

Implements IsReplayedAsync(string, Nullable<DateTimeOffset>)

Returns

System.Threading.Tasks.Task<System.Boolean>
True if this JTI was already recorded (a replay); false if it was recorded just now.

JwtBearerIssuerProvider.IsTrustedIssuerAsync(string) Method

Determines whether the specified issuer is trusted for JWT Bearer assertions. Checks against the configured list of trusted issuers in JwtBearer.

public System.Threading.Tasks.Task<bool> IsTrustedIssuerAsync(string issuer);

Parameters

issuer System.String

The issuer identifier from the JWT's 'iss' claim.

Implements IsTrustedIssuerAsync(string)

Returns

System.Threading.Tasks.Task<System.Boolean>
A task that completes with true if the issuer is in the trusted issuers list; otherwise, false.