IAuthorizationDetailsPolicy Interface
Abblix.Oidc.Server
Abblix.Oidc.Server.Features.RichAuthorizationRequests
IAuthorizationDetailsPolicy Interface
Single request-time entry point for the RFC 9396 authorization_details policy: per-client allowlist (§5.1) plus per-type composite dispatch (§5). Endpoint-side adapters delegate here so /authorize, /par, CIBA and device-flow share one policy source.
public interface IAuthorizationDetailsPolicy
Remarks
Registered unconditionally by AddRichAuthorizationRequests(this IServiceCollection) so the server boots cleanly with zero IAuthorizationDetailValidator implementations registered. Per RFC 9396 §5 (the AS MUST refuse unknown types), an empty registry rejects every RAR-bearing request — this is conformance-mandatory, not a configurable policy.
Methods
IAuthorizationDetailsPolicy.ApplyAsync(JsonArray, ClientInfo, CancellationToken) Method
Full RFC 9396 §5 + §5.1 request-time validation entry point. Takes the raw authorization_details array as it landed on the wire, applies the per-client allowlist, dispatches each typed entry to its keyed IAuthorizationDetailValidator, and returns the validated raw array for the pipeline to forward.
System.Threading.Tasks.Task<Abblix.Utils.Result<System.Text.Json.Nodes.JsonArray?,Abblix.Oidc.Server.Common.OidcError>> ApplyAsync(System.Text.Json.Nodes.JsonArray? raw, Abblix.Oidc.Server.Features.ClientInformation.ClientInfo client, System.Threading.CancellationToken token);
Parameters
raw System.Text.Json.Nodes.JsonArray
The raw authorization_details array off the wire, or
null / empty when the request did not carry one.
client ClientInfo
The authenticated client; AuthorizationDetailsTypes drives the allowlist branch.
token System.Threading.CancellationToken
Cancellation token forwarded to per-type validators.
Returns
System.Threading.Tasks.Task<Abblix.Utils.Result<System.Text.Json.Nodes.JsonArray,OidcError>>
On success — the raw System.Text.Json.Nodes.JsonArray that survived validation (or null
when the input was null / empty / contained no typed entries — there is nothing to
forward in that case). On failure — a fully-formed OidcError with
error = invalid_authorization_details (RFC 9396 §5) and the rejection
description; the endpoint adapter forwards it as-is when its error type is
OidcError, or re-wraps the description otherwise.
Remarks
The returned System.Text.Json.Nodes.JsonArray reflects the post-validation set: when per-type
validators leave their inputs untouched it is byte-equivalent to the input, but when
a validator narrows / extends per RFC 9396 §5 (e.g. a consent-UI slider, an AS-policy
cap, or canonicalisation), the mutation surfaces here and the pipeline forwards the
post-validation shape into AuthorizationContext — token emission reflects what
was actually granted, not the original request.