Skip to main content

IAuthorizationDetailsPolicy Interface

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.RichAuthorizationRequests

IAuthorizationDetailsPolicy Interface

Single request-time entry point for the RFC 9396 authorization_details policy: per-client allowlist (§5.1) plus per-type composite dispatch (§5). Endpoint-side adapters delegate here so /authorize, /par, CIBA and device-flow share one policy source.

public interface IAuthorizationDetailsPolicy

Remarks

Registered unconditionally by AddRichAuthorizationRequests(this IServiceCollection) so the server boots cleanly with zero IAuthorizationDetailValidator implementations registered. Per RFC 9396 §5 (the AS MUST refuse unknown types), an empty registry rejects every RAR-bearing request — this is conformance-mandatory, not a configurable policy.

Methods

IAuthorizationDetailsPolicy.ApplyAsync(JsonArray, ClientInfo, CancellationToken) Method

Full RFC 9396 §5 + §5.1 request-time validation entry point. Takes the raw authorization_details array as it landed on the wire, applies the per-client allowlist, dispatches each typed entry to its keyed IAuthorizationDetailValidator, and returns the validated raw array for the pipeline to forward.

System.Threading.Tasks.Task<Abblix.Utils.Result<System.Text.Json.Nodes.JsonArray?,Abblix.Oidc.Server.Common.OidcError>> ApplyAsync(System.Text.Json.Nodes.JsonArray? raw, Abblix.Oidc.Server.Features.ClientInformation.ClientInfo client, System.Threading.CancellationToken token);

Parameters

raw System.Text.Json.Nodes.JsonArray

The raw authorization_details array off the wire, or null / empty when the request did not carry one.

client ClientInfo

The authenticated client; AuthorizationDetailsTypes drives the allowlist branch.

token System.Threading.CancellationToken

Cancellation token forwarded to per-type validators.

Returns

System.Threading.Tasks.Task<Abblix.Utils.Result<System.Text.Json.Nodes.JsonArray,OidcError>>
On success — the raw System.Text.Json.Nodes.JsonArray that survived validation (or null when the input was null / empty / contained no typed entries — there is nothing to forward in that case). On failure — a fully-formed OidcError with error = invalid_authorization_details (RFC 9396 §5) and the rejection description; the endpoint adapter forwards it as-is when its error type is OidcError, or re-wraps the description otherwise.

Remarks

The returned System.Text.Json.Nodes.JsonArray reflects the post-validation set: when per-type validators leave their inputs untouched it is byte-equivalent to the input, but when a validator narrows / extends per RFC 9396 §5 (e.g. a consent-UI slider, an AS-policy cap, or canonicalisation), the mutation surfaces here and the pipeline forwards the post-validation shape into AuthorizationContext — token emission reflects what was actually granted, not the original request.