| CachingSecureHttpFetcherDecorator | A decorator for ISecureHttpFetcher that adds caching capabilities. Caches successful responses for the configured duration to reduce network calls and improve performance. |
| ErrorFactory | A static factory class for creating OIDC error instances related to secure HTTP fetching operations. |
| SecureHttpFetcher | Securely fetches content from external URIs with SSRF protection. This class should be registered with AddHttpClient for proper HTTP client configuration. |
| SecureHttpFetcherExtensions | Provides reusable functionality for fetching JSON Web Key Sets (JWKS) from remote URIs with SSRF protection and consistent error handling. |
| SecureHttpFetchOptions | Configuration options for secure HTTP fetching with SSRF protection. |
| SecureUriValidator | Default ISecureUriValidator implementation: applies the scheme allow-list and the internal-hostname / private-or-reserved IP-literal rules from SecureHttpFetchOptions. |
| SsrfHttpClientServiceCollectionExtensions | Registers HTTP clients that initiate requests to client-supplied URLs (CIBA notification endpoints, back-channel logout URIs, JWKS/issuer fetches). Every such client must route through SsrfValidatingHttpMessageHandler; bundling the handler with the client registration makes it impossible to add a new outbound client that silently skips SSRF protection. |
| SsrfValidatingHttpMessageHandler | HTTP message handler that prevents SSRF attacks through comprehensive validation: 1. Hostname-based blocking (localhost, internal, .local TLDs, etc.) 2. DNS resolution and IP-based blocking (private ranges, loopback, link-local) 3. Re-validation immediately before HTTP request to prevent DNS rebinding (TOCTOU attacks) |