Skip to main content

Abblix.Oidc.Server.Features.SecureHttpFetch Namespace

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.SecureHttpFetch Namespace

Classes
CachingSecureHttpFetcherDecoratorA decorator for ISecureHttpFetcher that adds caching capabilities. Caches successful responses for the configured duration to reduce network calls and improve performance.
ErrorFactoryA static factory class for creating OIDC error instances related to secure HTTP fetching operations.
SecureHttpFetcherSecurely fetches content from external URIs with SSRF protection. This class should be registered with AddHttpClient for proper HTTP client configuration.
SecureHttpFetcherExtensionsProvides reusable functionality for fetching JSON Web Key Sets (JWKS) from remote URIs with SSRF protection and consistent error handling.
SecureHttpFetchOptionsConfiguration options for secure HTTP fetching with SSRF protection.
SecureUriValidatorDefault ISecureUriValidator implementation: applies the scheme allow-list and the internal-hostname / private-or-reserved IP-literal rules from SecureHttpFetchOptions.
SsrfHttpClientServiceCollectionExtensionsRegisters HTTP clients that initiate requests to client-supplied URLs (CIBA notification endpoints, back-channel logout URIs, JWKS/issuer fetches). Every such client must route through SsrfValidatingHttpMessageHandler; bundling the handler with the client registration makes it impossible to add a new outbound client that silently skips SSRF protection.
SsrfValidatingHttpMessageHandlerHTTP message handler that prevents SSRF attacks through comprehensive validation: 1. Hostname-based blocking (localhost, internal, .local TLDs, etc.) 2. DNS resolution and IP-based blocking (private ranges, loopback, link-local) 3. Re-validation immediately before HTTP request to prevent DNS rebinding (TOCTOU attacks)
Interfaces
ISecureHttpFetcherDefines a contract for securely fetching content from external URIs with SSRF protection.
ISecureUriValidatorApplies the synchronous portion of the SSRF policy (scheme allow-list, internal-hostname and private/reserved IP-literal blocking) configured by SecureHttpFetchOptions to a URI. Used both by the outbound HTTP handler immediately before a request and at registration time to reject client-supplied URIs the server would later fetch (e.g. a back-channel logout endpoint).