RefreshTokenSubjectTokenResolver Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Features.TokenExchange
RefreshTokenSubjectTokenResolver Class
ISubjectTokenResolver for the urn:ietf:params:oauth:token-type:refresh_token
subject type. Refresh tokens issued by this AS are JWT-formatted with typ=rt+jwt; the
resolver validates the JWT, enforces the typ header, and recovers the original
AuthorizedGrant via
AuthorizeByRefreshTokenAsync(JsonWebToken). The grant's subject, scope,
and authorization_details become the exchanged token's starting point.
public sealed class RefreshTokenSubjectTokenResolver : Abblix.Oidc.Server.Features.TokenExchange.ISubjectTokenResolver
Inheritance System.Object → RefreshTokenSubjectTokenResolver
Implements ISubjectTokenResolver
Remarks
Unlike JwtSubjectTokenResolver, this implementation also touches refresh-token storage -- the wire-level string by itself is not enough to recover the issued scope and AD, since the JWT's payload carries only the identifying minimum (jti, exp, sub). The lookup service additionally enforces single-use / rotation semantics in environments that opt in to refresh-token rotation, so a token already redeemed will reject here exactly as it would in the refresh_token grant.
Constructors
RefreshTokenSubjectTokenResolver(IAuthServiceJwtValidator, IRefreshTokenService) Constructor
ISubjectTokenResolver for the urn:ietf:params:oauth:token-type:refresh_token
subject type. Refresh tokens issued by this AS are JWT-formatted with typ=rt+jwt; the
resolver validates the JWT, enforces the typ header, and recovers the original
AuthorizedGrant via
AuthorizeByRefreshTokenAsync(JsonWebToken). The grant's subject, scope,
and authorization_details become the exchanged token's starting point.
public RefreshTokenSubjectTokenResolver(Abblix.Oidc.Server.Features.Tokens.Validation.IAuthServiceJwtValidator jwtValidator, Abblix.Oidc.Server.Features.Tokens.IRefreshTokenService refreshTokenService);
Parameters
jwtValidator IAuthServiceJwtValidator
Validates the refresh-token JWT's signature and lifetime.
refreshTokenService IRefreshTokenService
Resolves the JWT to the original authorised grant.
Remarks
Unlike JwtSubjectTokenResolver, this implementation also touches refresh-token storage -- the wire-level string by itself is not enough to recover the issued scope and AD, since the JWT's payload carries only the identifying minimum (jti, exp, sub). The lookup service additionally enforces single-use / rotation semantics in environments that opt in to refresh-token rotation, so a token already redeemed will reject here exactly as it would in the refresh_token grant.
Methods
RefreshTokenSubjectTokenResolver.ResolveAsync(string, CancellationToken) Method
Parses or looks up the wire-level subjectToken and returns the portable subject context on success, or an OidcError on failure.
public System.Threading.Tasks.Task<Abblix.Utils.Result<Abblix.Oidc.Server.Features.TokenExchange.SubjectTokenContext,Abblix.Oidc.Server.Common.OidcError>> ResolveAsync(string subjectToken, System.Threading.CancellationToken cancellationToken);
Parameters
subjectToken System.String
The exact subject_token string from the wire.
cancellationToken System.Threading.CancellationToken
Cancellation token.
Implements ResolveAsync(string, CancellationToken)
Returns
System.Threading.Tasks.Task<Abblix.Utils.Result<SubjectTokenContext,OidcError>>
The resolved subject context on success; an OIDC error describing the
rejection reason on failure. The handler maps every failure to wire-level
invalid_request per RFC 8693 §2.2.2.