Skip to main content

RefreshTokenSubjectTokenResolver Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.TokenExchange

RefreshTokenSubjectTokenResolver Class

ISubjectTokenResolver for the urn:ietf:params:oauth:token-type:refresh_token subject type. Refresh tokens issued by this AS are JWT-formatted with typ=rt+jwt; the resolver validates the JWT, enforces the typ header, and recovers the original AuthorizedGrant via AuthorizeByRefreshTokenAsync(JsonWebToken). The grant's subject, scope, and authorization_details become the exchanged token's starting point.

public sealed class RefreshTokenSubjectTokenResolver : Abblix.Oidc.Server.Features.TokenExchange.ISubjectTokenResolver

Inheritance System.Object → RefreshTokenSubjectTokenResolver

Implements ISubjectTokenResolver

Remarks

Unlike JwtSubjectTokenResolver, this implementation also touches refresh-token storage -- the wire-level string by itself is not enough to recover the issued scope and AD, since the JWT's payload carries only the identifying minimum (jti, exp, sub). The lookup service additionally enforces single-use / rotation semantics in environments that opt in to refresh-token rotation, so a token already redeemed will reject here exactly as it would in the refresh_token grant.

Constructors

RefreshTokenSubjectTokenResolver(IAuthServiceJwtValidator, IRefreshTokenService) Constructor

ISubjectTokenResolver for the urn:ietf:params:oauth:token-type:refresh_token subject type. Refresh tokens issued by this AS are JWT-formatted with typ=rt+jwt; the resolver validates the JWT, enforces the typ header, and recovers the original AuthorizedGrant via AuthorizeByRefreshTokenAsync(JsonWebToken). The grant's subject, scope, and authorization_details become the exchanged token's starting point.

public RefreshTokenSubjectTokenResolver(Abblix.Oidc.Server.Features.Tokens.Validation.IAuthServiceJwtValidator jwtValidator, Abblix.Oidc.Server.Features.Tokens.IRefreshTokenService refreshTokenService);

Parameters

jwtValidator IAuthServiceJwtValidator

Validates the refresh-token JWT's signature and lifetime.

refreshTokenService IRefreshTokenService

Resolves the JWT to the original authorised grant.

Remarks

Unlike JwtSubjectTokenResolver, this implementation also touches refresh-token storage -- the wire-level string by itself is not enough to recover the issued scope and AD, since the JWT's payload carries only the identifying minimum (jti, exp, sub). The lookup service additionally enforces single-use / rotation semantics in environments that opt in to refresh-token rotation, so a token already redeemed will reject here exactly as it would in the refresh_token grant.

Methods

RefreshTokenSubjectTokenResolver.ResolveAsync(string, CancellationToken) Method

Parses or looks up the wire-level subjectToken and returns the portable subject context on success, or an OidcError on failure.

public System.Threading.Tasks.Task<Abblix.Utils.Result<Abblix.Oidc.Server.Features.TokenExchange.SubjectTokenContext,Abblix.Oidc.Server.Common.OidcError>> ResolveAsync(string subjectToken, System.Threading.CancellationToken cancellationToken);

Parameters

subjectToken System.String

The exact subject_token string from the wire.

cancellationToken System.Threading.CancellationToken

Cancellation token.

Implements ResolveAsync(string, CancellationToken)

Returns

System.Threading.Tasks.Task<Abblix.Utils.Result<SubjectTokenContext,OidcError>>
The resolved subject context on success; an OIDC error describing the rejection reason on failure. The handler maps every failure to wire-level invalid_request per RFC 8693 §2.2.2.