Skip to main content

SubjectTokenContext Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.TokenExchange

SubjectTokenContext Class

The portable state extracted by an ISubjectTokenResolver from a wire-level subject_token. Independent of the token's on-wire format -- JWT-based resolvers parse the payload, opaque-token resolvers recover the equivalent fields from a previously stored grant. The TokenExchangeGrantHandler consumes this record to synthesise the new AuthorizationContext and AuthSession.

public sealed record SubjectTokenContext : System.IEquatable<Abblix.Oidc.Server.Features.TokenExchange.SubjectTokenContext>

Inheritance System.Object → SubjectTokenContext

Implements System.IEquatable<SubjectTokenContext>

Constructors

SubjectTokenContext(string, string, string[], JsonArray) Constructor

The portable state extracted by an ISubjectTokenResolver from a wire-level subject_token. Independent of the token's on-wire format -- JWT-based resolvers parse the payload, opaque-token resolvers recover the equivalent fields from a previously stored grant. The TokenExchangeGrantHandler consumes this record to synthesise the new AuthorizationContext and AuthSession.

public SubjectTokenContext(string Subject, string? Issuer, string[]? Scope, System.Text.Json.Nodes.JsonArray? AuthorizationDetails);

Parameters

Subject System.String

The end-user identifier the subject_token represents (RFC 7519 sub claim or its opaque-token equivalent). Required.

Issuer System.String

The party that issued the subject_token, used as the IdentityProvider on the synthesised AuthSession. null when the resolver cannot determine it (e.g. opaque tokens without an issuer field).

Scope System.String[]

Scopes the subject_token was granted. The grant handler intersects this with any scope the client supplied in the exchange request (RFC 8693 §2.1 narrow only -- never widen). null when the subject_token did not carry a scope claim.

AuthorizationDetails System.Text.Json.Nodes.JsonArray

RFC 9396 authorization_details attached to the subject_token, raw System.Text.Json.Nodes.JsonArray so the byte-exact payload survives the exchange into the issued token. null when the subject_token did not carry AD.

Properties

SubjectTokenContext.Act Property

RFC 8693 §4.1 act claim attached to the subject_token, captured as a raw System.Text.Json.Nodes.JsonObject. When the exchange adds a new actor on top of a subject_token that already had its own act chain, the grant handler nests this value under the new actor's act member so the full delegation chain is preserved. null when the subject_token was not itself a delegation token.

public System.Text.Json.Nodes.JsonObject? Act { get; init; }

Property Value

System.Text.Json.Nodes.JsonObject

SubjectTokenContext.AuthorizationDetails Property

RFC 9396 authorization_details attached to the subject_token, raw System.Text.Json.Nodes.JsonArray so the byte-exact payload survives the exchange into the issued token. null when the subject_token did not carry AD.

public System.Text.Json.Nodes.JsonArray? AuthorizationDetails { get; init; }

Property Value

System.Text.Json.Nodes.JsonArray

SubjectTokenContext.Issuer Property

The party that issued the subject_token, used as the IdentityProvider on the synthesised AuthSession. null when the resolver cannot determine it (e.g. opaque tokens without an issuer field).

public string? Issuer { get; init; }

Property Value

System.String

SubjectTokenContext.JwtTokenType Property

For JWT-formatted subject_tokens, the value of the JWS typ header (e.g. at+jwt, id+jwt, rt+jwt). The grant handler uses this to detect cross-type confusion -- a JWT minted as an id_token presented under subject_token_type=access_token is rejected even though both pass signature validation. null when the subject_token is not a JWT or the typ header was absent.

public string? JwtTokenType { get; init; }

Property Value

System.String

SubjectTokenContext.OriginalClientId Property

The client_id the subject_token was originally issued to. The grant handler uses this to detect cross-client exchange attempts (Client B presenting a token issued to Client A), which is rejected by default to prevent a confused-deputy escalation. null when the resolver cannot determine the original client (e.g. opaque tokens without a client_id field or pre-cross-client-check tokens).

public string? OriginalClientId { get; init; }

Property Value

System.String

SubjectTokenContext.Scope Property

Scopes the subject_token was granted. The grant handler intersects this with any scope the client supplied in the exchange request (RFC 8693 §2.1 narrow only -- never widen). null when the subject_token did not carry a scope claim.

public string[]? Scope { get; init; }

Property Value

System.String[]

SubjectTokenContext.Subject Property

The end-user identifier the subject_token represents (RFC 7519 sub claim or its opaque-token equivalent). Required.

public string Subject { get; init; }

Property Value

System.String