SubjectTokenContext Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Features.TokenExchange
SubjectTokenContext Class
The portable state extracted by an ISubjectTokenResolver from a wire-level
subject_token. Independent of the token's on-wire format -- JWT-based resolvers parse
the payload, opaque-token resolvers recover the equivalent fields from a previously stored
grant. The TokenExchangeGrantHandler consumes this record to
synthesise the new AuthorizationContext and
AuthSession.
public sealed record SubjectTokenContext : System.IEquatable<Abblix.Oidc.Server.Features.TokenExchange.SubjectTokenContext>
Inheritance System.Object → SubjectTokenContext
Implements System.IEquatable<SubjectTokenContext>
Constructors
SubjectTokenContext(string, string, string[], JsonArray) Constructor
The portable state extracted by an ISubjectTokenResolver from a wire-level
subject_token. Independent of the token's on-wire format -- JWT-based resolvers parse
the payload, opaque-token resolvers recover the equivalent fields from a previously stored
grant. The TokenExchangeGrantHandler consumes this record to
synthesise the new AuthorizationContext and
AuthSession.
public SubjectTokenContext(string Subject, string? Issuer, string[]? Scope, System.Text.Json.Nodes.JsonArray? AuthorizationDetails);
Parameters
Subject System.String
The end-user identifier the subject_token represents (RFC 7519 sub
claim or its opaque-token equivalent). Required.
Issuer System.String
The party that issued the subject_token, used as the
IdentityProvider on the synthesised AuthSession. null when the resolver
cannot determine it (e.g. opaque tokens without an issuer field).
Scope System.String[]
Scopes the subject_token was granted. The grant handler intersects this
with any scope the client supplied in the exchange request (RFC 8693 §2.1 narrow
only -- never widen). null when the subject_token did not carry a scope claim.
AuthorizationDetails System.Text.Json.Nodes.JsonArray
RFC 9396 authorization_details attached to the
subject_token, raw System.Text.Json.Nodes.JsonArray so the byte-exact payload survives the exchange
into the issued token. null when the subject_token did not carry AD.
Properties
SubjectTokenContext.Act Property
RFC 8693 §4.1 act claim attached to the subject_token, captured as
a raw System.Text.Json.Nodes.JsonObject. When the exchange adds a new actor on top of a subject_token
that already had its own act chain, the grant handler nests this value under the new actor's
act member so the full delegation chain is preserved. null when the
subject_token was not itself a delegation token.
public System.Text.Json.Nodes.JsonObject? Act { get; init; }
Property Value
System.Text.Json.Nodes.JsonObject
SubjectTokenContext.AuthorizationDetails Property
RFC 9396 authorization_details attached to the
subject_token, raw System.Text.Json.Nodes.JsonArray so the byte-exact payload survives the exchange
into the issued token. null when the subject_token did not carry AD.
public System.Text.Json.Nodes.JsonArray? AuthorizationDetails { get; init; }
Property Value
System.Text.Json.Nodes.JsonArray
SubjectTokenContext.Issuer Property
The party that issued the subject_token, used as the
IdentityProvider on the synthesised AuthSession. null when the resolver
cannot determine it (e.g. opaque tokens without an issuer field).
public string? Issuer { get; init; }
Property Value
SubjectTokenContext.JwtTokenType Property
For JWT-formatted subject_tokens, the value of the JWS typ header (e.g. at+jwt,
id+jwt, rt+jwt). The grant handler uses this to detect cross-type confusion --
a JWT minted as an id_token presented under subject_token_type=access_token is
rejected even though both pass signature validation. null when the subject_token is
not a JWT or the typ header was absent.
public string? JwtTokenType { get; init; }
Property Value
SubjectTokenContext.OriginalClientId Property
The client_id the subject_token was originally issued to. The grant handler uses this
to detect cross-client exchange attempts (Client B presenting a token issued to Client A),
which is rejected by default to prevent a confused-deputy escalation. null when the
resolver cannot determine the original client (e.g. opaque tokens without a client_id field
or pre-cross-client-check tokens).
public string? OriginalClientId { get; init; }
Property Value
SubjectTokenContext.Scope Property
Scopes the subject_token was granted. The grant handler intersects this
with any scope the client supplied in the exchange request (RFC 8693 §2.1 narrow
only -- never widen). null when the subject_token did not carry a scope claim.
public string[]? Scope { get; init; }
Property Value
SubjectTokenContext.Subject Property
The end-user identifier the subject_token represents (RFC 7519 sub
claim or its opaque-token equivalent). Required.
public string Subject { get; init; }