| IAccessTokenService | Issues OAuth 2.0 access tokens as signed JWTs (RFC 9068 access-token format) and reverses the mapping by reconstructing the originating AuthSession and AuthorizationContext from the token's claims. |
| IIdentityTokenService | Issues OpenID Connect ID Tokens (OIDC Core §2 and §3.1.3.6) for authenticated end-users, embedding the standard claims of OIDC Core §5.1, the client's nonce, and where applicable the c_hash/at_hash binding claims (OIDC Core §3.1.3.6 and §3.2.2.10) that tie the ID Token to a co-issued authorization code or access token. |
| ILogoutTokenService | Issues OpenID Connect Back-Channel Logout tokens (OIDC Back-Channel Logout 1.0 §2.4): JWTs with an events claim containing the back-channel logout event URI, addressed to a specific RP and identifying the affected end-user via sub and/or sid. The nonce claim is prohibited per the specification. |
| IRefreshTokenService | Issues and consumes OAuth 2.0 refresh tokens (RFC 6749 §6) used to obtain renewed access tokens without re-prompting the user. Implementations apply the configured absolute and sliding expiration policies and may revoke the previous refresh token when reuse is disallowed. |