Skip to main content

ClientJwtEncryption Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Features.Tokens.Formatters

ClientJwtEncryption Class

The encryption policy a caller hands to ClientJwtFormatter when formatting a client-addressed JWT. It makes explicit which registered client metadata governs encryption, so the formatter no longer has to infer it from the token type. Each client-JWT class (UserInfo, ID token, JARM authorization response, introspection) supplies its own policy via the static factories below.

public sealed record ClientJwtEncryption : System.IEquatable<Abblix.Oidc.Server.Features.Tokens.Formatters.ClientJwtEncryption>

Inheritance System.Object → ClientJwtEncryption

Implements System.IEquatable<ClientJwtEncryption>

Constructors

ClientJwtEncryption(string, string, string, bool) Constructor

The encryption policy a caller hands to ClientJwtFormatter when formatting a client-addressed JWT. It makes explicit which registered client metadata governs encryption, so the formatter no longer has to infer it from the token type. Each client-JWT class (UserInfo, ID token, JARM authorization response, introspection) supplies its own policy via the static factories below.

public ClientJwtEncryption(string? KeyManagementAlgorithm, string? ContentEncryptionAlgorithm, string DefaultContentEncryptionAlgorithm, bool RequireRegisteredAlgorithm);

Parameters

KeyManagementAlgorithm System.String

The client's registered *_encrypted_response_alg, or null when the client did not register one.

ContentEncryptionAlgorithm System.String

The client's registered *_encrypted_response_enc, or null to fall back to DefaultContentEncryptionAlgorithm.

DefaultContentEncryptionAlgorithm System.String

The content-encryption algorithm to use when the client did not register one.

RequireRegisteredAlgorithm System.Boolean

When true the JWT is encrypted only if the client registered a key-management algorithm (and the client's encryption keys are not even resolved otherwise) — the JARM §2.2 / §3 opt-in rule. When false the JWT is encrypted whenever the client published encryption keys.

Properties

ClientJwtEncryption.ContentEncryptionAlgorithm Property

The client's registered *_encrypted_response_enc, or null to fall back to DefaultContentEncryptionAlgorithm.

public string? ContentEncryptionAlgorithm { get; init; }

Property Value

System.String

ClientJwtEncryption.DefaultContentEncryptionAlgorithm Property

The content-encryption algorithm to use when the client did not register one.

public string DefaultContentEncryptionAlgorithm { get; init; }

Property Value

System.String

ClientJwtEncryption.KeyManagementAlgorithm Property

The client's registered *_encrypted_response_alg, or null when the client did not register one.

public string? KeyManagementAlgorithm { get; init; }

Property Value

System.String

ClientJwtEncryption.RequireRegisteredAlgorithm Property

When true the JWT is encrypted only if the client registered a key-management algorithm (and the client's encryption keys are not even resolved otherwise) — the JARM §2.2 / §3 opt-in rule. When false the JWT is encrypted whenever the client published encryption keys.

public bool RequireRegisteredAlgorithm { get; init; }

Property Value

System.Boolean

Methods

ClientJwtEncryption.ForIdentityToken(ClientInfo, OidcOptions) Method

Policy for an ID token or logout token: encrypts whenever the client published encryption keys, using its id_token_encrypted_response_* metadata.

public static Abblix.Oidc.Server.Features.Tokens.Formatters.ClientJwtEncryption ForIdentityToken(Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo, Abblix.Oidc.Server.Common.Configuration.OidcOptions options);

Parameters

clientInfo ClientInfo
options OidcOptions

Returns

ClientJwtEncryption

ClientJwtEncryption.ForIntrospection(ClientInfo, OidcOptions) Method

Policy for a signed/encrypted token introspection response (RFC 9701): encrypts whenever the client published encryption keys, using its introspection_encrypted_response_* metadata.

public static Abblix.Oidc.Server.Features.Tokens.Formatters.ClientJwtEncryption ForIntrospection(Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo, Abblix.Oidc.Server.Common.Configuration.OidcOptions options);

Parameters

clientInfo ClientInfo
options OidcOptions

Returns

ClientJwtEncryption

ClientJwtEncryption.ForJarm(ClientInfo) Method

Policy for a JARM authorization response JWT: encrypts only when the client registered authorization_encrypted_response_alg (JARM §2.2 / §3 opt-in), defaulting the content-encryption to A128CBC-HS256 when authorization_encrypted_response_enc is omitted (JARM §3).

public static Abblix.Oidc.Server.Features.Tokens.Formatters.ClientJwtEncryption ForJarm(Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo);

Parameters

clientInfo ClientInfo

Returns

ClientJwtEncryption

ClientJwtEncryption.ForUserInfo(ClientInfo, OidcOptions) Method

Policy for a signed/encrypted UserInfo response (OIDC Core §5.3.2): encrypts whenever the client published encryption keys, using its userinfo_encrypted_response_* metadata.

public static Abblix.Oidc.Server.Features.Tokens.Formatters.ClientJwtEncryption ForUserInfo(Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo, Abblix.Oidc.Server.Common.Configuration.OidcOptions options);

Parameters

clientInfo ClientInfo
options OidcOptions

Returns

ClientJwtEncryption