ClientJwtEncryption Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Features.Tokens.Formatters
ClientJwtEncryption Class
The encryption policy a caller hands to ClientJwtFormatter when formatting a client-addressed JWT. It makes explicit which registered client metadata governs encryption, so the formatter no longer has to infer it from the token type. Each client-JWT class (UserInfo, ID token, JARM authorization response, introspection) supplies its own policy via the static factories below.
public sealed record ClientJwtEncryption : System.IEquatable<Abblix.Oidc.Server.Features.Tokens.Formatters.ClientJwtEncryption>
Inheritance System.Object → ClientJwtEncryption
Implements System.IEquatable<ClientJwtEncryption>
Constructors
ClientJwtEncryption(string, string, string, bool) Constructor
The encryption policy a caller hands to ClientJwtFormatter when formatting a client-addressed JWT. It makes explicit which registered client metadata governs encryption, so the formatter no longer has to infer it from the token type. Each client-JWT class (UserInfo, ID token, JARM authorization response, introspection) supplies its own policy via the static factories below.
public ClientJwtEncryption(string? KeyManagementAlgorithm, string? ContentEncryptionAlgorithm, string DefaultContentEncryptionAlgorithm, bool RequireRegisteredAlgorithm);
Parameters
KeyManagementAlgorithm System.String
The client's registered *_encrypted_response_alg, or null when
the client did not register one.
ContentEncryptionAlgorithm System.String
The client's registered *_encrypted_response_enc, or null
to fall back to DefaultContentEncryptionAlgorithm.
DefaultContentEncryptionAlgorithm System.String
The content-encryption algorithm to use when the client did not register one.
RequireRegisteredAlgorithm System.Boolean
When true the JWT is encrypted only if the client registered a
key-management algorithm (and the client's encryption keys are not even resolved otherwise) — the JARM §2.2 / §3
opt-in rule. When false the JWT is encrypted whenever the client published encryption keys.
Properties
ClientJwtEncryption.ContentEncryptionAlgorithm Property
The client's registered *_encrypted_response_enc, or null
to fall back to DefaultContentEncryptionAlgorithm.
public string? ContentEncryptionAlgorithm { get; init; }
Property Value
ClientJwtEncryption.DefaultContentEncryptionAlgorithm Property
The content-encryption algorithm to use when the client did not register one.
public string DefaultContentEncryptionAlgorithm { get; init; }
Property Value
ClientJwtEncryption.KeyManagementAlgorithm Property
The client's registered *_encrypted_response_alg, or null when
the client did not register one.
public string? KeyManagementAlgorithm { get; init; }
Property Value
ClientJwtEncryption.RequireRegisteredAlgorithm Property
When true the JWT is encrypted only if the client registered a
key-management algorithm (and the client's encryption keys are not even resolved otherwise) — the JARM §2.2 / §3
opt-in rule. When false the JWT is encrypted whenever the client published encryption keys.
public bool RequireRegisteredAlgorithm { get; init; }
Property Value
Methods
ClientJwtEncryption.ForIdentityToken(ClientInfo, OidcOptions) Method
Policy for an ID token or logout token: encrypts whenever the client published encryption keys, using its
id_token_encrypted_response_* metadata.
public static Abblix.Oidc.Server.Features.Tokens.Formatters.ClientJwtEncryption ForIdentityToken(Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo, Abblix.Oidc.Server.Common.Configuration.OidcOptions options);
Parameters
clientInfo ClientInfo
options OidcOptions
Returns
ClientJwtEncryption.ForIntrospection(ClientInfo, OidcOptions) Method
Policy for a signed/encrypted token introspection response (RFC 9701): encrypts whenever the client published
encryption keys, using its introspection_encrypted_response_* metadata.
public static Abblix.Oidc.Server.Features.Tokens.Formatters.ClientJwtEncryption ForIntrospection(Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo, Abblix.Oidc.Server.Common.Configuration.OidcOptions options);
Parameters
clientInfo ClientInfo
options OidcOptions
Returns
ClientJwtEncryption.ForJarm(ClientInfo) Method
Policy for a JARM authorization response JWT: encrypts only when the client registered
authorization_encrypted_response_alg (JARM §2.2 / §3 opt-in), defaulting the content-encryption to
A128CBC-HS256 when authorization_encrypted_response_enc is omitted (JARM §3).
public static Abblix.Oidc.Server.Features.Tokens.Formatters.ClientJwtEncryption ForJarm(Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo);
Parameters
clientInfo ClientInfo
Returns
ClientJwtEncryption.ForUserInfo(ClientInfo, OidcOptions) Method
Policy for a signed/encrypted UserInfo response (OIDC Core §5.3.2): encrypts whenever the client published
encryption keys, using its userinfo_encrypted_response_* metadata.
public static Abblix.Oidc.Server.Features.Tokens.Formatters.ClientJwtEncryption ForUserInfo(Abblix.Oidc.Server.Features.ClientInformation.ClientInfo clientInfo, Abblix.Oidc.Server.Common.Configuration.OidcOptions options);