ClientRegistrationRequest Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Model
ClientRegistrationRequest Class
Represents metadata for an OAuth2 client based on the OpenID Connect discovery specification.
public record ClientRegistrationRequest : System.IEquatable<Abblix.Oidc.Server.Model.ClientRegistrationRequest>
Inheritance System.Object → ClientRegistrationRequest
Implements System.IEquatable<ClientRegistrationRequest>
Remarks
See the OpenID Connect Registration specification at https://openid.net/specs/openid-connect-registration-1\_0.html.
Properties
ClientRegistrationRequest.ApplicationType Property
The application_type declared at registration (OIDC Dynamic Client Registration §2),
typically web or native. Influences allowed redirect URI schemes and other policy.
public string ApplicationType { get; init; }
Property Value
ClientRegistrationRequest.AuthorizationDetailsTypes Property
The authorization_details_types client metadata per RFC 9396 §5.1: the per-client
allowlist of authorization-detail type values this client may use in RAR requests.
Maps to AuthorizationDetailsTypes.
null means no per-client constraint; empty array means this client cannot use RAR.
public string[]? AuthorizationDetailsTypes { get; init; }
Property Value
ClientRegistrationRequest.AuthorizationEncryptedResponseAlg Property
The authorization_encrypted_response_alg (JARM §3): the JWE key-management algorithm the OP must
use when encrypting authorization responses for this client. When set, the signed response JWT is
additionally encrypted (a Nested JWT).
public string? AuthorizationEncryptedResponseAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.AuthorizationEncryptedResponseEnc Property
The authorization_encrypted_response_enc (JARM §3): the JWE content-encryption algorithm paired
with AuthorizationEncryptedResponseAlg for authorization responses to this client.
Defaults to A128CBC-HS256 when the encryption algorithm is set.
public string? AuthorizationEncryptedResponseEnc { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.AuthorizationHeader Property
The Authorization header from the HTTP request, used for initial access token validation per RFC 7591 Section 3. This is a transport-level property, not part of the registration metadata.
public System.Net.Http.Headers.AuthenticationHeaderValue? AuthorizationHeader { get; init; }
Property Value
System.Net.Http.Headers.AuthenticationHeaderValue
ClientRegistrationRequest.AuthorizationSignedResponseAlg Property
The authorization_signed_response_alg (JARM §3): the JWS algorithm the OP must use to sign
authorization responses packed into a JWT for this client. Defaults to RS256; none is
not permitted.
public string? AuthorizationSignedResponseAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.BackChannelAuthenticationRequestSigningAlg Property
The signing algorithm used for backchannel authentication requests sent to this client.
public string? BackChannelAuthenticationRequestSigningAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.BackChannelClientNotificationEndpoint Property
The endpoint where backchannel client notifications are sent for this client.
public System.Uri? BackChannelClientNotificationEndpoint { get; init; }
Property Value
ClientRegistrationRequest.BackChannelLogoutSessionRequired Property
The backchannel_logout_session_required flag: when true, the OP must include the
sid claim in the back-channel logout token so the client can identify the session being ended.
public System.Nullable<bool> BackChannelLogoutSessionRequired { get; init; }
Property Value
System.Nullable<System.Boolean>
ClientRegistrationRequest.BackChannelLogoutUri Property
The backchannel_logout_uri (OIDC Back-Channel Logout 1.0): an absolute URL at the client
that the OP calls server-to-server with a logout token to terminate the user's session at the client.
public System.Uri? BackChannelLogoutUri { get; init; }
Property Value
ClientRegistrationRequest.BackChannelTokenDeliveryMode Property
The backchannel token delivery mode to be used by this client. This determines how tokens are delivered during backchannel authentication.
public string? BackChannelTokenDeliveryMode { get; init; }
Property Value
ClientRegistrationRequest.BackChannelUserCodeParameter Property
Indicates whether the backchannel authentication process supports user codes for this client.
public bool BackChannelUserCodeParameter { get; init; }
Property Value
ClientRegistrationRequest.ClientId Property
A client-proposed client_id. Servers MAY ignore this and assign their own identifier;
when accepted, the value is echoed back in the registration response.
public string? ClientId { get; init; }
Property Value
ClientRegistrationRequest.ClientName Property
The client_name (RFC 7591 §2): a human-readable display name for the client, shown to end-users
on consent screens.
public string? ClientName { get; init; }
Property Value
ClientRegistrationRequest.ClientUri Property
The client_uri: an absolute URL of the client application's home page, shown to end-users
alongside ClientName.
public System.Uri? ClientUri { get; init; }
Property Value
ClientRegistrationRequest.Contacts Property
The contacts array (RFC 7591 §2): email addresses of people responsible for this client,
used for operational notifications by the authorization server.
public string[]? Contacts { get; init; }
Property Value
ClientRegistrationRequest.DefaultAcrValues Property
The default_acr_values: an ordered list of ACR values the OP should use as defaults for this
client when the authorization request omits acr_values.
public string[]? DefaultAcrValues { get; init; }
Property Value
ClientRegistrationRequest.DefaultMaxAge Property
The default_max_age (OIDC Dynamic Client Registration §2): the default maximum elapsed time
since the user's last authentication that the OP should honor for authorization requests from this
client. Serialized as an integer number of seconds.
public System.Nullable<System.TimeSpan> DefaultMaxAge { get; init; }
Property Value
System.Nullable<System.TimeSpan>
ClientRegistrationRequest.DpopBoundAccessTokens Property
The dpop_bound_access_tokens client metadata per RFC 9449 §5.2: when true,
access tokens issued to this client must be sender-constrained via DPoP (the server
will require a valid DPoP proof on every token request and bind cnf.jkt on
the issued token). Maps to RequireDPoP. When omitted, treated
as false per RFC 9449 §5.2.
public System.Nullable<bool> DpopBoundAccessTokens { get; init; }
Property Value
System.Nullable<System.Boolean>
ClientRegistrationRequest.FrontChannelLogoutSessionRequired Property
The frontchannel_logout_session_required flag: when true, the OP must append iss
and sid query parameters to FrontChannelLogoutUri so the client can target the
specific session being ended.
public System.Nullable<bool> FrontChannelLogoutSessionRequired { get; init; }
Property Value
System.Nullable<System.Boolean>
ClientRegistrationRequest.FrontChannelLogoutUri Property
The frontchannel_logout_uri (OIDC Front-Channel Logout 1.0): an absolute URL the OP renders
in an iframe inside its logout page so the client can clear its own session in the user agent.
public System.Uri? FrontChannelLogoutUri { get; init; }
Property Value
ClientRegistrationRequest.GrantTypes Property
The grant_types the client will request at the token endpoint per RFC 7591 §2,
for example authorization_code, refresh_token, or urn:openid:params:grant-type:ciba.
public string[] GrantTypes { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: grant handlers are an extensible set, and the registration pipeline already validates every requested grant against the union the server actually supports and advertises in its discovery document.
ClientRegistrationRequest.IdTokenEncryptedResponseAlg Property
The id_token_encrypted_response_alg: the JWE key-management algorithm the OP must use when
encrypting ID Tokens for this client.
public string? IdTokenEncryptedResponseAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.IdTokenEncryptedResponseEnc Property
The id_token_encrypted_response_enc: the JWE content-encryption algorithm paired with
IdTokenEncryptedResponseAlg for ID Tokens issued to this client.
public string? IdTokenEncryptedResponseEnc { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.IdTokenSignedResponseAlg Property
The id_token_signed_response_alg (OIDC Core §2): the JWS alg the OP must use to sign
ID Tokens issued to this client (e.g. RS256, ES256).
public string? IdTokenSignedResponseAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.InitiateLoginUri Property
The initiate_login_uri: an absolute URL the OP can call to initiate a login flow at the client,
for example to recover an interrupted session.
public System.Uri? InitiateLoginUri { get; init; }
Property Value
ClientRegistrationRequest.IntrospectionEncryptedResponseAlg Property
The introspection_encrypted_response_alg (RFC 9701): the JWE key-management algorithm the OP must use
when encrypting introspection responses for this client.
public string? IntrospectionEncryptedResponseAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.IntrospectionEncryptedResponseEnc Property
The introspection_encrypted_response_enc (RFC 9701): the JWE content-encryption algorithm paired with
IntrospectionEncryptedResponseAlg for introspection responses to this client.
public string? IntrospectionEncryptedResponseEnc { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.IntrospectionSignedResponseAlg Property
The introspection_signed_response_alg (RFC 9701): the JWS algorithm the OP must use when signing
introspection responses returned to this client. When omitted, introspection is returned as plain JSON.
public string? IntrospectionSignedResponseAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.Jwks Property
The inline jwks value: the client's JSON Web Key Set provided directly in registration metadata,
used as an alternative to JwksUri. Only one of the two may be provided per RFC 7591 §2.
public Abblix.Jwt.JsonWebKeySet? Jwks { get; init; }
Property Value
ClientRegistrationRequest.JwksUri Property
The jwks_uri: an absolute URL where the client publishes its JSON Web Key Set, used by the OP
to verify signed assertions and to encrypt content addressed to the client.
public System.Uri? JwksUri { get; init; }
Property Value
ClientRegistrationRequest.LogoUri Property
The logo_uri: an absolute URL of an image displayed to end-users alongside ClientName
during authentication and consent.
public System.Uri? LogoUri { get; init; }
Property Value
ClientRegistrationRequest.OfflineAccessAllowed Property
When true, the client is permitted to request the offline_access scope and receive
refresh tokens. Server extension to RFC 7591 metadata; defaults to true.
public System.Nullable<bool> OfflineAccessAllowed { get; init; }
Property Value
System.Nullable<System.Boolean>
ClientRegistrationRequest.PkceRequired Property
When true, this client must present a PKCE code_challenge on every authorization request
per RFC 7636. Server extension to RFC 7591 metadata; defaults to false.
public System.Nullable<bool> PkceRequired { get; init; }
Property Value
System.Nullable<System.Boolean>
ClientRegistrationRequest.PolicyUri Property
The policy_uri: an absolute URL the relying party provides describing how end-user
profile data is used.
public System.Uri? PolicyUri { get; init; }
Property Value
ClientRegistrationRequest.PostLogoutRedirectUris Property
The post_logout_redirect_uris (OIDC RP-Initiated Logout): the absolute URIs the OP may redirect
the user agent to after RP-initiated logout. Logout requests must specify a
post_logout_redirect_uri that exactly matches one of these.
public System.Uri[] PostLogoutRedirectUris { get; init; }
Property Value
ClientRegistrationRequest.RedirectUris Property
The redirect_uris array (RFC 7591 §2) listing every absolute URI the OP may use to deliver
authorization responses to this client. At least one entry is required, and authorization requests
must specify a redirect URI that exactly matches one of these values.
public System.Uri[] RedirectUris { get; init; }
Property Value
ClientRegistrationRequest.RequestObjectEncryptionAlg Property
The request_object_encryption_alg: the JWE key-management algorithm the client may use when
encrypting Request Objects sent to the OP.
public string? RequestObjectEncryptionAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.RequestObjectEncryptionEnc Property
The request_object_encryption_enc: the JWE content-encryption algorithm paired with
RequestObjectEncryptionAlg for Request Objects.
public string? RequestObjectEncryptionEnc { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.RequestObjectSigningAlg Property
The request_object_signing_alg: the JWS algorithm the client uses when signing Request Objects
(OIDC Core §6) sent to the authorization endpoint. none indicates an unsigned Request Object.
public string? RequestObjectSigningAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.RequestUris Property
The request_uris (OIDC Core §6.2): URIs that the OP may pre-fetch and cache for use as
request_uri values in authorization requests from this client.
public System.Uri[]? RequestUris { get; init; }
Property Value
ClientRegistrationRequest.RequireAuthTime Property
The require_auth_time flag: when true, the OP must always include the auth_time
claim in ID Tokens issued to this client.
public System.Nullable<bool> RequireAuthTime { get; init; }
Property Value
System.Nullable<System.Boolean>
ClientRegistrationRequest.RequirePushedAuthorizationRequests Property
The require_pushed_authorization_requests client metadata per RFC 9126 §6: when
true, pushed authorization requests are the only way this client may start an
authorization flow. Maps to
RequirePushedAuthorizationRequests.
When omitted, treated as false.
public System.Nullable<bool> RequirePushedAuthorizationRequests { get; init; }
Property Value
System.Nullable<System.Boolean>
ClientRegistrationRequest.RequireSignedRequestObject Property
The require_signed_request_object client metadata per RFC 9101 §10.5: when
true, the client must deliver its authorization request parameters as a signed
request object. Maps to
RequireSignedRequestObject.
When omitted, treated as false.
public System.Nullable<bool> RequireSignedRequestObject { get; init; }
Property Value
System.Nullable<System.Boolean>
ClientRegistrationRequest.ResponseTypes Property
The response_types the client intends to use (RFC 7591 §2). Each entry is itself a
space-separated combination of code, token, and/or id_token; the array therefore
represents the full set of response type combinations registered for this client.
public string[][] ResponseTypes { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: authorization response processors are registered per flow (the implicit flow is off by default), and the registration pipeline already validates every requested response type against the set the server actually supports and advertises in its discovery document.
ClientRegistrationRequest.Scope Property
A space-separated list of scope values the client will use per RFC 7591 Section 2.
public string[]? Scope { get; set; }
Property Value
ClientRegistrationRequest.SectorIdentifierUri Property
The sector_identifier_uri (OIDC Core §8.1): an absolute HTTPS URL whose host is used to compute
pairwise pseudonymous subject identifiers, allowing multiple registered redirect URIs to share the same
pairwise sector.
public System.Uri? SectorIdentifierUri { get; init; }
Property Value
ClientRegistrationRequest.SoftwareId Property
A unique identifier string assigned by the client developer or software publisher to identify the client software per RFC 7591 Section 2.
public string? SoftwareId { get; set; }
Property Value
ClientRegistrationRequest.SoftwareStatement Property
A digitally signed or MACed JWT that asserts metadata values about the client software, issued by a third-party software statement issuer per RFC 7591 Section 2.3.
public string? SoftwareStatement { get; set; }
Property Value
ClientRegistrationRequest.SoftwareVersion Property
A version identifier string for the client software per RFC 7591 Section 2.
public string? SoftwareVersion { get; set; }
Property Value
ClientRegistrationRequest.SubjectType Property
The subject_type (OIDC Core §8) requested for ID Token sub claim generation:
public (same identifier across clients) or pairwise (per-sector pseudonymous).
public string? SubjectType { get; init; }
Property Value
ClientRegistrationRequest.TermsOfServiceUri Property
The tos_uri: an absolute URL where the relying party publishes its terms of service.
public System.Uri? TermsOfServiceUri { get; init; }
Property Value
ClientRegistrationRequest.TlsClientAuthSanDns Property
Required DNS Subject Alternative Names for tls_client_auth.
public string[]? TlsClientAuthSanDns { get; init; }
Property Value
ClientRegistrationRequest.TlsClientAuthSanEmail Property
Required email Subject Alternative Names for tls_client_auth.
public string[]? TlsClientAuthSanEmail { get; init; }
Property Value
ClientRegistrationRequest.TlsClientAuthSanIp Property
Required IP Subject Alternative Names for tls_client_auth.
public string[]? TlsClientAuthSanIp { get; init; }
Property Value
ClientRegistrationRequest.TlsClientAuthSanUri Property
Required URI Subject Alternative Names for tls_client_auth.
public System.Uri[]? TlsClientAuthSanUri { get; init; }
Property Value
ClientRegistrationRequest.TlsClientAuthSubjectDn Property
Exact Subject Distinguished Name the client certificate must present when using tls_client_auth.
public string? TlsClientAuthSubjectDn { get; init; }
Property Value
ClientRegistrationRequest.TlsClientCertificateBoundAccessTokens Property
The tls_client_certificate_bound_access_tokens client metadata per RFC 8705 §3.4:
when true, access tokens issued to this client are certificate-bound whenever the
token request arrives over mutual TLS, independently of the authentication method. Maps to
TlsClientCertificateBoundAccessTokens.
When omitted, treated as false.
public System.Nullable<bool> TlsClientCertificateBoundAccessTokens { get; init; }
Property Value
System.Nullable<System.Boolean>
ClientRegistrationRequest.TokenEndpointAuthMethod Property
The token_endpoint_auth_method (RFC 7591 §2): the client authentication method used at the
token endpoint, such as client_secret_basic, client_secret_post, private_key_jwt,
tls_client_auth, or none.
public string TokenEndpointAuthMethod { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: client authenticators are an extensible set, and the registration pipeline already validates the value against the methods the server actually supports and announces in its discovery document.
ClientRegistrationRequest.TokenEndpointAuthSigningAlg Property
The token_endpoint_auth_signing_alg: the JWS algorithm the client uses when signing
authentication assertions for private_key_jwt or client_secret_jwt at the token endpoint.
public string? TokenEndpointAuthSigningAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.TokenExchangeAudiences Property
Non-standard extension: the per-client allowlist of RFC 8693 audience values this
client may request when exchanging a token. RFC 8693 does not standardise a registration
parameter for this, so the property is exposed under the non-standard
token_exchange_audiences name. Maps to
TokenExchangeAllowedAudiences.
Default-deny: null or empty means the client may not request any audience;
a non-empty array is the allowlist of accepted values.
public string[]? TokenExchangeAudiences { get; init; }
Property Value
ClientRegistrationRequest.TokenExchangeSubjectTokenTypes Property
Non-standard extension: the per-client allowlist of RFC 8693 subject_token_type URIs this
client may submit to the Token Exchange grant. RFC 8693 does not standardise a registration
parameter for this, so the property is exposed under the non-standard
token_exchange_subject_token_types name. Maps to
TokenExchangeAllowedSubjectTokenTypes.
null means no per-client constraint; empty array means the client cannot use
Token Exchange at all.
public string[]? TokenExchangeSubjectTokenTypes { get; init; }
Property Value
ClientRegistrationRequest.UserInfoEncryptedResponseAlg Property
The userinfo_encrypted_response_alg: the JWE key-management algorithm the OP must use when
encrypting UserInfo responses for this client.
public string? UserInfoEncryptedResponseAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.UserInfoEncryptedResponseEnc Property
The userinfo_encrypted_response_enc: the JWE content-encryption algorithm paired with
UserInfoEncryptedResponseAlg for UserInfo responses to this client.
public string? UserInfoEncryptedResponseEnc { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.
ClientRegistrationRequest.UserInfoSignedResponseAlg Property
The userinfo_signed_response_alg: the JWS algorithm the OP must use when signing UserInfo
responses returned to this client. When omitted, UserInfo is returned as plain JSON.
public string? UserInfoSignedResponseAlg { get; init; }
Property Value
Remarks
Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.