Skip to main content

ClientRegistrationRequest Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Model

ClientRegistrationRequest Class

Represents metadata for an OAuth2 client based on the OpenID Connect discovery specification.

public record ClientRegistrationRequest : System.IEquatable<Abblix.Oidc.Server.Model.ClientRegistrationRequest>

Inheritance System.Object → ClientRegistrationRequest

Implements System.IEquatable<ClientRegistrationRequest>

Remarks

See the OpenID Connect Registration specification at https://openid.net/specs/openid-connect-registration-1\_0.html.

Properties

ClientRegistrationRequest.ApplicationType Property

The application_type declared at registration (OIDC Dynamic Client Registration §2), typically web or native. Influences allowed redirect URI schemes and other policy.

public string ApplicationType { get; init; }

Property Value

System.String

ClientRegistrationRequest.AuthorizationDetailsTypes Property

The authorization_details_types client metadata per RFC 9396 §5.1: the per-client allowlist of authorization-detail type values this client may use in RAR requests. Maps to AuthorizationDetailsTypes. null means no per-client constraint; empty array means this client cannot use RAR.

public string[]? AuthorizationDetailsTypes { get; init; }

Property Value

System.String[]

ClientRegistrationRequest.AuthorizationEncryptedResponseAlg Property

The authorization_encrypted_response_alg (JARM §3): the JWE key-management algorithm the OP must use when encrypting authorization responses for this client. When set, the signed response JWT is additionally encrypted (a Nested JWT).

public string? AuthorizationEncryptedResponseAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.AuthorizationEncryptedResponseEnc Property

The authorization_encrypted_response_enc (JARM §3): the JWE content-encryption algorithm paired with AuthorizationEncryptedResponseAlg for authorization responses to this client. Defaults to A128CBC-HS256 when the encryption algorithm is set.

public string? AuthorizationEncryptedResponseEnc { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.AuthorizationHeader Property

The Authorization header from the HTTP request, used for initial access token validation per RFC 7591 Section 3. This is a transport-level property, not part of the registration metadata.

public System.Net.Http.Headers.AuthenticationHeaderValue? AuthorizationHeader { get; init; }

Property Value

System.Net.Http.Headers.AuthenticationHeaderValue

ClientRegistrationRequest.AuthorizationSignedResponseAlg Property

The authorization_signed_response_alg (JARM §3): the JWS algorithm the OP must use to sign authorization responses packed into a JWT for this client. Defaults to RS256; none is not permitted.

public string? AuthorizationSignedResponseAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.BackChannelAuthenticationRequestSigningAlg Property

The signing algorithm used for backchannel authentication requests sent to this client.

public string? BackChannelAuthenticationRequestSigningAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.BackChannelClientNotificationEndpoint Property

The endpoint where backchannel client notifications are sent for this client.

public System.Uri? BackChannelClientNotificationEndpoint { get; init; }

Property Value

System.Uri

ClientRegistrationRequest.BackChannelLogoutSessionRequired Property

The backchannel_logout_session_required flag: when true, the OP must include the sid claim in the back-channel logout token so the client can identify the session being ended.

public System.Nullable<bool> BackChannelLogoutSessionRequired { get; init; }

Property Value

System.Nullable<System.Boolean>

ClientRegistrationRequest.BackChannelLogoutUri Property

The backchannel_logout_uri (OIDC Back-Channel Logout 1.0): an absolute URL at the client that the OP calls server-to-server with a logout token to terminate the user's session at the client.

public System.Uri? BackChannelLogoutUri { get; init; }

Property Value

System.Uri

ClientRegistrationRequest.BackChannelTokenDeliveryMode Property

The backchannel token delivery mode to be used by this client. This determines how tokens are delivered during backchannel authentication.

public string? BackChannelTokenDeliveryMode { get; init; }

Property Value

System.String

ClientRegistrationRequest.BackChannelUserCodeParameter Property

Indicates whether the backchannel authentication process supports user codes for this client.

public bool BackChannelUserCodeParameter { get; init; }

Property Value

System.Boolean

ClientRegistrationRequest.ClientId Property

A client-proposed client_id. Servers MAY ignore this and assign their own identifier; when accepted, the value is echoed back in the registration response.

public string? ClientId { get; init; }

Property Value

System.String

ClientRegistrationRequest.ClientName Property

The client_name (RFC 7591 §2): a human-readable display name for the client, shown to end-users on consent screens.

public string? ClientName { get; init; }

Property Value

System.String

ClientRegistrationRequest.ClientUri Property

The client_uri: an absolute URL of the client application's home page, shown to end-users alongside ClientName.

public System.Uri? ClientUri { get; init; }

Property Value

System.Uri

ClientRegistrationRequest.Contacts Property

The contacts array (RFC 7591 §2): email addresses of people responsible for this client, used for operational notifications by the authorization server.

public string[]? Contacts { get; init; }

Property Value

System.String[]

ClientRegistrationRequest.DefaultAcrValues Property

The default_acr_values: an ordered list of ACR values the OP should use as defaults for this client when the authorization request omits acr_values.

public string[]? DefaultAcrValues { get; init; }

Property Value

System.String[]

ClientRegistrationRequest.DefaultMaxAge Property

The default_max_age (OIDC Dynamic Client Registration §2): the default maximum elapsed time since the user's last authentication that the OP should honor for authorization requests from this client. Serialized as an integer number of seconds.

public System.Nullable<System.TimeSpan> DefaultMaxAge { get; init; }

Property Value

System.Nullable<System.TimeSpan>

ClientRegistrationRequest.DpopBoundAccessTokens Property

The dpop_bound_access_tokens client metadata per RFC 9449 §5.2: when true, access tokens issued to this client must be sender-constrained via DPoP (the server will require a valid DPoP proof on every token request and bind cnf.jkt on the issued token). Maps to RequireDPoP. When omitted, treated as false per RFC 9449 §5.2.

public System.Nullable<bool> DpopBoundAccessTokens { get; init; }

Property Value

System.Nullable<System.Boolean>

ClientRegistrationRequest.FrontChannelLogoutSessionRequired Property

The frontchannel_logout_session_required flag: when true, the OP must append iss and sid query parameters to FrontChannelLogoutUri so the client can target the specific session being ended.

public System.Nullable<bool> FrontChannelLogoutSessionRequired { get; init; }

Property Value

System.Nullable<System.Boolean>

ClientRegistrationRequest.FrontChannelLogoutUri Property

The frontchannel_logout_uri (OIDC Front-Channel Logout 1.0): an absolute URL the OP renders in an iframe inside its logout page so the client can clear its own session in the user agent.

public System.Uri? FrontChannelLogoutUri { get; init; }

Property Value

System.Uri

ClientRegistrationRequest.GrantTypes Property

The grant_types the client will request at the token endpoint per RFC 7591 §2, for example authorization_code, refresh_token, or urn:openid:params:grant-type:ciba.

public string[] GrantTypes { get; init; }

Property Value

System.String[]

Remarks

Deliberately not constrained by a declarative value list: grant handlers are an extensible set, and the registration pipeline already validates every requested grant against the union the server actually supports and advertises in its discovery document.

ClientRegistrationRequest.IdTokenEncryptedResponseAlg Property

The id_token_encrypted_response_alg: the JWE key-management algorithm the OP must use when encrypting ID Tokens for this client.

public string? IdTokenEncryptedResponseAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.IdTokenEncryptedResponseEnc Property

The id_token_encrypted_response_enc: the JWE content-encryption algorithm paired with IdTokenEncryptedResponseAlg for ID Tokens issued to this client.

public string? IdTokenEncryptedResponseEnc { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.IdTokenSignedResponseAlg Property

The id_token_signed_response_alg (OIDC Core §2): the JWS alg the OP must use to sign ID Tokens issued to this client (e.g. RS256, ES256).

public string? IdTokenSignedResponseAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.InitiateLoginUri Property

The initiate_login_uri: an absolute URL the OP can call to initiate a login flow at the client, for example to recover an interrupted session.

public System.Uri? InitiateLoginUri { get; init; }

Property Value

System.Uri

ClientRegistrationRequest.IntrospectionEncryptedResponseAlg Property

The introspection_encrypted_response_alg (RFC 9701): the JWE key-management algorithm the OP must use when encrypting introspection responses for this client.

public string? IntrospectionEncryptedResponseAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.IntrospectionEncryptedResponseEnc Property

The introspection_encrypted_response_enc (RFC 9701): the JWE content-encryption algorithm paired with IntrospectionEncryptedResponseAlg for introspection responses to this client.

public string? IntrospectionEncryptedResponseEnc { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.IntrospectionSignedResponseAlg Property

The introspection_signed_response_alg (RFC 9701): the JWS algorithm the OP must use when signing introspection responses returned to this client. When omitted, introspection is returned as plain JSON.

public string? IntrospectionSignedResponseAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.Jwks Property

The inline jwks value: the client's JSON Web Key Set provided directly in registration metadata, used as an alternative to JwksUri. Only one of the two may be provided per RFC 7591 §2.

public Abblix.Jwt.JsonWebKeySet? Jwks { get; init; }

Property Value

JsonWebKeySet

ClientRegistrationRequest.JwksUri Property

The jwks_uri: an absolute URL where the client publishes its JSON Web Key Set, used by the OP to verify signed assertions and to encrypt content addressed to the client.

public System.Uri? JwksUri { get; init; }

Property Value

System.Uri

ClientRegistrationRequest.LogoUri Property

The logo_uri: an absolute URL of an image displayed to end-users alongside ClientName during authentication and consent.

public System.Uri? LogoUri { get; init; }

Property Value

System.Uri

ClientRegistrationRequest.OfflineAccessAllowed Property

When true, the client is permitted to request the offline_access scope and receive refresh tokens. Server extension to RFC 7591 metadata; defaults to true.

public System.Nullable<bool> OfflineAccessAllowed { get; init; }

Property Value

System.Nullable<System.Boolean>

ClientRegistrationRequest.PkceRequired Property

When true, this client must present a PKCE code_challenge on every authorization request per RFC 7636. Server extension to RFC 7591 metadata; defaults to false.

public System.Nullable<bool> PkceRequired { get; init; }

Property Value

System.Nullable<System.Boolean>

ClientRegistrationRequest.PolicyUri Property

The policy_uri: an absolute URL the relying party provides describing how end-user profile data is used.

public System.Uri? PolicyUri { get; init; }

Property Value

System.Uri

ClientRegistrationRequest.PostLogoutRedirectUris Property

The post_logout_redirect_uris (OIDC RP-Initiated Logout): the absolute URIs the OP may redirect the user agent to after RP-initiated logout. Logout requests must specify a post_logout_redirect_uri that exactly matches one of these.

public System.Uri[] PostLogoutRedirectUris { get; init; }

Property Value

System.Uri[]

ClientRegistrationRequest.RedirectUris Property

The redirect_uris array (RFC 7591 §2) listing every absolute URI the OP may use to deliver authorization responses to this client. At least one entry is required, and authorization requests must specify a redirect URI that exactly matches one of these values.

public System.Uri[] RedirectUris { get; init; }

Property Value

System.Uri[]

ClientRegistrationRequest.RequestObjectEncryptionAlg Property

The request_object_encryption_alg: the JWE key-management algorithm the client may use when encrypting Request Objects sent to the OP.

public string? RequestObjectEncryptionAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.RequestObjectEncryptionEnc Property

The request_object_encryption_enc: the JWE content-encryption algorithm paired with RequestObjectEncryptionAlg for Request Objects.

public string? RequestObjectEncryptionEnc { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.RequestObjectSigningAlg Property

The request_object_signing_alg: the JWS algorithm the client uses when signing Request Objects (OIDC Core §6) sent to the authorization endpoint. none indicates an unsigned Request Object.

public string? RequestObjectSigningAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.RequestUris Property

The request_uris (OIDC Core §6.2): URIs that the OP may pre-fetch and cache for use as request_uri values in authorization requests from this client.

public System.Uri[]? RequestUris { get; init; }

Property Value

System.Uri[]

ClientRegistrationRequest.RequireAuthTime Property

The require_auth_time flag: when true, the OP must always include the auth_time claim in ID Tokens issued to this client.

public System.Nullable<bool> RequireAuthTime { get; init; }

Property Value

System.Nullable<System.Boolean>

ClientRegistrationRequest.RequirePushedAuthorizationRequests Property

The require_pushed_authorization_requests client metadata per RFC 9126 §6: when true, pushed authorization requests are the only way this client may start an authorization flow. Maps to RequirePushedAuthorizationRequests. When omitted, treated as false.

public System.Nullable<bool> RequirePushedAuthorizationRequests { get; init; }

Property Value

System.Nullable<System.Boolean>

ClientRegistrationRequest.RequireSignedRequestObject Property

The require_signed_request_object client metadata per RFC 9101 §10.5: when true, the client must deliver its authorization request parameters as a signed request object. Maps to RequireSignedRequestObject. When omitted, treated as false.

public System.Nullable<bool> RequireSignedRequestObject { get; init; }

Property Value

System.Nullable<System.Boolean>

ClientRegistrationRequest.ResponseTypes Property

The response_types the client intends to use (RFC 7591 §2). Each entry is itself a space-separated combination of code, token, and/or id_token; the array therefore represents the full set of response type combinations registered for this client.

public string[][] ResponseTypes { get; init; }

Property Value

System.String[][]

Remarks

Deliberately not constrained by a declarative value list: authorization response processors are registered per flow (the implicit flow is off by default), and the registration pipeline already validates every requested response type against the set the server actually supports and advertises in its discovery document.

ClientRegistrationRequest.Scope Property

A space-separated list of scope values the client will use per RFC 7591 Section 2.

public string[]? Scope { get; set; }

Property Value

System.String[]

ClientRegistrationRequest.SectorIdentifierUri Property

The sector_identifier_uri (OIDC Core §8.1): an absolute HTTPS URL whose host is used to compute pairwise pseudonymous subject identifiers, allowing multiple registered redirect URIs to share the same pairwise sector.

public System.Uri? SectorIdentifierUri { get; init; }

Property Value

System.Uri

ClientRegistrationRequest.SoftwareId Property

A unique identifier string assigned by the client developer or software publisher to identify the client software per RFC 7591 Section 2.

public string? SoftwareId { get; set; }

Property Value

System.String

ClientRegistrationRequest.SoftwareStatement Property

A digitally signed or MACed JWT that asserts metadata values about the client software, issued by a third-party software statement issuer per RFC 7591 Section 2.3.

public string? SoftwareStatement { get; set; }

Property Value

System.String

ClientRegistrationRequest.SoftwareVersion Property

A version identifier string for the client software per RFC 7591 Section 2.

public string? SoftwareVersion { get; set; }

Property Value

System.String

ClientRegistrationRequest.SubjectType Property

The subject_type (OIDC Core §8) requested for ID Token sub claim generation: public (same identifier across clients) or pairwise (per-sector pseudonymous).

public string? SubjectType { get; init; }

Property Value

System.String

ClientRegistrationRequest.TermsOfServiceUri Property

The tos_uri: an absolute URL where the relying party publishes its terms of service.

public System.Uri? TermsOfServiceUri { get; init; }

Property Value

System.Uri

ClientRegistrationRequest.TlsClientAuthSanDns Property

Required DNS Subject Alternative Names for tls_client_auth.

public string[]? TlsClientAuthSanDns { get; init; }

Property Value

System.String[]

ClientRegistrationRequest.TlsClientAuthSanEmail Property

Required email Subject Alternative Names for tls_client_auth.

public string[]? TlsClientAuthSanEmail { get; init; }

Property Value

System.String[]

ClientRegistrationRequest.TlsClientAuthSanIp Property

Required IP Subject Alternative Names for tls_client_auth.

public string[]? TlsClientAuthSanIp { get; init; }

Property Value

System.String[]

ClientRegistrationRequest.TlsClientAuthSanUri Property

Required URI Subject Alternative Names for tls_client_auth.

public System.Uri[]? TlsClientAuthSanUri { get; init; }

Property Value

System.Uri[]

ClientRegistrationRequest.TlsClientAuthSubjectDn Property

Exact Subject Distinguished Name the client certificate must present when using tls_client_auth.

public string? TlsClientAuthSubjectDn { get; init; }

Property Value

System.String

ClientRegistrationRequest.TlsClientCertificateBoundAccessTokens Property

The tls_client_certificate_bound_access_tokens client metadata per RFC 8705 §3.4: when true, access tokens issued to this client are certificate-bound whenever the token request arrives over mutual TLS, independently of the authentication method. Maps to TlsClientCertificateBoundAccessTokens. When omitted, treated as false.

public System.Nullable<bool> TlsClientCertificateBoundAccessTokens { get; init; }

Property Value

System.Nullable<System.Boolean>

ClientRegistrationRequest.TokenEndpointAuthMethod Property

The token_endpoint_auth_method (RFC 7591 §2): the client authentication method used at the token endpoint, such as client_secret_basic, client_secret_post, private_key_jwt, tls_client_auth, or none.

public string TokenEndpointAuthMethod { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: client authenticators are an extensible set, and the registration pipeline already validates the value against the methods the server actually supports and announces in its discovery document.

ClientRegistrationRequest.TokenEndpointAuthSigningAlg Property

The token_endpoint_auth_signing_alg: the JWS algorithm the client uses when signing authentication assertions for private_key_jwt or client_secret_jwt at the token endpoint.

public string? TokenEndpointAuthSigningAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.TokenExchangeAudiences Property

Non-standard extension: the per-client allowlist of RFC 8693 audience values this client may request when exchanging a token. RFC 8693 does not standardise a registration parameter for this, so the property is exposed under the non-standard token_exchange_audiences name. Maps to TokenExchangeAllowedAudiences. Default-deny: null or empty means the client may not request any audience; a non-empty array is the allowlist of accepted values.

public string[]? TokenExchangeAudiences { get; init; }

Property Value

System.String[]

ClientRegistrationRequest.TokenExchangeSubjectTokenTypes Property

Non-standard extension: the per-client allowlist of RFC 8693 subject_token_type URIs this client may submit to the Token Exchange grant. RFC 8693 does not standardise a registration parameter for this, so the property is exposed under the non-standard token_exchange_subject_token_types name. Maps to TokenExchangeAllowedSubjectTokenTypes. null means no per-client constraint; empty array means the client cannot use Token Exchange at all.

public string[]? TokenExchangeSubjectTokenTypes { get; init; }

Property Value

System.String[]

ClientRegistrationRequest.UserInfoEncryptedResponseAlg Property

The userinfo_encrypted_response_alg: the JWE key-management algorithm the OP must use when encrypting UserInfo responses for this client.

public string? UserInfoEncryptedResponseAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.UserInfoEncryptedResponseEnc Property

The userinfo_encrypted_response_enc: the JWE content-encryption algorithm paired with UserInfoEncryptedResponseAlg for UserInfo responses to this client.

public string? UserInfoEncryptedResponseEnc { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.

ClientRegistrationRequest.UserInfoSignedResponseAlg Property

The userinfo_signed_response_alg: the JWS algorithm the OP must use when signing UserInfo responses returned to this client. When omitted, UserInfo is returned as plain JSON.

public string? UserInfoSignedResponseAlg { get; init; }

Property Value

System.String

Remarks

Deliberately not constrained by a declarative value list: the permissible algorithms are determined at runtime by the keyed signing/encryption registrations, so a static list would misstate the host's actual capabilities.