ConfigurationResponse Class
Abblix.Oidc.Server
Abblix.Oidc.Server.Model
ConfigurationResponse Class
The OpenID Provider discovery document returned by the /.well-known/openid-configuration endpoint,
as defined by OpenID Connect Discovery 1.0 §3 and OAuth 2.0 Authorization Server Metadata (RFC 8414).
Its content lists the provider's endpoints, supported algorithms, response types, scopes, and feature flags
so that relying parties can configure themselves dynamically.
public record ConfigurationResponse : System.IEquatable<Abblix.Oidc.Server.Model.ConfigurationResponse>
Inheritance System.Object → ConfigurationResponse
Implements System.IEquatable<ConfigurationResponse>
Remarks
Decorated with Abblix.Utils.Json.JsonIgnoreNullsAttribute so that all nullable optional properties are omitted
from the serialized JSON when null, rather than emitted as "field": null.
RFC 8414 §2 requires that optional metadata fields be absent when not applicable — some OIDC client libraries
(including Microsoft.IdentityModel) reject a discovery document that contains null values for
fields they do not expect to be present.
Properties
ConfigurationResponse.AcrValuesSupported Property
Lists the ACR (Authentication Context Class Reference) values supported by the OpenID Provider. These values represent authentication assurance levels that can be requested and achieved.
public System.Collections.Generic.IEnumerable<string>? AcrValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.AuthorizationDetailsTypesSupported Property
RFC 9396 §13: the authorization-detail type values this server's host has
registered validators for. The list is projected from the keyed-DI registry of
IAuthorizationDetailValidator so it always
matches what request-time dispatch will accept. Omitted from the emitted discovery
JSON when the list is empty (no per-type validators registered) so the document
follows the OIDC discovery convention: absent = unsupported, not the empty array.
public System.Collections.Generic.IEnumerable<string>? AuthorizationDetailsTypesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.AuthorizationEncryptionAlgValuesSupported Property
Specifies the JWE key-management algorithms (the alg values) the OpenID Provider uses to encrypt
JARM authorization responses (JARM §4).
public System.Collections.Generic.IEnumerable<string>? AuthorizationEncryptionAlgValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.AuthorizationEncryptionEncValuesSupported Property
Specifies the JWE content-encryption algorithms (the enc values) the OpenID Provider uses to
encrypt JARM authorization responses (JARM §4).
public System.Collections.Generic.IEnumerable<string>? AuthorizationEncryptionEncValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.AuthorizationEndpoint Property
The URL of the authorization endpoint through which the provider handles authentication requests and user consent.
public System.Uri? AuthorizationEndpoint { get; init; }
Property Value
ConfigurationResponse.AuthorizationResponseIssParameterSupported Property
Indicates that the server includes the iss parameter in every authorization response per RFC 9207.
Clients that inspect this flag activate mix-up attack defenses.
public System.Nullable<bool> AuthorizationResponseIssParameterSupported { get; init; }
Property Value
System.Nullable<System.Boolean>
ConfigurationResponse.AuthorizationSigningAlgValuesSupported Property
Specifies the JWS algorithms the OpenID Provider uses to sign JARM authorization responses (JARM §4).
public System.Collections.Generic.IEnumerable<string>? AuthorizationSigningAlgValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.BackChannelAuthenticationEndpoint Property
The backchannel authentication endpoint for initiating CIBA (Client-Initiated Backchannel Authentication) requests.
public System.Uri? BackChannelAuthenticationEndpoint { get; init; }
Property Value
ConfigurationResponse.BackChannelAuthenticationRequestSigningAlgValuesSupported Property
Lists the supported signing algorithms for backchannel authentication requests.
public System.Collections.Generic.IEnumerable<string>? BackChannelAuthenticationRequestSigningAlgValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.BackChannelLogoutSessionSupported Property
Indicates whether the OpenID Provider supports session management for back channel logout, enabling secure and direct notification of user logout.
public System.Nullable<bool> BackChannelLogoutSessionSupported { get; init; }
Property Value
System.Nullable<System.Boolean>
ConfigurationResponse.BackChannelLogoutSupported Property
Indicates whether the OpenID Provider supports back channel logout, allowing clients to log out users through direct back-channel communication.
public System.Nullable<bool> BackChannelLogoutSupported { get; init; }
Property Value
System.Nullable<System.Boolean>
ConfigurationResponse.BackChannelTokenDeliveryModesSupported Property
Lists the supported backchannel token delivery modes for client-initiated backchannel authentication.
public System.Collections.Generic.IEnumerable<string>? BackChannelTokenDeliveryModesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.BackChannelUserCodeParameterSupported Property
Indicates whether the OpenID Provider supports the backchannel user code parameter for CIBA.
public System.Nullable<bool> BackChannelUserCodeParameterSupported { get; init; }
Property Value
System.Nullable<System.Boolean>
ConfigurationResponse.CheckSessionIframe Property
The URL of the iframe used by the provider to facilitate session management in client applications.
public System.Uri? CheckSessionIframe { get; init; }
Property Value
ConfigurationResponse.ClaimsParameterSupported Property
Indicates whether the OpenID Provider supports the use of the claims parameter, allowing clients to request specific claims in the ID token.
public System.Nullable<bool> ClaimsParameterSupported { get; init; }
Property Value
System.Nullable<System.Boolean>
ConfigurationResponse.ClaimsSupported Property
Lists the claims supported by the OpenID Provider, indicating the user information that can be included in the ID token or obtained from the UserInfo endpoint.
public System.Collections.Generic.IEnumerable<string> ClaimsSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.CodeChallengeMethodsSupported Property
Lists the code challenge methods supported by the OpenID Provider for PKCE, enhancing the security of the authorization code flow.
public System.Collections.Generic.IEnumerable<string> CodeChallengeMethodsSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.DeviceAuthorizationEndpoint Property
The URL of the device authorization endpoint as defined in RFC 8628. This endpoint is used to initiate the Device Authorization Grant flow.
public System.Uri? DeviceAuthorizationEndpoint { get; init; }
Property Value
ConfigurationResponse.DpopSigningAlgValuesSupported Property
JWS signing algorithms accepted on inbound DPoP proofs per RFC 9449 §5.1
(dpop_signing_alg_values_supported).
public System.Collections.Generic.IEnumerable<string>? DpopSigningAlgValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.EndSessionEndpoint Property
The URL of the end session endpoint that supports logging out users from the provider.
public System.Uri? EndSessionEndpoint { get; init; }
Property Value
ConfigurationResponse.FrontChannelLogoutSessionSupported Property
Indicates whether the OpenID Provider supports session management for front channel logout, enabling clients to identify which user session is being logged out.
public System.Nullable<bool> FrontChannelLogoutSessionSupported { get; init; }
Property Value
System.Nullable<System.Boolean>
ConfigurationResponse.FrontChannelLogoutSupported Property
Indicates whether the OpenID Provider supports front channel logout, allowing clients to log out users across multiple applications.
public System.Nullable<bool> FrontChannelLogoutSupported { get; init; }
Property Value
System.Nullable<System.Boolean>
ConfigurationResponse.GrantTypesSupported Property
Lists the grant types supported by the OpenID Provider, defining the methods through which clients can request tokens.
public System.Collections.Generic.IEnumerable<string> GrantTypesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.IdTokenSigningAlgValuesSupported Property
Lists the ID token signing algorithm values supported by the OpenID Provider, indicating the algorithms that can be used to sign the ID token.
public System.Collections.Generic.IEnumerable<string> IdTokenSigningAlgValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.IntrospectionEncryptionAlgValuesSupported Property
Specifies the JWE key-management algorithms (the alg values) the OpenID Provider uses to encrypt
JWT introspection responses (RFC 9701 §7).
public System.Collections.Generic.IEnumerable<string>? IntrospectionEncryptionAlgValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.IntrospectionEncryptionEncValuesSupported Property
Specifies the JWE content-encryption algorithms (the enc values) the OpenID Provider uses to
encrypt JWT introspection responses (RFC 9701 §7).
public System.Collections.Generic.IEnumerable<string>? IntrospectionEncryptionEncValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.IntrospectionEndpoint Property
The URL of the introspection endpoint where clients can obtain information about tokens' current state.
public System.Uri? IntrospectionEndpoint { get; init; }
Property Value
ConfigurationResponse.IntrospectionSigningAlgValuesSupported Property
Specifies the JWS algorithms the OpenID Provider uses to sign JWT introspection responses (RFC 9701 §7).
public System.Collections.Generic.IEnumerable<string>? IntrospectionSigningAlgValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.Issuer Property
The issuer identifier, which uniquely identifies the OpenID Provider. This value must be used by clients when issuing requests to the provider to ensure that the request is directed to the correct entity.
public string Issuer { get; init; }
Property Value
ConfigurationResponse.JwksUri Property
The URL of the OpenID Provider's JSON Web Key Set (JWKS) document. This document contains the provider's public keys, enabling clients to verify signatures and encrypt messages to the provider.
public System.Uri? JwksUri { get; init; }
Property Value
ConfigurationResponse.MtlsEndpointAliases Property
RFC 8705: mTLS endpoint aliases block to advertise alternate endpoints served on an mTLS-bound host.
public Abblix.Oidc.Server.Model.MtlsAliases? MtlsEndpointAliases { get; init; }
Property Value
ConfigurationResponse.PromptValuesSupported Property
Lists the prompt values supported by the OpenID Provider, specifying how the provider should prompt the user during authentication.
public System.Collections.Generic.IEnumerable<string> PromptValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.PushedAuthorizationRequestEndpoint Property
The URL for the Pushed Authorization Request endpoint, which allows clients to pre-register authorization requests.
public System.Uri? PushedAuthorizationRequestEndpoint { get; set; }
Property Value
ConfigurationResponse.RegistrationEndpoint Property
The URL of the client registration endpoint that supports dynamic registration of client applications.
public System.Uri? RegistrationEndpoint { get; init; }
Property Value
ConfigurationResponse.RequestObjectEncryptionAlgValuesSupported Property
Specifies the JWE key-management algorithms (the alg values) the OpenID Provider supports
when a client encrypts a request object to the provider (RFC 9101 §6.1).
public System.Collections.Generic.IEnumerable<string>? RequestObjectEncryptionAlgValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.RequestObjectEncryptionEncValuesSupported Property
Specifies the JWE content-encryption algorithms (the enc values) the OpenID Provider supports
when a client encrypts a request object to the provider (RFC 9101 §6.1).
public System.Collections.Generic.IEnumerable<string>? RequestObjectEncryptionEncValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.RequestObjectSigningAlgValuesSupported Property
Specifies the signing algorithms supported by the OpenID Provider for request objects. These algorithms are used to sign request objects sent to the OpenID Provider, providing security measures against tampering and ensuring the authenticity of the request.
public System.Collections.Generic.IEnumerable<string>? RequestObjectSigningAlgValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.RequestParameterSupported Property
Indicates whether the OpenID Provider supports the use of the request parameter, enabling clients to send a fully self-contained authorization request.
public bool RequestParameterSupported { get; init; }
Property Value
ConfigurationResponse.RequirePushedAuthorizationRequests Property
Indicates whether the provider requires clients to use the Pushed Authorization Requests (PAR) only.
public System.Nullable<bool> RequirePushedAuthorizationRequests { get; set; }
Property Value
System.Nullable<System.Boolean>
ConfigurationResponse.RequireSignedRequestObject Property
Indicates whether the OpenID Provider mandates that all request objects must be signed. This requirement ensures an additional layer of security by verifying the authenticity and integrity of request objects received by the provider.
public System.Nullable<bool> RequireSignedRequestObject { get; init; }
Property Value
System.Nullable<System.Boolean>
ConfigurationResponse.ResponseModesSupported Property
Lists the response modes supported by the OpenID Provider, defining how the authorization response should be delivered to the client.
public System.Collections.Generic.IEnumerable<string> ResponseModesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.ResponseTypesSupported Property
Lists the response types supported by the OpenID Provider, indicating the formats that can be used for the authorization response.
public System.Collections.Generic.IEnumerable<string> ResponseTypesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.RevocationEndpoint Property
The URL of the revocation endpoint where clients can revoke access tokens or refresh tokens.
public System.Uri? RevocationEndpoint { get; init; }
Property Value
ConfigurationResponse.ScopesSupported Property
Lists the scopes supported by the OpenID Provider, defining the extent of access granted by the authorization.
public System.Collections.Generic.IEnumerable<string> ScopesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.SignedMetadata Property
RFC 8414 §2.1: a JWS whose payload restates this entire metadata set, signed with the
provider's signing key. When present, a client that verifies the signature against the
keys at JwksUri may trust the configuration's origin beyond the TLS layer;
signed values take precedence over the corresponding plain-JSON fields. Emitted only
when DiscoveryOptions.SignedMetadata is enabled, and computed last so the signed
payload never contains this field itself.
public string? SignedMetadata { get; init; }
Property Value
ConfigurationResponse.SubjectTypesSupported Property
Lists the subject types supported by the OpenID Provider, defining how the subject's identifier is formatted and presented to the client.
public System.Collections.Generic.IEnumerable<string> SubjectTypesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.TlsClientCertificateBoundAccessTokens Property
RFC 8705 §3.3: indicates that the provider supports mutual-TLS client certificate-bound
access tokens. Emitted as true when the provider both issues such tokens and
enforces the binding at its protected resources; omitted otherwise.
public System.Nullable<bool> TlsClientCertificateBoundAccessTokens { get; init; }
Property Value
System.Nullable<System.Boolean>
ConfigurationResponse.TokenEndpoint Property
The URL of the token endpoint where the provider issues tokens (e.g., access tokens, refresh tokens) to clients.
public System.Uri? TokenEndpoint { get; init; }
Property Value
ConfigurationResponse.TokenEndpointAuthMethodsSupported Property
Lists the token endpoint authentication methods supported by the OpenID Provider, specifying how clients authenticate to the token endpoint.
public System.Collections.Generic.IEnumerable<string> TokenEndpointAuthMethodsSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.TokenEndpointAuthSigningAlgValuesSupported Property
Lists the signing algorithms supported by the OpenID Provider for authenticating clients at the token endpoint. These algorithms are used to verify the signatures of the authentication requests sent to the token endpoint, ensuring the integrity and authenticity of the requests.
public System.Collections.Generic.IEnumerable<string>? TokenEndpointAuthSigningAlgValuesSupported { get; init; }
Property Value
System.Collections.Generic.IEnumerable<System.String>
ConfigurationResponse.UserInfoEndpoint Property
The URL of the user information endpoint from which the provider returns claims about the authenticated user.
public System.Uri? UserInfoEndpoint { get; init; }
Property Value
ConfigurationResponse.UserInfoSigningAlgValuesSupported Property
Specifies the signing algorithms supported by the OpenID Provider for user information endpoints. These algorithms are used to sign the data returned from UserInfo endpoints, ensuring data integrity and authentication of the information source.
public System.Collections.Generic.IEnumerable<string>? UserInfoSigningAlgValuesSupported { get; init; }