Skip to main content

ConfigurationResponse Class

Abblix.Oidc.Server

Abblix.Oidc.Server.Model

ConfigurationResponse Class

The OpenID Provider discovery document returned by the /.well-known/openid-configuration endpoint, as defined by OpenID Connect Discovery 1.0 §3 and OAuth 2.0 Authorization Server Metadata (RFC 8414). Its content lists the provider's endpoints, supported algorithms, response types, scopes, and feature flags so that relying parties can configure themselves dynamically.

public record ConfigurationResponse : System.IEquatable<Abblix.Oidc.Server.Model.ConfigurationResponse>

Inheritance System.Object → ConfigurationResponse

Implements System.IEquatable<ConfigurationResponse>

Remarks

Decorated with Abblix.Utils.Json.JsonIgnoreNullsAttribute so that all nullable optional properties are omitted from the serialized JSON when null, rather than emitted as "field": null. RFC 8414 §2 requires that optional metadata fields be absent when not applicable — some OIDC client libraries (including Microsoft.IdentityModel) reject a discovery document that contains null values for fields they do not expect to be present.

Properties

ConfigurationResponse.AcrValuesSupported Property

Lists the ACR (Authentication Context Class Reference) values supported by the OpenID Provider. These values represent authentication assurance levels that can be requested and achieved.

public System.Collections.Generic.IEnumerable<string>? AcrValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.AuthorizationDetailsTypesSupported Property

RFC 9396 §13: the authorization-detail type values this server's host has registered validators for. The list is projected from the keyed-DI registry of IAuthorizationDetailValidator so it always matches what request-time dispatch will accept. Omitted from the emitted discovery JSON when the list is empty (no per-type validators registered) so the document follows the OIDC discovery convention: absent = unsupported, not the empty array.

public System.Collections.Generic.IEnumerable<string>? AuthorizationDetailsTypesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.AuthorizationEncryptionAlgValuesSupported Property

Specifies the JWE key-management algorithms (the alg values) the OpenID Provider uses to encrypt JARM authorization responses (JARM §4).

public System.Collections.Generic.IEnumerable<string>? AuthorizationEncryptionAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.AuthorizationEncryptionEncValuesSupported Property

Specifies the JWE content-encryption algorithms (the enc values) the OpenID Provider uses to encrypt JARM authorization responses (JARM §4).

public System.Collections.Generic.IEnumerable<string>? AuthorizationEncryptionEncValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.AuthorizationEndpoint Property

The URL of the authorization endpoint through which the provider handles authentication requests and user consent.

public System.Uri? AuthorizationEndpoint { get; init; }

Property Value

System.Uri

ConfigurationResponse.AuthorizationResponseIssParameterSupported Property

Indicates that the server includes the iss parameter in every authorization response per RFC 9207. Clients that inspect this flag activate mix-up attack defenses.

public System.Nullable<bool> AuthorizationResponseIssParameterSupported { get; init; }

Property Value

System.Nullable<System.Boolean>

ConfigurationResponse.AuthorizationSigningAlgValuesSupported Property

Specifies the JWS algorithms the OpenID Provider uses to sign JARM authorization responses (JARM §4).

public System.Collections.Generic.IEnumerable<string>? AuthorizationSigningAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.BackChannelAuthenticationEndpoint Property

The backchannel authentication endpoint for initiating CIBA (Client-Initiated Backchannel Authentication) requests.

public System.Uri? BackChannelAuthenticationEndpoint { get; init; }

Property Value

System.Uri

ConfigurationResponse.BackChannelAuthenticationRequestSigningAlgValuesSupported Property

Lists the supported signing algorithms for backchannel authentication requests.

public System.Collections.Generic.IEnumerable<string>? BackChannelAuthenticationRequestSigningAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.BackChannelLogoutSessionSupported Property

Indicates whether the OpenID Provider supports session management for back channel logout, enabling secure and direct notification of user logout.

public System.Nullable<bool> BackChannelLogoutSessionSupported { get; init; }

Property Value

System.Nullable<System.Boolean>

ConfigurationResponse.BackChannelLogoutSupported Property

Indicates whether the OpenID Provider supports back channel logout, allowing clients to log out users through direct back-channel communication.

public System.Nullable<bool> BackChannelLogoutSupported { get; init; }

Property Value

System.Nullable<System.Boolean>

ConfigurationResponse.BackChannelTokenDeliveryModesSupported Property

Lists the supported backchannel token delivery modes for client-initiated backchannel authentication.

public System.Collections.Generic.IEnumerable<string>? BackChannelTokenDeliveryModesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.BackChannelUserCodeParameterSupported Property

Indicates whether the OpenID Provider supports the backchannel user code parameter for CIBA.

public System.Nullable<bool> BackChannelUserCodeParameterSupported { get; init; }

Property Value

System.Nullable<System.Boolean>

ConfigurationResponse.CheckSessionIframe Property

The URL of the iframe used by the provider to facilitate session management in client applications.

public System.Uri? CheckSessionIframe { get; init; }

Property Value

System.Uri

ConfigurationResponse.ClaimsParameterSupported Property

Indicates whether the OpenID Provider supports the use of the claims parameter, allowing clients to request specific claims in the ID token.

public System.Nullable<bool> ClaimsParameterSupported { get; init; }

Property Value

System.Nullable<System.Boolean>

ConfigurationResponse.ClaimsSupported Property

Lists the claims supported by the OpenID Provider, indicating the user information that can be included in the ID token or obtained from the UserInfo endpoint.

public System.Collections.Generic.IEnumerable<string> ClaimsSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.CodeChallengeMethodsSupported Property

Lists the code challenge methods supported by the OpenID Provider for PKCE, enhancing the security of the authorization code flow.

public System.Collections.Generic.IEnumerable<string> CodeChallengeMethodsSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.DeviceAuthorizationEndpoint Property

The URL of the device authorization endpoint as defined in RFC 8628. This endpoint is used to initiate the Device Authorization Grant flow.

public System.Uri? DeviceAuthorizationEndpoint { get; init; }

Property Value

System.Uri

ConfigurationResponse.DpopSigningAlgValuesSupported Property

JWS signing algorithms accepted on inbound DPoP proofs per RFC 9449 §5.1 (dpop_signing_alg_values_supported).

public System.Collections.Generic.IEnumerable<string>? DpopSigningAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.EndSessionEndpoint Property

The URL of the end session endpoint that supports logging out users from the provider.

public System.Uri? EndSessionEndpoint { get; init; }

Property Value

System.Uri

ConfigurationResponse.FrontChannelLogoutSessionSupported Property

Indicates whether the OpenID Provider supports session management for front channel logout, enabling clients to identify which user session is being logged out.

public System.Nullable<bool> FrontChannelLogoutSessionSupported { get; init; }

Property Value

System.Nullable<System.Boolean>

ConfigurationResponse.FrontChannelLogoutSupported Property

Indicates whether the OpenID Provider supports front channel logout, allowing clients to log out users across multiple applications.

public System.Nullable<bool> FrontChannelLogoutSupported { get; init; }

Property Value

System.Nullable<System.Boolean>

ConfigurationResponse.GrantTypesSupported Property

Lists the grant types supported by the OpenID Provider, defining the methods through which clients can request tokens.

public System.Collections.Generic.IEnumerable<string> GrantTypesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.IdTokenSigningAlgValuesSupported Property

Lists the ID token signing algorithm values supported by the OpenID Provider, indicating the algorithms that can be used to sign the ID token.

public System.Collections.Generic.IEnumerable<string> IdTokenSigningAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.IntrospectionEncryptionAlgValuesSupported Property

Specifies the JWE key-management algorithms (the alg values) the OpenID Provider uses to encrypt JWT introspection responses (RFC 9701 §7).

public System.Collections.Generic.IEnumerable<string>? IntrospectionEncryptionAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.IntrospectionEncryptionEncValuesSupported Property

Specifies the JWE content-encryption algorithms (the enc values) the OpenID Provider uses to encrypt JWT introspection responses (RFC 9701 §7).

public System.Collections.Generic.IEnumerable<string>? IntrospectionEncryptionEncValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.IntrospectionEndpoint Property

The URL of the introspection endpoint where clients can obtain information about tokens' current state.

public System.Uri? IntrospectionEndpoint { get; init; }

Property Value

System.Uri

ConfigurationResponse.IntrospectionSigningAlgValuesSupported Property

Specifies the JWS algorithms the OpenID Provider uses to sign JWT introspection responses (RFC 9701 §7).

public System.Collections.Generic.IEnumerable<string>? IntrospectionSigningAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.Issuer Property

The issuer identifier, which uniquely identifies the OpenID Provider. This value must be used by clients when issuing requests to the provider to ensure that the request is directed to the correct entity.

public string Issuer { get; init; }

Property Value

System.String

ConfigurationResponse.JwksUri Property

The URL of the OpenID Provider's JSON Web Key Set (JWKS) document. This document contains the provider's public keys, enabling clients to verify signatures and encrypt messages to the provider.

public System.Uri? JwksUri { get; init; }

Property Value

System.Uri

ConfigurationResponse.MtlsEndpointAliases Property

RFC 8705: mTLS endpoint aliases block to advertise alternate endpoints served on an mTLS-bound host.

public Abblix.Oidc.Server.Model.MtlsAliases? MtlsEndpointAliases { get; init; }

Property Value

MtlsAliases

ConfigurationResponse.PromptValuesSupported Property

Lists the prompt values supported by the OpenID Provider, specifying how the provider should prompt the user during authentication.

public System.Collections.Generic.IEnumerable<string> PromptValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.PushedAuthorizationRequestEndpoint Property

The URL for the Pushed Authorization Request endpoint, which allows clients to pre-register authorization requests.

public System.Uri? PushedAuthorizationRequestEndpoint { get; set; }

Property Value

System.Uri

ConfigurationResponse.RegistrationEndpoint Property

The URL of the client registration endpoint that supports dynamic registration of client applications.

public System.Uri? RegistrationEndpoint { get; init; }

Property Value

System.Uri

ConfigurationResponse.RequestObjectEncryptionAlgValuesSupported Property

Specifies the JWE key-management algorithms (the alg values) the OpenID Provider supports when a client encrypts a request object to the provider (RFC 9101 §6.1).

public System.Collections.Generic.IEnumerable<string>? RequestObjectEncryptionAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.RequestObjectEncryptionEncValuesSupported Property

Specifies the JWE content-encryption algorithms (the enc values) the OpenID Provider supports when a client encrypts a request object to the provider (RFC 9101 §6.1).

public System.Collections.Generic.IEnumerable<string>? RequestObjectEncryptionEncValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.RequestObjectSigningAlgValuesSupported Property

Specifies the signing algorithms supported by the OpenID Provider for request objects. These algorithms are used to sign request objects sent to the OpenID Provider, providing security measures against tampering and ensuring the authenticity of the request.

public System.Collections.Generic.IEnumerable<string>? RequestObjectSigningAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.RequestParameterSupported Property

Indicates whether the OpenID Provider supports the use of the request parameter, enabling clients to send a fully self-contained authorization request.

public bool RequestParameterSupported { get; init; }

Property Value

System.Boolean

ConfigurationResponse.RequirePushedAuthorizationRequests Property

Indicates whether the provider requires clients to use the Pushed Authorization Requests (PAR) only.

public System.Nullable<bool> RequirePushedAuthorizationRequests { get; set; }

Property Value

System.Nullable<System.Boolean>

ConfigurationResponse.RequireSignedRequestObject Property

Indicates whether the OpenID Provider mandates that all request objects must be signed. This requirement ensures an additional layer of security by verifying the authenticity and integrity of request objects received by the provider.

public System.Nullable<bool> RequireSignedRequestObject { get; init; }

Property Value

System.Nullable<System.Boolean>

ConfigurationResponse.ResponseModesSupported Property

Lists the response modes supported by the OpenID Provider, defining how the authorization response should be delivered to the client.

public System.Collections.Generic.IEnumerable<string> ResponseModesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.ResponseTypesSupported Property

Lists the response types supported by the OpenID Provider, indicating the formats that can be used for the authorization response.

public System.Collections.Generic.IEnumerable<string> ResponseTypesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.RevocationEndpoint Property

The URL of the revocation endpoint where clients can revoke access tokens or refresh tokens.

public System.Uri? RevocationEndpoint { get; init; }

Property Value

System.Uri

ConfigurationResponse.ScopesSupported Property

Lists the scopes supported by the OpenID Provider, defining the extent of access granted by the authorization.

public System.Collections.Generic.IEnumerable<string> ScopesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.SignedMetadata Property

RFC 8414 §2.1: a JWS whose payload restates this entire metadata set, signed with the provider's signing key. When present, a client that verifies the signature against the keys at JwksUri may trust the configuration's origin beyond the TLS layer; signed values take precedence over the corresponding plain-JSON fields. Emitted only when DiscoveryOptions.SignedMetadata is enabled, and computed last so the signed payload never contains this field itself.

public string? SignedMetadata { get; init; }

Property Value

System.String

ConfigurationResponse.SubjectTypesSupported Property

Lists the subject types supported by the OpenID Provider, defining how the subject's identifier is formatted and presented to the client.

public System.Collections.Generic.IEnumerable<string> SubjectTypesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.TlsClientCertificateBoundAccessTokens Property

RFC 8705 §3.3: indicates that the provider supports mutual-TLS client certificate-bound access tokens. Emitted as true when the provider both issues such tokens and enforces the binding at its protected resources; omitted otherwise.

public System.Nullable<bool> TlsClientCertificateBoundAccessTokens { get; init; }

Property Value

System.Nullable<System.Boolean>

ConfigurationResponse.TokenEndpoint Property

The URL of the token endpoint where the provider issues tokens (e.g., access tokens, refresh tokens) to clients.

public System.Uri? TokenEndpoint { get; init; }

Property Value

System.Uri

ConfigurationResponse.TokenEndpointAuthMethodsSupported Property

Lists the token endpoint authentication methods supported by the OpenID Provider, specifying how clients authenticate to the token endpoint.

public System.Collections.Generic.IEnumerable<string> TokenEndpointAuthMethodsSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.TokenEndpointAuthSigningAlgValuesSupported Property

Lists the signing algorithms supported by the OpenID Provider for authenticating clients at the token endpoint. These algorithms are used to verify the signatures of the authentication requests sent to the token endpoint, ensuring the integrity and authenticity of the requests.

public System.Collections.Generic.IEnumerable<string>? TokenEndpointAuthSigningAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>

ConfigurationResponse.UserInfoEndpoint Property

The URL of the user information endpoint from which the provider returns claims about the authenticated user.

public System.Uri? UserInfoEndpoint { get; init; }

Property Value

System.Uri

ConfigurationResponse.UserInfoSigningAlgValuesSupported Property

Specifies the signing algorithms supported by the OpenID Provider for user information endpoints. These algorithms are used to sign the data returned from UserInfo endpoints, ensuring data integrity and authentication of the information source.

public System.Collections.Generic.IEnumerable<string>? UserInfoSigningAlgValuesSupported { get; init; }

Property Value

System.Collections.Generic.IEnumerable<System.String>