IdentityModel Base64Url encoder/decoder Encodes the specified byte array. The argument. Decodes the specified string. The argument. Illegal base64url string! Compares two instances of Claim Claim comparison options Specifies if the issuer value is being taken into account Specifies if claim and issuer value comparison should be case-sensitive Initializes a new instance of the class with default options. Initializes a new instance of the class with given comparison options. Comparison options. Implementation of based on equality. Trailing slash is also ignored. Enum for specifying the encoding style of the basic authentication header Recommended. Uses the encoding as described in the OAuth 2.0 spec (https://tools.ietf.org/html/rfc6749#section-2.3.1). Base64(urlformencode(client_id) + ":" + urlformencode(client_secret)) Uses the encoding as described in the original basic authentication spec (https://tools.ietf.org/html/rfc2617#section-2 - used by some non-OAuth 2.0 compliant authorization servers). Base64(client_id + ":" + client_secret). Specifies how the client will transmit client ID and secret HTTP basic authentication Post values in body Options for TokenClient Options for IntrospectionClient Base-class protocol client options Gets or sets the address. The address. Gets or sets the client identifier. The client identifier. Gets or sets the client secret. The client secret. Gets or sets the client assertion. The assertion. Gets or sets the client credential style. The client credential style. Gets or sets the basic authentication header style. The basic authentication header style. Gets or sets additional request parameters (must not conflict with locally set parameters) The parameters. Helper for caching discovery documents. Initialize instance of DiscoveryCache with passed authority. Base address or discovery document endpoint. The policy. Initialize instance of DiscoveryCache with passed authority. Base address or discovery document endpoint. 
The HTTP client function. The policy. Frequency to refresh discovery document. Defaults to 24 hours. Get the DiscoveryResponse either from cache or from discovery endpoint. Marks the discovery document as stale and will trigger a request to the discovery endpoint on the next request to get the DiscoveryResponse. Represents a URL to a discovery endpoint - parsed to separate the URL and authority Parses a URL and turns it into authority and discovery endpoint URL. The input. Malformed URL Determines whether the URL uses http or https. The URL. true if [is valid scheme] [the specified URL]; otherwise, false. Determines whether uses a secure scheme according to the policy. The URL. The policy. true if [is secure scheme] [the specified URL]; otherwise, false. Initializes a new instance of the class. The authority. The discovery endpoint URL. Gets or sets the authority. The authority. Gets or sets the discovery endpoint. The discovery endpoint. Security policy for retrieving a discovery document Gets or sets the Authority on which the policy checks will be based Strategy used to validate issuer name and endpoints based on expected authority. Defaults to . Specifies if HTTPS is enforced on all endpoints. Defaults to true. Specifies if HTTP is allowed on loopback addresses. Defaults to true. Specifies valid loopback addresses, defaults to localhost and 127.0.0.1 Specifies if the issuer name is checked to be identical to the authority. Defaults to true. Specifies if all endpoints are checked to belong to the authority. Defaults to true. Specifies a list of endpoints that should be excluded from validation Specifies a list of additional base addresses that should be allowed for endpoints Specifies if a key set is required. Defaults to true. Extensions for HttpRequestMessage Sets a basic authentication header. The client. Name of the user. The password. Sets a basic authentication header for RFC6749 client authentication. The client. Name of the user. The password. 
Sets an authorization header with a given scheme and value. The client. The scheme. The token. Sets an authorization header with a bearer token. The client. The token. Sets a basic authentication header. The HTTP request message. Name of the user. The password. Sets a basic authentication header for RFC6749 client authentication. The HTTP request message. Name of the user. The password. Sets an authorization header with a given scheme and value. The HTTP request message. The scheme. The token. Sets an authorization header with a bearer token. The HTTP request message. The token. HttpClient extensions for OIDC userinfo Sends a userinfo request. The client. The request. The cancellation token. HttpClient extensions for OIDC discovery Sends a discovery document request The client. The address. The cancellation token. Sends a discovery document request The client. The request. The cancellation token. HttpClient extensions for dynamic registration Send a dynamic registration request. The client. The request. The cancellation token. HttpClient extensions for OIDC discovery Sends a JSON web key set document request The client. The cancellation token. Sends a JSON web key set document request The client. The request The cancellation token. HttpClient extensions for OAuth token introspection Sends an OAuth token introspection request. The client. The request. The cancellation token. HttpClient extensions for OAuth token requests Sends a token request using the client_credentials grant type. The client. The request. The cancellation token. Sends a token request using the urn:ietf:params:oauth:grant-type:device_code grant type. The client. The request. The cancellation token. Sends a token request using the password grant type. The client. The request. The cancellation token. Sends a token request using the authorization_code grant type. The client. The request. The cancellation token. Sends a token request using the refresh_token grant type. The client. The request. 
The cancellation token. Sends a token request. The client. The request. The cancellation token. Sends a token request. The client. The address. The parameters. The cancellation token. parameters HttpClient extensions for OAuth token revocation Sends an OAuth token revocation request. The client. The request. The cancellation token. HttpClient extensions for OIDC userinfo Sends a userinfo request. The client. The request. The cancellation token. Extensions for JObject Converts a JSON claims object to a list of Claim The json. Claims that should be excluded. Tries to get a value from a JObject The json. The name. Tries to get an int from a JObject The json. The name. Tries to get a string from a JObject The json. The name. Tries to get a boolean from a JObject The json. The name. Tries to get a string array from a JObject The json. The name. Extensions for RequestUrl Creates an authorize URL. The request. The values (either using a string Dictionary or an object's properties). Creates an authorize URL. The request. The client identifier. The response type. The scope. The redirect URI. The state. The nonce. The login hint. The acr values. The prompt. The response mode. The code challenge. The code challenge method. The display option. The max age. The ui locales. The id_token hint. Extra parameters. Creates an end_session URL. The request. The id_token hint. The post logout redirect URI. The state. The extra parameters. Authority validation strategy. Validate issuer name found in Discovery Document. Authority expected. Authority declared in Discovery Document. Validate end point found in Discovery Document. Authority expected. Endpoint declared in Discovery Document. Interface for discovery cache Gets or sets the duration of the cache. The duration of the cache. Retrieves the discovery document Forces a refresh on the next get. Client library for the OAuth 2 introspection endpoint ctor ctor Sets request parameters from the options. The request. The parameters. 
Introspects a token Models the response of an authorize request Initializes a new instance of the class. The raw response URL. Gets the raw response URL. The raw. Gets the key/value pairs of the response. The values. Gets the authorization code. The authorization code. Gets the access token. The access token. Gets the identity token. The identity token. Gets the error. The error. Gets the scope. The scope. Gets the type of the token. The type of the token. Gets the state. The state. Gets the error description. The error description. Gets a value indicating whether the response is an error. true if the response is an error; otherwise, false. Gets the expires in. The expires in. Tries to get a value. The type. Request for device authorization Gets or sets the scope (optional). The scope. Models an OAuth device authorization response Gets the device verification code. The device code. Gets the end-user verification code. The user code. Gets the end-user verification URI on the authorization server. The URI should be short and easy to remember as end users will be asked to manually type it into their user-agent. The verification URI. Gets the verification URI that includes the "user_code" (or other information with the same function as the "user_code"), designed for non-textual transmission. The complete verification URI. Gets the lifetime in seconds of the "device_code" and "user_code". The expires in. Gets the minimum amount of time in seconds that the client SHOULD wait between polling requests to the token endpoint. If no value is provided, clients MUST use 5 as the default. The interval. Gets the error description. The error description. Request for OpenID Connect discovery document Gets or sets the policy. The policy. Models the response from an OpenID Connect discovery endpoint Gets or sets the JSON web key set. The key set. Checks if the issuer matches the authority. The issuer. The authority. Checks if the issuer matches the authority. The issuer. 
The authority. The comparison mechanism that should be used when performing the match. Checks if the issuer matches the authority. The issuer. The authority. The strategy to use. Validates the endpoints and jwks_uri according to the security policy. The json. The policy. Models an OpenID Connect dynamic client registration request Request for dynamic client registration Gets or sets the token. The token. Gets or sets the registration request. The registration request. Models an OpenID Connect dynamic client registration response Request for JSON web key set document Models a response from a JWK endpoint Initializes the key set The key set Models a base OAuth/OIDC request with client credentials Initializes an HTTP protocol request and sets the accept header to application/json Gets or sets the endpoint address (you can also set the RequestUri instead or leave blank to use the HttpClient base address). The address. Gets or sets the client identifier. The client identifier. Gets or sets the client secret. The client secret. Gets or sets the client assertion. The assertion. Gets or sets the client credential style (post body vs authorization header). The client credential style. Gets or sets the basic authentication header style (classic HTTP vs OAuth 2). The basic authentication header style. Gets or sets additional protocol parameters. The parameters. Clones this instance. Clones this instance. Applies protocol parameters to HTTP request Models a client assertion Gets or sets the assertion type. The type. Gets or sets the assertion value. The value. A protocol response Initializes a protocol response from an HTTP response Specific protocol response type The HTTP response. The initialization data. Initializes a protocol response from an exception The ex. The error message. Allows to initialize instance specific data. The initialization data. Gets the HTTP response. The HTTP response. Gets the raw protocol response (if present). The raw. 
Gets the protocol response as JSON (if present). The json. Gets the exception (if present). The exception. Gets a value indicating whether an error occurred. true if an error occurred; otherwise, false. Gets the type of the error. The type of the error. Gets or sets an explicit error message. The type of the error. Gets the HTTP status code. The HTTP status code. Gets the HTTP error reason. The HTTP error reason. Gets the error. The error. Tries to get a specific value from the JSON response. The name. Various reasons for a protocol endpoint error none protocol related - valid response, but some protocol level error. HTTP error - e.g. 404. An exception occurred - exception while connecting to the endpoint, e.g. TLS problems. A policy violation - a configured policy was violated. Request for OAuth token introspection Gets or sets the token. The token. Gets or sets the token type hint. The token type hint. Models an OAuth 2.0 introspection response Allows to initialize instance specific data. The initialization data. Gets a value indicating whether the token is active. true if the token is active; otherwise, false. Gets the claims. The claims. Request for token Gets or sets the type of the grant. The type of the grant. Request for token using client_credentials Gets or sets the scope. The scope. Request for token using urn:ietf:params:oauth:grant-type:device_code Gets or sets the device code. The scope. Request for token using password Gets or sets the name of the user. The name of the user. Gets or sets the password. The password. Gets or sets the scope. The scope. Request for token using authorization_code Gets or sets the code. The code. Gets or sets the redirect URI. The redirect URI. Gets or sets the code verifier. The code verifier. Request for token using refresh_token Gets or sets the refresh token. The refresh token. Gets or sets the scope. The scope. Models a response from an OpenID Connect/OAuth 2 token endpoint Gets the access token. The access token. 
Gets the identity token. The identity token. Gets the type of the token. The type of the token. Gets the refresh token. The refresh token. Gets the error description. The error description. Gets the expires in. The expires in. Request for OAuth token revocation Gets or sets the token. The token. Gets or sets the token type hint. The token type hint. Models an OAuth 2.0 token revocation response Request for OIDC userinfo Gets or sets the token. The token. Models an OpenID Connect userinfo response Allows to initialize instance specific data. The initialization data. Gets the claims. The claims. Helper class for creating request URLs Initializes a new instance of the class. The authorize endpoint. Creates URL based on key/value input pairs. The values (either as a Dictionary of string/string or as a type with properties). Implementation of based on . Constructor with argument. String comparison between issuer and authority (trailing slash ignored). String "starts with" comparison between endpoint and allowed authorities. Client library for the OpenID Connect / OAuth 2 token endpoint Initializes a new instance of the class. The client. The options. client Initializes a new instance of the class. The client func. The options. client Sets request parameters from the options. The request. The parameters. Sends a token request using the client_credentials grant type. The scope (space separated string). Extra parameters. The cancellation token. Sends a token request using the urn:ietf:params:oauth:grant-type:device_code grant type. The device code. Extra parameters. The cancellation token. Sends a token request using the password grant type. Name of the user. The password. The scope (space separated string). Extra parameters. The cancellation token. Sends a token request using the authorization_code grant type. The code. The redirect URI. The code verifier. The parameters. The cancellation token. Sends a token request using the refresh_token grant type. The refresh token. 
The scope (space separated string). Extra parameters. The cancellation token. Sends a token request. Type of the grant. Extra parameters. The cancellation token. A class that mimics the standard Random class in the .NET Framework - but uses a random number generator internally. Output format for unique IDs URL-safe Base64 Base64 Hex Creates a random key byte array. The length. Creates a URL safe unique identifier. The length. The output format Initializes a new instance of the class. Initializes a new instance of the class. seed (ignored) Returns a nonnegative random number. A 32-bit signed integer greater than or equal to zero and less than . Returns a nonnegative random number less than the specified maximum. The exclusive upper bound of the random number to be generated. must be greater than or equal to zero. A 32-bit signed integer greater than or equal to zero, and less than ; that is, the range of return values ordinarily includes zero but not . However, if equals zero, is returned. is less than zero. Returns a random number within a specified range. The inclusive lower bound of the random number returned. The exclusive upper bound of the random number returned. must be greater than or equal to . A 32-bit signed integer greater than or equal to and less than ; that is, the range of return values includes but not . If equals , is returned. is greater than . Returns a random number between 0.0 and 1.0. A double-precision floating point number greater than or equal to 0.0, and less than 1.0. Fills the elements of a specified array of bytes with random numbers. An array of bytes to contain random numbers. is null. Extensions for converting epoch/unix time to DateTime and DateTimeOffset Converts the given date value to epoch time. Converts the given epoch time to a with kind. Helpers to create ClaimsIdentity Creates an anonymous claims identity. The anonymous. Creates a ClaimsIdentity using the specified authentication type and claims. Type of the authentication. 
The claims. Creates a ClaimsIdentity based on information found in an X509 certificate. The certificate. Type of the authentication. if set to true [include all claims]. Append the given query key and value to the URI. The base URI. The name of the query key. The query value. The combined result. Append the given query keys and values to the uri. The base uri. A collection of name value query pairs to append. The combined result. Helpers to deal with tasks. Gets or sets if this library's internal tasks can call ConfigureAwait(false). Gets or sets if this library's internal tasks can call . Helpers to deal with key/value pairs Converts an object to a dictionary. The values. Merges two dictionaries The explicit values. The additional values. Constants for JsonWebAlgorithms "kty" Key Type (sec 6.1) http://tools.ietf.org/html/rfc7518#section-6.1 Represents a Json Web Key as defined in http://tools.ietf.org/html/rfc7517. Initializes a new instance of . Initializes a new instance of from a json string. a string that contains JSON Web Key parameters in JSON format. Gets or sets the 'alg' (KeyType). Gets or sets the 'crv' (ECC - Curve). Gets or sets the 'd' (ECC - Private Key OR RSA - Private Exponent). value is formatted as: Base64urlUInt Gets or sets the 'dp' (RSA - First Factor CRT Exponent). value is formatted as: Base64urlUInt Gets or sets the 'dq' (RSA - Second Factor CRT Exponent). value is formatted as: Base64urlUInt Gets or sets the 'e' (RSA - Exponent). Gets or sets the 'k' (Symmetric - Key Value). Base64urlEncoding Gets or sets the 'key_ops' (Key Operations). Gets or sets the 'kid' (Key ID). Gets or sets the 'kty' (Key Type). Gets or sets the 'n' (RSA - Modulus). value is formatted as: Base64urlEncoding Gets or sets the 'oth' (RSA - Other Primes Info). Gets or sets the 'p' (RSA - First Prime Factor). value is formatted as: Base64urlUInt Gets or sets the 'q' (RSA - Second Prime Factor). 
value is formatted as: Base64urlUInt Gets or sets the 'qi' (RSA - First CRT Coefficient). value is formatted as: Base64urlUInt Gets or sets the 'use' (Public Key Use). Gets or sets the 'x' (ECC - X Coordinate). value is formatted as: Base64urlEncoding Gets the 'x5c' collection (X.509 Certificate Chain). Gets or sets the 'x5t' (X.509 Certificate SHA-1 thumbprint). Gets or sets the 'x5t#S256' (X.509 Certificate SHA-1 thumbprint). Gets or sets the 'x5u' (X.509 URL). Gets or sets the 'y' (ECC - Y Coordinate). value is formatted as: Base64urlEncoding Names for Json Web Key Values Contains a collection of that can be populated from a json string. Initializes a new instance of . Initializes a new instance of from a json string. a json string containing values. if 'json' is null or whitespace. Gets the . Extensions for JsonWebKey Converts a JSON web key to a URL safe string. The key. Commonly used claim types Unique Identifier for the End-User at the Issuer. End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences. Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters. Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters. Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used. Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael. 
Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique, as discussed in http://openid.net/specs/openid-connect-basic-1_0-32.html#ClaimStability URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User. URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User. URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with. End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The relying party MUST NOT rely upon this value being unique. "true" if the End-User's e-mail address has been verified; otherwise "false". When this Claim Value is "true", this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. End-User's gender. Values defined by this specification are "female" and "male". Other values MAY be used when neither of the defined values are applicable. End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. 
Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates. String from the time zone database (http://www.twinsun.com/tz/tz-link.htm) representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles. End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well. End-User's preferred telephone number. E.164 (https://www.itu.int/rec/T-REC-E.164/e) is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678. True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format. End-User's preferred postal address. The value of the address member is a JSON structure containing some or all of the members defined in http://openid.net/specs/openid-connect-basic-1_0-32.html#AddressClaim Audience(s) that this ID Token is intended for. 
It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string. Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components. The time before which the JWT MUST NOT be accepted for processing, specified as the number of seconds from 1970-01-01T0:0:0Z The exp (expiration time) claim identifies the expiration time on or after which the token MUST NOT be accepted for processing, specified as the number of seconds from 1970-01-01T0:0:0Z Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. The iat (issued at) claim identifies the time at which the JWT was issued, specified as the number of seconds from 1970-01-01T0:0:0Z Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. Session identifier. This represents a Session of an OP at an RP to a User Agent or device for a logged-in End-User. Its contents are unique to the OP and opaque to the RP. Authentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied. The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. 
Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE nist_auth_level 0.) An absolute URI or an RFC 6711 registered name SHOULD be used as the acr value; registered names MUST NOT be used with a different meaning than that which is registered. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The acr value is a case sensitive string. Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL. The party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value. Access Token hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, hash the access_token value with SHA-256, then take the left-most 128 bits and base64url encode them. The at_hash value is a case sensitive string. Code hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the code value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. 
For instance, if the alg is HS512, hash the code value with SHA-512, then take the left-most 256 bits and base64url encode them. The c_hash value is a case sensitive string. State hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the state value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is HS512, hash the code value with SHA-512, then take the left-most 256 bits and base64url encode them. The c_hash value is a case sensitive string. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string. JWT ID. A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties; any such negotiation is beyond the scope of this specification. Defines a set of event statements that each may add additional claims to fully describe a single logical event that has occurred. OAuth 2.0 Client Identifier valid at the Authorization Server. OpenID Connect requests MUST contain the "openid" scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. 
The "act" (actor) claim provides a means within a JWT to express that delegation has occurred and identify the acting party to whom authority has been delegated. The "act" claim value is a JSON object and members in the JSON object are claims that identify the actor. The claims that make up the "act" claim identify and possibly provide additional information about the actor. The "may_act" claim makes a statement that one party is authorized to become the actor and act on behalf of another party. The claim value is a JSON object and members in the JSON object are claims that identify the party that is asserted as being eligible to act for the party identified by the JWT containing the claim. an identifier The identity provider The role The reference token identifier The confirmation REQUIRED. Informs the Authorization Server that the Client is making an OpenID Connect request. If the openid scope value is not present, the behavior is entirely unspecified. OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at. OPTIONAL. This scope value requests access to the email and email_verified Claims. OPTIONAL. This scope value requests access to the address Claim. OPTIONAL. This scope value requests access to the phone_number and phone_number_verified Claims. This scope value MUST NOT be used with the OpenID Connect Implicit Client Implementer's Guide 1.0. See the OpenID Connect Basic Client Implementer's Guide 1.0 (http://openid.net/specs/openid-connect-implicit-1_0.html#OpenID.Basic) for its usage in that subset of OpenID Connect. Helper class to create ClaimsPrincipal Gets an anonymous ClaimsPrincipal. Creates a ClaimsPrincipal using the specified authentication type and claims. Type of the authentication. The claims. 
Creates a ClaimsPrincipal based on information found in an X509 certificate. The certificate. Type of the authentication. if set to true [include all claims]. Extensions for strings Creates a SHA256 hash of the specified input. The input. A hash Creates a SHA512 hash of the specified input. The input. A hash Helper class to do equality checks without leaking timing information Checks two strings for equality without leaking timing information. string 1. string 2. true if the specified strings are equal; otherwise, false. HTTP Basic Authentication authorization header Initializes a new instance of the class. Name of the user. The password. Encodes the credential. Name of the user. The password. userName HTTP Basic Authentication authorization header for RFC6749 client authentication Initializes a new instance of the class. Name of the user. The password. Encodes the credential. Name of the user. The password. userName
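
The at_hash and c_hash claim descriptions above define the value as the base64url encoding of the left-most half of the hash selected by the ID token's alg header. The following C# is an added example, not code from IdentityModel: the names TokenHashExample, ComputeHalfHash and IsValidHash and the sample token values are constructed for illustration, and mapping alg to a hash by its numeric suffix is an assumption that covers the RS/ES/PS/HS families only.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: names and sample values are illustrative, not IdentityModel APIs.
static class TokenHashExample
{
    // Assumption: the hash is chosen from the numeric suffix of the JOSE "alg"
    // value (RS256/ES256/PS256/HS256 -> SHA-256, ...384 -> SHA-384, ...512 -> SHA-512).
    // Anything else, including "none", is rejected.
    static HashAlgorithm CreateHashFor(string alg)
    {
        if (alg == null || alg.Length < 3)
            throw new NotSupportedException("Missing or unsupported alg.");

        switch (alg.Substring(alg.Length - 3))
        {
            case "256": return SHA256.Create();
            case "384": return SHA384.Create();
            case "512": return SHA512.Create();
            default: throw new NotSupportedException("Unsupported alg: " + alg);
        }
    }

    // base64url(left-most half of hash(ASCII(value))), as described for at_hash / c_hash.
    public static string ComputeHalfHash(string value, string alg)
    {
        using (HashAlgorithm hash = CreateHashFor(alg))
        {
            byte[] digest = hash.ComputeHash(Encoding.ASCII.GetBytes(value));
            return Convert.ToBase64String(digest, 0, digest.Length / 2)
                .TrimEnd('=')
                .Replace('+', '-')
                .Replace('/', '_');
        }
    }

    // Returns true only if the claim from the ID token matches the value that was
    // actually received (access token for at_hash, authorization code for c_hash).
    public static bool IsValidHash(string claimValue, string value, string alg)
    {
        if (string.IsNullOrEmpty(claimValue) || string.IsNullOrEmpty(value))
            return false;

        byte[] expected;
        try
        {
            expected = Encoding.ASCII.GetBytes(ComputeHalfHash(value, alg));
        }
        catch (NotSupportedException)
        {
            return false; // unknown alg: fail closed
        }

        byte[] presented = Encoding.ASCII.GetBytes(claimValue);

        // The claim values are case sensitive, so compare bytes exactly.
        // FixedTimeEquals returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(expected, presented);
    }

    static void Main()
    {
        // Constructed sample values, not real tokens.
        string accessToken = "constructed-sample-access-token";
        string alg = "RS256";

        // What an OpenID Provider would place in the ID token.
        string atHash = ComputeHalfHash(accessToken, alg);
        Console.WriteLine("at_hash for sample token: " + atHash);

        // Matching token is accepted.
        Console.WriteLine(IsValidHash(atHash, accessToken, alg));

        // A different access token delivered alongside the same ID token is rejected.
        Console.WriteLine(IsValidHash(atHash, accessToken + "x", alg));

        // A claim that differs only in case is rejected.
        Console.WriteLine(IsValidHash(atHash.ToUpperInvariant(), accessToken, alg)
                          && atHash != atHash.ToUpperInvariant());

        // An unsupported alg fails closed.
        Console.WriteLine(IsValidHash(atHash, accessToken, "none"));
    }
}
```

A relying party would run this check after the ID token's signature has been validated, taking alg from the validated JOSE header rather than from any other source.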