IdentityModel
Base64Url encoder/decoder
Encodes the specified byte array.
The argument.
Decodes the specified string.
The argument.
Illegal base64url string!
Compares two instances of Claim
Claim comparison options
Specifies if the issuer value is being taken into account
Specifies if claim and issuer value comparison should be case-sensitive
Initializes a new instance of the class with default options.
Initializes a new instance of the class with given comparison options.
Comparison options.
Implementation of based on equality.
Trailing slash is also ignored.
Enum for specifying the encoding style of the basic authentication header
Recommended. Uses the encoding as described in the OAuth 2.0 spec (https://tools.ietf.org/html/rfc6749#section-2.3.1). Base64(urlformencode(client_id) + ":" + urlformencode(client_secret))
Uses the encoding as described in the original basic authentication spec (https://tools.ietf.org/html/rfc2617#section-2 - used by some non-OAuth 2.0 compliant authorization servers). Base64(client_id + ":" + client_secret).
Specifies how the client will transmit client ID and secret
HTTP basic authentication
Post values in body
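The two header styles above produce different bytes as soon as a client id or secret contains a reserved character, which is a common cause of "invalid_client" against one authorization server and success against another. The following is an added example (not IdentityModel's own code) that re-implements both encodings with the base class library so the difference is visible, then shows the corresponding extension methods. The credentials are constructed, and WebUtility.UrlEncode is assumed here as the application/x-www-form-urlencoded encoder; the library's own encoder may differ in details such as how a space is escaped.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Text;
using IdentityModel.Client;

// Added example: both basic-authentication encodings side by side.
static class BasicAuthStyles
{
    // RFC 2617 style: Base64(client_id + ":" + client_secret), no escaping.
    public static string Rfc2617(string clientId, string clientSecret) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes($"{clientId}:{clientSecret}"));

    // RFC 6749 section 2.3.1 style: form-url-encode each part first, then
    // Base64 the joined string. Assumption: WebUtility.UrlEncode stands in for
    // the application/x-www-form-urlencoded encoder.
    public static string Rfc6749(string clientId, string clientSecret) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(
            $"{WebUtility.UrlEncode(clientId)}:{WebUtility.UrlEncode(clientSecret)}"));
}

class Program
{
    static void Main()
    {
        // Constructed credentials with characters the two styles treat differently.
        var clientId = "my client";            // space
        var secret = "p@ss:word/with+chars";   // '@' ':' '/' '+'

        // Different header values for the same credentials: a server that
        // url-decodes per RFC 6749 will not recover the RFC 2617 form ('+'
        // turns into a space, '%' sequences are reinterpreted), and vice versa.
        Console.WriteLine("RFC 2617: " + BasicAuthStyles.Rfc2617(clientId, secret));
        Console.WriteLine("RFC 6749: " + BasicAuthStyles.Rfc6749(clientId, secret));

        // Plain alphanumeric credentials encode identically in both styles,
        // which is why the mismatch often goes unnoticed until a secret is rotated.
        Console.WriteLine(BasicAuthStyles.Rfc2617("app", "abc123") ==
                          BasicAuthStyles.Rfc6749("app", "abc123")); // True

        // The same choice expressed through the library's extension methods
        // (hypothetical token endpoint address):
        var request = new HttpRequestMessage(HttpMethod.Post, "https://as.example.com/connect/token");
        request.SetBasicAuthenticationOAuth(clientId, secret); // BasicAuthenticationHeaderStyle.Rfc6749
        // request.SetBasicAuthentication(clientId, secret);   // BasicAuthenticationHeaderStyle.Rfc2617
        Console.WriteLine(request.Headers.Authorization);
    }
}
```

For the token, introspection and revocation request types the same choice is made through the basic authentication header style option rather than by calling the extension methods directly; the default is the RFC 6749 form, and the RFC 2617 form should only be selected for servers known to require it.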
Options for TokenClient
Options for IntrospectionClient
Base-class protocol client options
Gets or sets the address.
The address.
Gets or sets the client identifier.
The client identifier.
Gets or sets the client secret.
The client secret.
Gets or sets the client assertion.
The assertion.
Gets or sets the client credential style.
The client credential style.
Gets or sets the basic authentication header style.
The basic authentication header style.
Gets or sets additional request parameters (must not conflict with locally set parameters)
The parameters.
Helper for caching discovery documents.
Initializes a DiscoveryCache for the given authority.
Base address or discovery document endpoint.
The policy.
Initializes a DiscoveryCache for the given authority and HTTP client factory.
Base address or discovery document endpoint.
The HTTP client function.
The policy.
Frequency to refresh discovery document. Defaults to 24 hours.
Get the DiscoveryResponse either from cache or from discovery endpoint.
Marks the discovery document as stale and will trigger a request to the discovery endpoint on the next request to get the DiscoveryResponse.
Represents a URL to a discovery endpoint - parsed to separate the URL and authority
Parses a URL and turns it into authority and discovery endpoint URL.
The input.
The path to the discovery document. If not specified this defaults to .well-known/openid-configuration
Malformed URL
Determines whether the URL uses http or https.
The URL.
true if the URL uses http or https; otherwise, false.
Determines whether the URL uses a secure scheme according to the policy.
The URL.
The policy.
true if the URL uses a scheme the policy considers secure (https, or http on an allowed loopback address); otherwise, false.
Initializes a new instance of the class.
The authority.
The discovery endpoint URL.
Gets or sets the authority.
The authority.
Gets or sets the discovery endpoint.
The discovery endpoint.
Security policy for retrieving a discovery document
Gets or sets the Authority on which the policy checks will be based on
The path of the discovery document. Defaults to /.well-known/openid-configuration.
Strategy used to validate issuer name and endpoints based on expected authority.
Defaults to .
Specifies if HTTPS is enforced on all endpoints. Defaults to true.
Specifies if HTTP is allowed on loopback addresses. Defaults to true.
Specifies valid loopback addresses, defaults to localhost and 127.0.0.1
Specifies if the issuer name is checked to be identical to the authority. Defaults to true.
Specifies if all endpoints are checked to belong to the authority. Defaults to true.
Specifies a list of endpoints that should be excluded from validation
Specifies a list of additional base addresses that should be allowed for endpoints
Specifies if a key set is required. Defaults to true.
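The policy settings above decide whether a discovery document fetched over the network is trusted at all: issuer-name and endpoint validation are what stop a provider (or an attacker who can influence the document) from pointing the client at endpoints on another host. The following is an added example (not IdentityModel's own code) of configuring the policy explicitly, reading the cached document, and forcing a refresh after a key rotation. The authority and the additional token-service address are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

// Added example: an explicit discovery policy plus a shared discovery cache.
// "https://login.example.com" and "https://token.example.com" are hypothetical.
class DiscoveryExample
{
    static readonly DiscoveryCache Cache = new DiscoveryCache(
        "https://login.example.com",
        new DiscoveryPolicy
        {
            RequireHttps = true,             // default; reject any http:// endpoint
            AllowHttpOnLoopback = false,     // default is true; switch off outside local development
            ValidateIssuerName = true,       // default; issuer in the document must equal the authority
            ValidateEndpoints = true,        // default; every endpoint must live under the authority...
            // ...except hosts that are explicitly trusted, e.g. a separately hosted token service
            AdditionalEndpointBaseAddresses = { "https://token.example.com" },
            RequireKeySet = true             // default; fail if jwks_uri is missing or unreachable
        })
    {
        CacheDuration = TimeSpan.FromHours(1)   // default is 24 hours
    };

    public static async Task<string> GetTokenEndpointAsync()
    {
        var disco = await Cache.GetAsync();
        if (disco.IsError)
        {
            // ResponseErrorType.PolicyViolation means the document was fetched
            // successfully but broke one of the rules above. Treat it like any
            // other failure; never fall back to using the endpoints anyway.
            throw new InvalidOperationException($"{disco.ErrorType}: {disco.Error}");
        }
        return disco.TokenEndpoint;
    }

    // Call this when token validation fails with an unknown 'kid': the provider
    // may have rotated keys, so force a re-read of the document and jwks_uri on
    // the next GetAsync instead of waiting for the cache to expire.
    public static void SignalKeyRotation() => Cache.Refresh();
}
```

Keep one cache instance per authority for the lifetime of the process; creating a new DiscoveryCache per request defeats the caching and turns every token validation into a network round trip to the discovery endpoint.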
Extensions for HttpRequestMessage
Sets a basic authentication header.
The client.
Name of the user.
The password.
Sets a basic authentication header for RFC6749 client authentication.
The client.
Name of the user.
The password.
Sets an authorization header with a given scheme and value.
The client.
The scheme.
The token.
Sets an authorization header with a bearer token.
The client.
The token.
Sets a basic authentication header.
The HTTP request message.
Name of the user.
The password.
Sets a basic authentication header for RFC6749 client authentication.
The HTTP request message.
Name of the user.
The password.
Sets an authorization header with a given scheme and value.
The HTTP request message.
The scheme.
The token.
Sets an authorization header with a bearer token.
The HTTP request message.
The token.
Sets an authorization header with a DPoP token, and the DPoP proof token header with a proof token.
The HTTP request message.
The access token.
The proof token.
HttpClient extensions CIBA backchannel authentication
Sends a CIBA backchannel authentication request
The client.
The request.
The cancellation token.
HttpClient extensions for OIDC userinfo
Sends a userinfo request.
The client.
The request.
The cancellation token.
HttpClient extensions for OIDC discovery
Sends a discovery document request
The client.
The address.
The cancellation token.
Sends a discovery document request
The client.
The request.
The cancellation token.
HttpClient extensions for dynamic registration
Send a dynamic registration request.
The client.
The request.
The cancellation token.
HttpClient extensions for JSON web key set documents
Sends a JSON web key set document request
The client.
The cancellation token.
Sends a JSON web key set document request
The client.
The request
The cancellation token.
HttpClient extensions for OAuth token introspection
Sends an OAuth token introspection request.
The client.
The request.
The cancellation token.
HttpClient extensions for OAuth token requests
Sends a token request using the client_credentials grant type.
The client.
The request.
The cancellation token.
Sends a token request using the urn:ietf:params:oauth:grant-type:device_code grant type.
The client.
The request.
The cancellation token.
Sends a token request using the password grant type.
The client.
The request.
The cancellation token.
Sends a token request using the authorization_code grant type.
The client.
The request.
The cancellation token.
Sends a token request using the refresh_token grant type.
The client.
The request.
The cancellation token.
Sends a token exchange request.
The client.
The request.
The cancellation token.
Sends a token request using the urn:openid:params:grant-type:ciba grant type.
The client.
The request.
The cancellation token.
Sends a token request.
The client.
The request.
The cancellation token.
Sends a token request.
The client.
The address.
The parameters.
The cancellation token.
Thrown if parameters is null.
HttpClient extensions for OAuth token revocation
Sends an OAuth token revocation request.
The client.
The request.
The cancellation token.
HttpClient extensions for OIDC userinfo
Sends a userinfo request.
The client.
The request.
The cancellation token.
Extensions for JObject
Converts a JSON claims object to a list of Claim
The json.
Optional issuer name to add to claims.
Claims that should be excluded.
Tries to get a value from a JObject
The json.
The name.
Tries to get an int from a JObject
The json.
The name.
Tries to get a string from a JObject
The json.
The name.
Tries to get a boolean from a JObject
The json.
The name.
Tries to get a string array from a JObject
The json.
The name.
Extensions for RequestUrl
Creates an authorize URL.
The request.
The parameters.
Creates an authorize URL.
The request.
The client identifier.
The response type.
The scope.
The redirect URI.
The state.
The nonce.
The login hint.
The acr values.
The prompt.
The response mode.
The code challenge.
The code challenge method.
The display option.
The max age.
The ui locales.
The id_token hint.
Extra parameters.
Creates an end_session URL.
The request.
The id_token hint.
The post logout redirect URI.
The state.
The extra parameters.
Authority validation strategy.
Validate issuer name found in Discovery Document.
Authority expected.
Authority declared in Discovery Document.
Validate end point found in Discovery Document.
Authority expected.
Endpoint declared in Discovery Document.
Interface for discovery cache
Gets or sets the duration of the cache.
The duration of the cache.
Retrieves the discovery document
Forces a refresh on the next get.
Client library for the OAuth 2 introspection endpoint
ctor
ctor
Sets request parameters from the options.
The request.
The parameters.
Introspects a token
Request for token using authorization_code
Gets or sets the code.
The code.
Gets or sets the redirect URI.
The redirect URI.
List of requested resources
The scope.
Gets or sets the code verifier.
The code verifier.
Models the response of an authorize request
Initializes a new instance of the class.
The raw response URL.
Gets the raw response URL.
The raw.
Gets the key/value pairs of the response.
The values.
Gets the authorization code.
The authorization code.
Gets the access token.
The access token.
Gets the identity token.
The identity token.
Gets the error.
The error.
Gets the scope.
The scope.
Gets the type of the token.
The type of the token.
Gets the state.
The state.
Gets the session state.
The session state.
Gets the issuer name.
The issuer name.
Gets the error description.
The error description.
Gets a value indicating whether the response is an error.
true if the response is an error; otherwise, false.
Gets the expires in.
The expires in.
Tries to get a value of the given type from the response.
The type.
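The authorize URL helper above and the AuthorizeResponse model are the two ends of the authorization code flow: the client mints state, nonce and a PKCE code verifier with CryptoRandom, sends the challenge in the authorize URL, and later binds the callback to the pending request via state before redeeming the code with the verifier. The following is an added example (not IdentityModel's own code) of that round trip for a public (native) client. Endpoints, client id and redirect URI are assumptions; the callback URL passed to HandleCallbackAsync would come from the browser.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using IdentityModel;
using IdentityModel.Client;

// Added example: authorization code flow with PKCE for a public client.
// All addresses and the client id are hypothetical.
class PkceFlow
{
    const string AuthorizeEndpoint = "https://login.example.com/connect/authorize";
    const string TokenEndpoint = "https://login.example.com/connect/token";
    const string ClientId = "native-app";
    const string RedirectUri = "http://127.0.0.1:7890/callback";

    // Per-request secrets. CryptoRandom is backed by a cryptographic RNG, so the
    // values are suitable for state, nonce and the PKCE verifier (lengths are bytes).
    public string State { get; } = CryptoRandom.CreateUniqueId(32);
    public string Nonce { get; } = CryptoRandom.CreateUniqueId(32);
    public string CodeVerifier { get; } = CryptoRandom.CreateUniqueId(64);

    // S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
    public string CodeChallenge
    {
        get
        {
            using var sha = SHA256.Create();
            return Base64Url.Encode(sha.ComputeHash(Encoding.ASCII.GetBytes(CodeVerifier)));
        }
    }

    public string BuildAuthorizeUrl() =>
        new RequestUrl(AuthorizeEndpoint).CreateAuthorizeUrl(
            clientId: ClientId,
            responseType: OidcConstants.ResponseTypes.Code,
            scope: "openid profile api",
            redirectUri: RedirectUri,
            state: State,
            nonce: Nonce,
            codeChallenge: CodeChallenge,
            codeChallengeMethod: OidcConstants.CodeChallengeMethods.Sha256);

    // Parse the URL the browser was redirected to, check it belongs to this
    // request (state), then redeem the code together with the verifier.
    public async Task<TokenResponse> HandleCallbackAsync(HttpClient http, string callbackUrl)
    {
        var response = new AuthorizeResponse(callbackUrl);
        if (response.IsError)
            throw new InvalidOperationException($"{response.Error}: {response.ErrorDescription}");
        if (!string.Equals(response.State, State, StringComparison.Ordinal))
            throw new InvalidOperationException("state mismatch: callback does not belong to this request");

        return await http.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
        {
            Address = TokenEndpoint,
            ClientId = ClientId,        // public client: no secret, PKCE binds code to this instance
            Code = response.Code,
            RedirectUri = RedirectUri,  // must match the value sent in the authorize request
            CodeVerifier = CodeVerifier
        });
    }
}
```

The nonce is only useful if the id_token's nonce claim is compared against the stored value when the token is validated; that validation is outside this page and is done with a JWT library, not with the request helpers shown here.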
Request for CIBA backchannel authentication
REQUIRED. The scope of the access request as described by Section 3.3 of RFC6749.
REQUIRED if the Client is registered to use Ping or Push modes.
It is a bearer token provided by the Client that will be used by the OpenID Provider to authenticate the callback request to the Client.
The length of the token MUST NOT exceed 1024 characters and it MUST conform to the syntax for Bearer credentials as defined in Section 2.1 of RFC6750.
OPTIONAL. Requested Authentication Context Class Reference values.
A space-separated string that specifies the acr values that the OpenID Provider is being requested to use for processing this Authentication Request, with the values appearing in order of preference.
OPTIONAL. A token containing information identifying the end-user for whom authentication is being requested.
OPTIONAL. An ID Token previously issued to the Client by the OpenID Provider being passed back as a hint to identify the end-user for whom authentication is being requested.
OPTIONAL. A hint to the OpenID Provider regarding the end-user for whom authentication is being requested.
OPTIONAL. A human-readable identifier or message intended to be displayed on both the consumption device and the authentication device to interlock them together for the transaction by way of a visual cue for the end-user.
OPTIONAL. A secret code, such as a password or pin, that is known only to the user but verifiable by the OP.
OPTIONAL. A positive integer allowing the client to request the expires_in value for the auth_req_id the server will return.
OPTIONAL. A signed authentication request is made by encoding all of the authentication request parameters as claims of a signed JWT with each parameter name as the claim name and its value as a JSON string.
List of requested resources
The resources.
Models a CIBA backchannel authentication response
REQUIRED. This is a unique identifier to identify the authentication request made by the Client.
REQUIRED. A JSON number with a positive integer value indicating the expiration time of the "auth_req_id" in seconds since the authentication request was received.
OPTIONAL. A JSON number with a positive integer value indicating the minimum amount of time in seconds that the Client MUST wait between polling requests to the token endpoint.
Request for token using urn:openid:params:grant-type:ciba grant type
REQUIRED. It is the unique identifier to identify the authentication request (transaction) made by the Client.
List of requested resources
The resources.
Models a client assertion
Gets or sets the assertion type.
The type.
Gets or sets the assertion value.
The value.
Request for token using client_credentials
Space separated list of the requested scopes
The scope.
List of requested resources
The resources.
Request for device authorization
Space separated list of the requested scopes (optional).
The scope.
Models an OAuth device authorization response
Gets the device verification code.
The device code.
Gets the end-user verification code.
The user code.
Gets the end-user verification URI on the authorization server. The URI should be short and easy to remember as end users will be asked to manually type it into their user-agent.
The verification URI.
Gets the verification URI that includes the "user_code" (or other information with the same function as the "user_code"), designed for non-textual transmission.
The complete verification URI.
Gets the lifetime in seconds of the "device_code" and "user_code".
The expires in.
Gets the minimum amount of time in seconds that the client SHOULD wait between polling requests to the token endpoint. If no value is provided, clients MUST use 5 as the default.
The interval.
Gets the error description.
The error description.
Request for token using urn:ietf:params:oauth:grant-type:device_code
Gets or sets the device code.
The device code.
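The device authorization request, the response fields above and the device_code token request together form the RFC 8628 device flow, and the interval, slow_down and expiry rules are where client implementations most often go wrong (polling too fast gets a client rate limited or blocked). The following is an added example (not IdentityModel's own code) of the complete exchange from the device's side; the endpoint addresses and client id are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using IdentityModel;
using IdentityModel.Client;

// Added example: RFC 8628 device flow with correct polling behaviour.
// Addresses and client id are hypothetical.
class DeviceFlow
{
    const string DeviceEndpoint = "https://login.example.com/connect/deviceauthorization";
    const string TokenEndpoint = "https://login.example.com/connect/token";
    const string ClientId = "tv-app";

    public static async Task<TokenResponse> RunAsync(HttpClient http, CancellationToken ct)
    {
        var auth = await http.RequestDeviceAuthorizationAsync(new DeviceAuthorizationRequest
        {
            Address = DeviceEndpoint,
            ClientId = ClientId,
            Scope = "openid api offline_access"
        }, ct);
        if (auth.IsError)
            throw new InvalidOperationException($"{auth.ErrorType}: {auth.Error}");

        // Show user_code and verification_uri on the input-constrained device;
        // VerificationUriComplete is the variant for QR codes and similar.
        Console.WriteLine($"Visit {auth.VerificationUri} and enter the code {auth.UserCode}");

        // Poll no faster than 'interval' (5 s when the server sends none),
        // back off on slow_down, and give up once device_code has expired.
        int interval = auth.Interval is int i && i > 0 ? i : 5;
        int lifetime = auth.ExpiresIn is int e && e > 0 ? e : 300;
        var deadline = DateTimeOffset.UtcNow.AddSeconds(lifetime);

        while (DateTimeOffset.UtcNow < deadline)
        {
            await Task.Delay(TimeSpan.FromSeconds(interval), ct);

            var token = await http.RequestDeviceTokenAsync(new DeviceTokenRequest
            {
                Address = TokenEndpoint,
                ClientId = ClientId,
                DeviceCode = auth.DeviceCode
            }, ct);

            if (!token.IsError) return token;

            switch (token.Error)
            {
                case OidcConstants.TokenErrors.AuthorizationPending:
                    continue;                // user has not approved yet: keep waiting
                case OidcConstants.TokenErrors.SlowDown:
                    interval += 5;           // RFC 8628: increase the interval by 5 seconds
                    continue;
                default:                     // access_denied, expired_token, invalid_grant, ...
                    throw new InvalidOperationException($"{token.ErrorType}: {token.Error}");
            }
        }
        throw new TimeoutException("device_code expired before the user approved the request");
    }
}
```

The device_code is a bearer secret for the pending authorization: keep it in memory only, and never display it next to the user_code.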
Request for OpenID Connect discovery document
Gets or sets the policy.
The policy.
Models the response from an OpenID Connect discovery endpoint
Gets or sets the JSON web key set.
The key set.
Gets the MTLS endpoint aliases
The MTLS endpoint aliases.
Checks if the issuer matches the authority.
The issuer.
The authority.
Checks if the issuer matches the authority.
The issuer.
The authority.
The comparison mechanism that should be used when performing the match.
Checks if the issuer matches the authority.
The issuer.
The authority.
The strategy to use.
Validates the endpoints and jwks_uri according to the security policy.
The json.
The policy.
Models an OpenID Connect dynamic client registration request.
List of redirection URI strings for use in redirect-based flows such as the authorization code and implicit flows.
Clients using flows with redirection must register their redirection URI values.
List of the OAuth 2.0 response type strings that the client can use at the authorization endpoint.
Example: "code" or "token".
List of OAuth 2.0 grant type strings that the client can use at the token endpoint.
Example: "authorization_code", "implicit", "password", "client_credentials", "refresh_token".
Kind of the application.
The defined values are "native" or "web".
List of strings representing ways to contact people responsible for this client, typically email addresses.
The authorization server may make these contact addresses available to end-users for support requests for the client.
Human-readable string name of the client to be presented to the end-user during authorization.
Logo for the client.
If present, the server should display this image to the end-user during approval.
Web page providing information about the client.
Human-readable privacy policy document that describes how the deployment organization
collects, uses, retains, and discloses personal data.
Human-readable terms of service document for the client that describes a contractual relationship
between the end-user and the client that the end-user accepts when authorizing the client.
JWK Set document which contains the client's public keys.
Use of this parameter is preferred over the "jwks" parameter, as it allows for easier key rotation.
The jwks_uri and jwks parameters MUST NOT both be present in the same request or response.
URL using the https scheme to be used in calculating Pseudonymous Identifiers by the OpenID provider.
The URL references a file with a single JSON array of redirect_uri values.
Valid types include "pairwise" and "public".
String containing a space-separated list of scope values that the client can use when requesting access tokens.
If omitted, an authorization server may register a client with a default set of scopes.
List of post-logout redirection URIs for use in the end session
endpoint.
RP URL that will cause the RP to log itself out when rendered in an
iframe by the OP.
Boolean value specifying whether the RP requires that a sid (session ID)
query parameter be included to identify the RP session with the OP when
the frontchannel_logout_uri is used.
RP URL that will cause the RP to log itself out when sent a Logout Token
by the OP.
Boolean value specifying whether the RP requires that a sid (session ID)
Claim be included in the Logout Token to identify the RP session with
the OP when the backchannel_logout_uri is used.
A software statement containing client metadata values about the client
software as claims. This is a string value containing the entire signed
JWT.
A unique identifier string assigned by the client developer or software
publisher used by registration endpoints to identify the client software to be dynamically registered.
The value of this field is not intended to be human readable and is usually opaque to the client and authorization server.
A version identifier string for the client software identified by .
Boolean value specifying whether authorization requests must be
protected as signed request objects and provided through either the
request or request_uri parameters.
Default maximum authentication age.
Whether the auth_time claim in the id token is required.
Default requested Authentication Context Class Reference values.
URI using the https scheme that a third party can use to initiate a
login by the relying party.
The URI must accept requests via both GET and POST. The client must
understand the login_hint and iss parameters and should support
the target_link_uri parameter.
List of request URI values that are pre-registered by the relying party for use at the OpenID provider.
Custom client metadata fields to include in the serialization.
Request for dynamic client registration
Gets or sets the token.
The token.
Gets or sets the registration request.
The registration request.
Models an OpenID Connect dynamic client registration response
Request for JSON web key set document
Models a response from a JWK endpoint
Initializes the key set
The key set
MTLS endpoint aliases
The raw JSON
ctor
Returns the token endpoint address
Returns the revocation endpoint address
Returns the device authorization endpoint address
Returns the introspection endpoint address
Specifies how parameters in the collection get replaced (or not).
Allow multiple
Replace a single parameter with the same key
Replace all parameters with same key
Models a list of request parameters
Turns an anonymous type or dictionary into Parameters (mainly for backwards compatibility)
ctor
ctor
Adds a key/value to the list
The key.
The value
Replace behavior.
Get parameter value(s) based on name
Get parameter values based on name
Checks the existence of a parameter
Adds a parameter if it has a value
The key.
The value.
Allow multiple values of the same parameter.
Adds a required parameter
The key.
The value.
Allow multiple values of the same parameter.
Allow an empty value.
Merge two parameter sets
Merged parameters
Request for token using password
Gets or sets the name of the user.
The name of the user.
Gets or sets the password.
The password.
Space separated list of the requested scopes
The scope.
List of requested resources
The resources.
Models a base OAuth/OIDC request with client credentials
Initializes the HTTP protocol request and sets the accept header to application/json
Gets or sets the endpoint address (you can also set the RequestUri instead or leave blank to use the HttpClient base address).
The address.
Gets or sets the client identifier.
The client identifier.
Gets or sets the client secret.
The client secret.
Gets or sets the client assertion.
The assertion.
Gets or sets the client credential style (post body vs authorization header).
The client credential style.
Gets or sets the basic authentication header style (classic HTTP vs OAuth 2).
The basic authentication header style.
The DPoP proof token to use on the token endpoint.
Gets or sets additional protocol parameters.
The parameters.
Clones this instance.
Clones this instance.
Applies protocol parameters to HTTP request
A protocol response
Initializes a protocol response from an HTTP response
Specific protocol response type
The HTTP response.
The initialization data.
Initializes a protocol response from an exception
The ex.
The error message.
Allows to initialize instance specific data.
The initialization data.
Gets the HTTP response.
The HTTP response.
Gets the raw protocol response (if present).
The raw.
Gets the protocol response as JSON (if present).
The json.
Gets the exception (if present).
The exception.
Gets a value indicating whether an error occurred.
true if an error occurred; otherwise, false.
Gets the type of the error.
The type of the error.
Gets or sets an explicit error message.
The error message.
Gets the HTTP status code, or 0 when there is no HTTP response (e.g. an exception occurred before a response was received).
The HTTP status code.
Gets the HTTP error reason, or null when there is no HTTP response.
The HTTP error reason.
Gets the error.
The error.
Tries to get a specific value from the JSON response.
The name.
The returned DPoP nonce header.
Request for token using refresh_token
Gets or sets the refresh token.
The refresh token.
Space separated list of the requested scopes. The Scope attribute cannot be used to extend the scopes granted by the resource owner
See https://datatracker.ietf.org/doc/html/rfc6749#section-6 for further detail on restrictions
The scope.
List of requested resources
The resources.
Various reasons for a protocol endpoint error
none
protocol related - valid response, but some protocol level error.
HTTP error - e.g. 404.
An exception occurred - exception while connecting to the endpoint, e.g. TLS problems.
A policy violation - a configured policy was violated.
Request for token using urn:ietf:params:oauth:grant-type:token-exchange
OPTIONAL. A URI that indicates the target service or resource.
OPTIONAL. The logical name of the target service where the client intends to use the requested security token.
OPTIONAL. Space separated list of the requested scopes
OPTIONAL. An identifier for the type of the requested security token.
REQUIRED. A security token that represents the identity of the party on behalf of whom the request is being made.
REQUIRED. An identifier that indicates the type of the security token in the "subject_token" parameter.
OPTIONAL. A security token that represents the identity of the acting party.
An identifier that indicates the type of the security token in the "actor_token" parameter. This is REQUIRED when the "actor_token" parameter is present in the request but MUST NOT be included otherwise.
Request for OAuth token introspection
Gets or sets the token.
The token.
Gets or sets the token type hint.
The token type hint.
Models an OAuth 2.0 introspection response
Allows to initialize instance specific data.
The initialization data.
Gets a value indicating whether the token is active.
true if the token is active; otherwise, false.
Gets the claims.
The claims.
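Introspection is how an API validates a reference (opaque) token, and "active" alone is not enough: the response must also be checked for the audience and scope the API expects, and the API authenticates itself to the introspection endpoint with its own credentials. The following is an added example (not IdentityModel's own code) that uses the IntrospectionClient described above for that check, and the revocation request for the client-side logout case. Endpoint addresses, the API resource name and all credentials are assumptions.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel.Client;

// Added example: reference-token validation at an API via introspection,
// plus best-effort revocation. Addresses and credentials are hypothetical.
class ReferenceTokenValidator
{
    const string IntrospectionEndpoint = "https://login.example.com/connect/introspect";
    const string RevocationEndpoint = "https://login.example.com/connect/revocation";
    const string ApiName = "api1";

    readonly IntrospectionClient _client;

    public ReferenceTokenValidator(HttpClient http)
    {
        _client = new IntrospectionClient(http, new IntrospectionClientOptions
        {
            Address = IntrospectionEndpoint,
            ClientId = ApiName,                 // the API authenticates, not the end user
            ClientSecret = "api1-secret",
            ClientCredentialStyle = ClientCredentialStyle.AuthorizationHeader
        });
    }

    // Returns the caller's identity, or null when the token must be rejected.
    public async Task<ClaimsPrincipal> ValidateAsync(string token)
    {
        var result = await _client.Introspect(token);
        if (result.IsError)
            throw new InvalidOperationException($"introspection failed: {result.ErrorType} {result.Error}");

        // 'active: false' is the only signal RFC 7662 gives for expired, revoked
        // or unknown tokens; all of them are rejected the same way.
        if (!result.IsActive) return null;

        var claims = result.Claims.ToList();

        // An active token may still be for a different audience or lack the
        // scope this API needs. Scope is matched whether it arrives as one
        // space-delimited claim or as one claim per scope.
        if (!claims.Any(c => c.Type == "aud" && c.Value == ApiName)) return null;
        if (!claims.Any(c => c.Type == "scope" && c.Value.Split(' ').Contains("api1.read"))) return null;

        return new ClaimsPrincipal(new ClaimsIdentity(claims, "introspection", "sub", "role"));
    }

    // Revocation on logout. The server answers 200 even for unknown tokens
    // (RFC 7009), so only transport and client-authentication failures surface.
    public static async Task RevokeAsync(HttpClient http, string refreshToken)
    {
        var response = await http.RevokeTokenAsync(new TokenRevocationRequest
        {
            Address = RevocationEndpoint,
            ClientId = "web-app",
            ClientSecret = "web-app-secret",
            Token = refreshToken,
            TokenTypeHint = "refresh_token"
        });
        if (response.IsError)
            throw new InvalidOperationException($"revocation failed: {response.ErrorType} {response.Error}");
    }
}
```

Cache introspection results only for a short, bounded time (well under the token lifetime), since a revoked token stays "active" in the cache until the entry expires.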
Request for token
Gets or sets the type of the grant.
The type of the grant.
Models a response from an OpenID Connect/OAuth 2 token endpoint
Gets the access token.
The access token.
Gets the identity token.
The identity token.
Gets the scope.
The scope.
Gets the issued token type.
The issued token type.
Gets the type of the token.
The type of the token.
Gets the refresh token.
The refresh token.
Gets the error description.
The error description.
Gets the expires in.
The expires in.
Request for OAuth token revocation
Gets or sets the token.
The token.
Gets or sets the token type hint.
The token type hint.
Models an OAuth 2.0 token revocation response
Request for OIDC userinfo
Gets or sets the token.
The token.
Models an OpenID Connect userinfo response
Allows to initialize instance specific data.
The initialization data.
Gets the claims.
The claims.
Helper class for creating request URLs
Initializes a new instance of the class.
The authorize endpoint.
Creates URL based on key/value input pairs.
The query string parameters.
Implementation of based on .
Constructor with argument.
String comparison between issuer and authority (trailing slash ignored).
String "starts with" comparison between endpoint and allowed authorities.
Client library for the OpenID Connect / OAuth 2 token endpoint
Initializes a new instance of the class.
The client.
The options.
Thrown if client is null.
Initializes a new instance of the class.
The client func.
The options.
Thrown if the client func is null.
Sets request parameters from the options.
The request.
The parameters.
Sends a token request using the client_credentials grant type.
The scope (space separated string).
Extra parameters.
The cancellation token.
Sends a token request using the urn:ietf:params:oauth:grant-type:device_code grant type.
The device code.
Extra parameters.
The cancellation token.
Sends a token request using the password grant type.
Name of the user.
The password.
The scope (space separated string).
Extra parameters.
The cancellation token.
Sends a token request using the authorization_code grant type.
The code.
The redirect URI.
The code verifier.
The parameters.
The cancellation token.
Sends a token request using the refresh_token grant type.
The refresh token.
The scope (space separated string).
Extra parameters.
The cancellation token.
Sends a token request.
Type of the grant.
Extra parameters.
The cancellation token.
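The TokenClient above (and the equivalent HttpClient extension methods for OAuth token requests) return a TokenResponse whose ErrorType distinguishes a protocol error (the server answered, but refused), an HTTP error, a transport exception and a policy violation; a machine-to-machine client should react differently to each rather than retrying blindly. The following is an added example (not IdentityModel's own code) of a client_credentials token provider that caches the token until shortly before expiry and maps the error types; the address, client credentials and the caching policy are this example's own assumptions.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

// Added example: client_credentials via TokenClient with expiry-aware caching.
// Address and credentials are hypothetical.
class ApiTokenProvider
{
    const string TokenEndpoint = "https://login.example.com/connect/token";
    readonly TokenClient _tokenClient;
    string _accessToken;
    DateTimeOffset _expiresAt;

    public ApiTokenProvider(HttpClient http)
    {
        _tokenClient = new TokenClient(http, new TokenClientOptions
        {
            Address = TokenEndpoint,
            ClientId = "worker",
            ClientSecret = "worker-secret",
            ClientCredentialStyle = ClientCredentialStyle.AuthorizationHeader, // credentials in the Basic header...
            AuthorizationHeaderStyle = BasicAuthenticationHeaderStyle.Rfc6749  // ...encoded per RFC 6749
        });
    }

    public async Task<string> GetAccessTokenAsync()
    {
        // Renew a minute early so a token never expires in the middle of a call.
        if (_accessToken != null && DateTimeOffset.UtcNow < _expiresAt.AddMinutes(-1))
            return _accessToken;

        var response = await _tokenClient.RequestClientCredentialsTokenAsync(scope: "api1.read");
        if (response.IsError)
        {
            switch (response.ErrorType)
            {
                case ResponseErrorType.Protocol:
                    // invalid_client, invalid_scope, ...: a configuration problem, retrying will not help
                    throw new InvalidOperationException($"token endpoint rejected request: {response.Error}");
                case ResponseErrorType.Http:
                    // e.g. 502/503: transient, retry with backoff
                    throw new HttpRequestException($"token endpoint returned HTTP {(int)response.HttpStatusCode}");
                case ResponseErrorType.Exception:
                    // DNS, TLS, timeout: also transient, but inspect the exception
                    throw new HttpRequestException("could not reach the token endpoint", response.Exception);
                default:
                    throw new InvalidOperationException(response.Error);
            }
        }

        _accessToken = response.AccessToken;
        _expiresAt = DateTimeOffset.UtcNow.AddSeconds(response.ExpiresIn);
        return _accessToken;
    }

    // The same request through the HttpClient extension method instead of TokenClient.
    public static Task<TokenResponse> ViaExtensionAsync(HttpClient http) =>
        http.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = TokenEndpoint,
            ClientId = "worker",
            ClientSecret = "worker-secret",
            Scope = "api1.read"
        });
}
```

The token obtained here is attached to API calls with SetBearerToken on the request or client; it is an access token for the worker itself, so keep the requested scope to the minimum the worker needs.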
A class that mimics the standard Random class in the .NET Framework - but uses a random number generator internally.
Output format for unique IDs
URL-safe Base64
Base64
Hex
Creates a random key byte array.
The length.
Creates a URL safe unique identifier.
The length.
The output format
Initializes a new instance of the class.
Initializes a new instance of the class.
seed (ignored)
Returns a nonnegative random number.
A 32-bit signed integer greater than or equal to zero and less than int.MaxValue.
Returns a nonnegative random number less than the specified maximum.
The exclusive upper bound of the random number to be generated; must be greater than or equal to zero.
A 32-bit signed integer greater than or equal to zero and less than the upper bound; that is, the range of return values ordinarily includes zero but not the upper bound. However, if the upper bound equals zero, zero is returned.
Thrown if the upper bound is less than zero.
Returns a random number within a specified range.
The inclusive lower bound of the random number returned.
The exclusive upper bound of the random number returned; must be greater than or equal to the lower bound.
A 32-bit signed integer greater than or equal to the lower bound and less than the upper bound; that is, the range of return values includes the lower bound but not the upper bound. If the two bounds are equal, the lower bound is returned.
Thrown if the lower bound is greater than the upper bound.
Returns a random number between 0.0 and 1.0.
A double-precision floating point number greater than or equal to 0.0, and less than 1.0.
Fills the elements of a specified array of bytes with random numbers.
An array of bytes to contain random numbers.
Thrown if the array is null.
Extensions for converting epoch/unix time to DateTime and DateTimeOffset
Converts the given date value to epoch time.
Converts the given epoch time to a DateTime with Utc kind.
Helpers to create ClaimsIdentity
Creates an anonymous claims identity.
The anonymous.
Creates a ClaimsIdentity using the specified authentication type and claims.
Type of the authentication.
The claims.
Creates a ClaimsIdentity based on information found in an X509 certificate.
The certificate.
Type of the authentication.
If set to true, all claims that can be derived from the certificate are included.
Append the given query key and value to the URI.
The base URI.
The name of the query key.
The query value.
The combined result.
Append the given query keys and values to the uri.
The base uri.
A collection of name value query pairs to append.
The combined result.
Helpers to deal with tasks.
Gets or sets if this library's internal tasks can call ConfigureAwait(false).
Constants for JsonWebAlgorithms "kty" Key Type (sec 6.1)
http://tools.ietf.org/html/rfc7518#section-6.1
Represents a Json Web Key as defined in http://tools.ietf.org/html/rfc7517.
Initializes a new instance of the JSON Web Key.
Initializes a new instance of the JSON Web Key from a JSON string.
a string that contains JSON Web Key parameters in JSON format.
Gets or sets the 'alg' (Algorithm intended for use with the key).
Gets or sets the 'crv' (ECC - Curve).
Gets or sets the 'd' (ECC - Private Key OR RSA - Private Exponent).
value is formatted as: Base64urlUInt
Gets or sets the 'dp' (RSA - First Factor CRT Exponent).
value is formatted as: Base64urlUInt
Gets or sets the 'dq' (RSA - Second Factor CRT Exponent).
value is formatted as: Base64urlUInt
Gets or sets the 'e' (RSA - Exponent).
Gets or sets the 'k' (Symmetric - Key Value).
Base64urlEncoding
Gets or sets the 'key_ops' (Key Operations).
Gets or sets the 'kid' (Key ID).
Gets or sets the 'kty' (Key Type).
Gets or sets the 'n' (RSA - Modulus).
value is formatted as: Base64urlEncoding
Gets or sets the 'oth' (RSA - Other Primes Info).
Gets or sets the 'p' (RSA - First Prime Factor).
value is formatted as: Base64urlUInt
Gets or sets the 'q' (RSA - Second Prime Factor).
value is formatted as: Base64urlUInt
Gets or sets the 'qi' (RSA - First CRT Coefficient).
value is formatted as: Base64urlUInt
Gets or sets the 'use' (Public Key Use).
Gets or sets the 'x' (ECC - X Coordinate).
value is formatted as: Base64urlEncoding
Gets the 'x5c' collection (X.509 Certificate Chain).
Gets or sets the 'x5t' (X.509 Certificate SHA-1 thumbprint).
Gets or sets the 'x5t#S256' (X.509 Certificate SHA-256 thumbprint).
Gets or sets the 'x5u' (X.509 URL).
Gets or sets the 'y' (ECC - Y Coordinate).
value is formatted as: Base64urlEncoding
Names for Json Web Key Values
Contains a collection of JSON web keys that can be populated from a JSON string.
Initializes a new instance of the JSON Web Key Set.
Initializes a new instance of the JSON Web Key Set from a JSON string.
a JSON string containing the key set values.
if web keys are malformed
if 'json' is null or whitespace.
A list of JSON web keys
The JSON string used to deserialize this object
Extensions for JsonWebKey
Converts a JSON web key to a URL safe string.
The key.
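The Base64Url encoder/decoder at the top of this page and the JsonWebKey/JsonWebKeySet types above come together when an API selects the provider's signing key: 'n' and 'e' are Base64urlUInt values that must be decoded (no padding, URL-safe alphabet) and imported into an RSA public key, and the lookup by 'kid' must fail closed when the key is unknown. The following is an added example (not IdentityModel's own code) that generates a key pair locally, serialises its public half as a JWKS document the way a jwks_uri would serve it, parses it back with JsonWebKeySet, and verifies a signature with the selected key. The key and the signed message are constructed, so the whole thing runs offline; the key id is hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using IdentityModel;
using IdentityModel.Jwk;

// Added example: JWKS parsing, key selection by kid and RSA import via Base64Url.
static class JwksExample
{
    // Build a JWKS document from a locally generated key, as a provider's jwks_uri would serve it.
    public static string BuildJwks(RSA rsa, string kid)
    {
        var p = rsa.ExportParameters(includePrivateParameters: false);
        // 'n' and 'e' are Base64urlUInt: unsigned big-endian bytes, base64url, no padding.
        var n = Base64Url.Encode(p.Modulus);
        var e = Base64Url.Encode(p.Exponent);
        return "{\"keys\":[{\"kty\":\"RSA\",\"use\":\"sig\",\"alg\":\"RS256\",\"kid\":\"" + kid +
               "\",\"n\":\"" + n + "\",\"e\":\"" + e + "\"}]}";
    }

    // Select the key a token header points at and turn it into an RSA public key.
    // Only RSA signature keys matching the expected algorithm are accepted; a
    // 'use' or 'alg' that contradicts the request rejects the key.
    public static RSA SelectVerificationKey(string jwksJson, string kid, string alg)
    {
        var set = new JsonWebKeySet(jwksJson);
        var key = set.Keys.SingleOrDefault(k =>
            k.Kid == kid &&
            k.Kty == "RSA" &&
            (k.Use == null || k.Use == "sig") &&
            (k.Alg == null || k.Alg == alg));
        if (key == null) return null;   // unknown kid: caller refreshes discovery, never guesses a key

        var rsa = RSA.Create();
        rsa.ImportParameters(new RSAParameters
        {
            Modulus = Base64Url.Decode(key.N),
            Exponent = Base64Url.Decode(key.E)
        });
        return rsa;
    }

    public static bool Demo()
    {
        using var signer = RSA.Create(2048);
        var jwks = BuildJwks(signer, kid: "2024-key-1");

        // Constructed stand-in for a JWS signing input (header.payload).
        var data = Encoding.UTF8.GetBytes("eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxMjMifQ");
        var sig = signer.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        using var verifier = SelectVerificationKey(jwks, "2024-key-1", "RS256");
        var ok = verifier != null &&
                 verifier.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // A kid that is not in the set must yield no key at all.
        var unknown = SelectVerificationKey(jwks, "old-key", "RS256");

        // A tampered message must not verify.
        data[0] ^= 0x01;
        var tampered = verifier != null &&
                       verifier.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        return ok && unknown == null && !tampered;   // true
    }
}
```

Base64Url.Decode throws on input that is not valid base64url (the "Illegal base64url string!" error above); a JWKS whose 'n' or 'e' fails to decode should be treated as a bad document, not repaired by padding or stripping characters.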
Commonly used claim types
Unique Identifier for the End-User at the Issuer.
End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
Given name(s) or first name(s) of the End-User. Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
Surname(s) or last name(s) of the End-User. Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
Middle name(s) of the End-User. Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.
Shorthand name by which the End-User wishes to be referred to at the RP, such as janedoe or j.doe. This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The RP MUST NOT rely upon this value being unique, as discussed in http://openid.net/specs/openid-connect-basic-1_0-32.html#ClaimStability
URL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
URL of the End-User's profile picture. This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image.
Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
URL of the End-User's Web page or blog. This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.
End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. The relying party MUST NOT rely upon this value being unique.
"true" if the End-User's e-mail address has been verified; otherwise "false".
When this Claim Value is "true", this means that the OP took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.
End-User's gender. Values defined by this specification are "female" and "male". Other values MAY be used when neither of the defined values are applicable.
End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format. The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.
String from the time zone database (https://data.iana.org/time-zones/tz-link.html) representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.
End-User's locale, represented as a BCP47 [RFC5646] language tag. This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well.
End-User's preferred telephone number. E.164 (https://www.itu.int/rec/T-REC-E.164/e) is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.
True if the End-User's phone number has been verified; otherwise false. When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed.
The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.
End-User's preferred postal address. The value of the address member is a JSON structure containing some or all of the members defined in http://openid.net/specs/openid-connect-basic-1_0-32.html#AddressClaim
Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.
The time before which the JWT MUST NOT be accepted for processing, specified as the number of seconds from 1970-01-01T0:0:0Z
The exp (expiration time) claim identifies the expiration time on or after which the token MUST NOT be accepted for processing, specified as the number of seconds from 1970-01-01T0:0:0Z
Time the End-User's information was last updated. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
The iat (issued at) claim identifies the time at which the JWT was issued, specified as the number of seconds from 1970-01-01T0:0:0Z
Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication.
Session identifier. This represents a Session of an OP at an RP to a User Agent or device for a logged-in End-User. Its contents are unique to the OP and opaque to the RP.
Authentication Context Class Reference. String specifying an Authentication Context Class Reference value that identifies the Authentication Context Class that the authentication performed satisfied.
The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1.
Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate.
Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value.
(This corresponds to the OpenID 2.0 PAPE nist_auth_level 0.)
An absolute URI or an RFC 6711 registered name SHOULD be used as the acr value; registered names MUST NOT be used with a different meaning than that which is registered.
Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific.
The acr value is a case sensitive string.
Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. When a max_age request is made or when auth_time is requested as an Essential Claim, then this Claim is REQUIRED; otherwise, its inclusion is OPTIONAL.
The party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case sensitive string containing a StringOrURI value.
Access Token hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, hash the access_token value with SHA-256, then take the left-most 128 bits and base64url encode them. The at_hash value is a case sensitive string.
Code hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the code value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is HS512, hash the code value with SHA-512, then take the left-most 256 bits and base64url encode them. The c_hash value is a case sensitive string.
State hash value. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the state value, where the hash algorithm used is the hash algorithm used in the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is HS512, hash the state value with SHA-512, then take the left-most 256 bits and base64url encode them. The s_hash value is a case sensitive string.
String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. If present in the Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token with the Claim Value being the nonce value sent in the Authentication Request. Authorization Servers SHOULD perform no other processing on nonce values used. The nonce value is a case sensitive string.
JWT ID. A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties; any such negotiation is beyond the scope of this specification.
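The iss, aud, azp, exp, nbf, iat, nonce and *_hash rules above are what a relying party has to check after the ID token's signature has been verified. The following is an added Python example written for this page, not code from the IdentityModel library; the issuer, client ID, nonce, access token and timestamps are constructed sample values, and the hash-algorithm mapping assumes the usual JOSE convention that the numeric suffix of alg (RS256, ES384, HS512, PS256) names the hash family.

```python
import base64
import hashlib
import hmac

# Numeric suffix of a JOSE alg -> hash family used for at_hash / c_hash / s_hash
HASH_FOR_ALG_SUFFIX = {"256": "sha256", "384": "sha384", "512": "sha512"}


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def left_half_hash(value: str, alg: str) -> str:
    """at_hash / c_hash / s_hash: base64url of the left-most half of H(ASCII(value)),
    where H is the hash of the ID token's alg (RS256 -> SHA-256, HS512 -> SHA-512)."""
    digest = hashlib.new(HASH_FOR_ALG_SUFFIX[alg[-3:]], value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def validate_id_token_claims(claims, *, issuer, client_id, now, nonce=None, alg="RS256",
                             access_token=None, code=None, state=None, leeway=60):
    """Return the list of violations; an empty list means the claims are acceptable.
    Assumes the JWS signature was already verified with a key of the expected issuer."""
    errors = []

    # iss: exact, case-sensitive match against the expected issuer URL
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")

    # aud: either a single string or an array; our client_id must be one of them
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        errors.append("client_id not in aud")

    # azp: required once there is more than one audience, and must then be our client_id
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        errors.append("azp missing with multiple audiences")
    if azp is not None and azp != client_id:
        errors.append("azp mismatch")

    # exp / nbf / iat are seconds since the epoch; tolerate a small clock skew
    exp = claims.get("exp")
    if exp is None or now >= exp + leeway:
        errors.append("token expired or exp missing")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - leeway:
        errors.append("token not yet valid")
    iat = claims.get("iat")
    if iat is None or iat > now + leeway:
        errors.append("iat missing or in the future")

    # nonce: must echo the value this client put into the authentication request
    if nonce is not None and claims.get("nonce") != nonce:
        errors.append("nonce mismatch")

    # at_hash / c_hash / s_hash: recompute from the artifact we hold, compare in constant time
    for name, value in (("at_hash", access_token), ("c_hash", code), ("s_hash", state)):
        if value is None:
            continue
        expected = left_half_hash(value, alg)
        actual = claims.get(name)
        if not isinstance(actual, str) or not hmac.compare_digest(
                actual.encode("utf-8"), expected.encode("utf-8")):
            errors.append(f"{name} mismatch")
    return errors


# Constructed sample values (not taken from any real deployment)
ISSUER = "https://issuer.example.com"
CLIENT_ID = "my-client"
NONCE = "n-0S6_WzA2Mj"
ACCESS_TOKEN = "SlAV32hkKG"
NOW = 1_700_000_000


def sample_claims():
    return {
        "iss": ISSUER,
        "sub": "248289761001",
        "aud": [CLIENT_ID, "other-client"],  # two audiences, so azp is required
        "azp": CLIENT_ID,
        "iat": NOW - 10,
        "exp": NOW + 300,
        "nonce": NONCE,
        "at_hash": left_half_hash(ACCESS_TOKEN, "RS256"),
    }


def demo():
    return validate_id_token_claims(sample_claims(), issuer=ISSUER, client_id=CLIENT_ID,
                                    now=NOW, nonce=NONCE, access_token=ACCESS_TOKEN)


if __name__ == "__main__":
    print("violations:", demo())
```

The validator collects every violation instead of stopping at the first one, which makes it easier to log why a token was rejected; in production the caller should still treat any non-empty result as a hard failure.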
Defines a set of event statements that each may add additional claims to fully describe a single logical event that has occurred.
OAuth 2.0 Client Identifier valid at the Authorization Server.
OpenID Connect requests MUST contain the "openid" scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored.
The "act" (actor) claim provides a means within a JWT to express that delegation has occurred and identify the acting party to whom authority has been delegated. The "act" claim value is a JSON object and members in the JSON object are claims that identify the actor. The claims that make up the "act" claim identify and possibly provide additional information about the actor.
The "may_act" claim makes a statement that one party is authorized to become the actor and act on behalf of another party. The claim value is a JSON object and members in the JSON object are claims that identify the party that is asserted as being eligible to act for the party identified by the JWT containing the claim.
an identifier
The identity provider
The role
The reference token identifier
The confirmation
The algorithm
JSON web key
The token type
DPoP HTTP method
DPoP HTTP URL
DPoP access token hash
Values for strongly typed JWTs
OAuth 2.0 access token
JWT secured authorization request
DPoP proof token
Values for the cnf claim
JSON web key
JSON web key thumbprint
X.509 certificate thumbprint using SHA256
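The JSON web key set parsing and the "JSON web key to URL safe string" conversion near the top of this section, together with the jkt (JSON web key thumbprint) confirmation value just above, all come down to strict base64url handling and the RFC 7638 thumbprint computation. The block below is an added Python example written for this page; it is not the IdentityModel library's code. The JWKS document is constructed, its RSA modulus is a placeholder of the right shape rather than a real key, and the per-key-type member lists follow RFC 7638.

```python
import base64
import hashlib
import json
import re

# RFC 7638: members hashed for a thumbprint, per key type (lexicographic order, no whitespace)
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
    "oct": ("k", "kty"),
}

_B64URL_RE = re.compile(r"^[A-Za-z0-9_-]*$")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def is_valid_base64url(text: str) -> bool:
    """Unpadded base64url: only the URL-safe alphabet, and a length that is never 1 mod 4."""
    return bool(_B64URL_RE.match(text)) and len(text) % 4 != 1


def b64url_decode(text: str) -> bytes:
    if not is_valid_base64url(text):
        raise ValueError("illegal base64url string")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_jwks(json_text: str) -> list:
    """Parse a JWK Set, rejecting blank input and keys missing the members that identify them."""
    if json_text is None or not json_text.strip():
        raise ValueError("json is null or whitespace")
    keys = json.loads(json_text).get("keys")
    if not isinstance(keys, list):
        raise ValueError("JWK set has no 'keys' array")
    for key in keys:
        kty = key.get("kty")
        if kty not in THUMBPRINT_MEMBERS:
            raise ValueError(f"unsupported or missing kty: {kty!r}")
        for member in THUMBPRINT_MEMBERS[kty]:
            value = key.get(member)
            if not isinstance(value, str) or (
                    member not in ("kty", "crv") and not is_valid_base64url(value)):
                raise ValueError(f"malformed {kty} key: bad {member}")
    return keys


def find_signing_key(keys: list, kid: str):
    """Pick the key for a JWS header's kid, skipping keys marked for encryption only."""
    for key in keys:
        if key.get("kid") == kid and key.get("use", "sig") == "sig":
            return key
    return None


def canonical_jwk_json(jwk: dict) -> str:
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint: the value carried in cnf as jkt."""
    return b64url_encode(hashlib.sha256(canonical_jwk_json(jwk).encode("utf-8")).digest())


def jwk_to_url_safe_string(jwk: dict) -> str:
    """Whole JWK as compact JSON, base64url encoded, so it can travel in a URL or form field."""
    return b64url_encode(json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode("utf-8"))


def jwk_from_url_safe_string(text: str) -> dict:
    return json.loads(b64url_decode(text).decode("utf-8"))


# Constructed JWKS: the RSA 'n' is a placeholder of plausible shape, not a real modulus
JWKS_JSON = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa-1", "use": "sig", "alg": "RS256", "e": "AQAB",
     "n": "sXchDaQebHnPiGFRcLQn5wQ4Bhd2ia93tXTu2LZ5B3HhNs8_LrR4Ft7vLYGmKXgx6xxJrVFuaa3uOd-NE5LzJQ"},
    {"kty": "EC", "kid": "ec-1", "crv": "P-256",
     "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
     "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"},
]})


if __name__ == "__main__":
    for key in parse_jwks(JWKS_JSON):
        print(key["kid"], "jkt =", jwk_thumbprint(key))
```

Because the thumbprint only covers the required public members, the same key published with a different kid, alg or use still yields the same jkt, which is exactly what a resource server needs when binding a token to a client's proof-of-possession key.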
REQUIRED. Informs the Authorization Server that the Client is making an OpenID Connect request. If the openid scope value is not present, the behavior is entirely unspecified.
OPTIONAL. This scope value requests access to the End-User's default profile Claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at.
OPTIONAL. This scope value requests access to the email and email_verified Claims.
OPTIONAL. This scope value requests access to the address Claim.
OPTIONAL. This scope value requests access to the phone_number and phone_number_verified Claims.
OPTIONAL. The offline_access scope value requests that a refresh token be issued. This scope value MUST NOT be used with the OpenID Connect Implicit Client Implementer's Guide 1.0. See the OpenID Connect Basic Client Implementer's Guide 1.0 (http://openid.net/specs/openid-connect-implicit-1_0.html#OpenID.Basic) for its usage in that subset of OpenID Connect.
Helper class to create ClaimsPrincipal
Gets an anonymous ClaimsPrincipal.
Creates a ClaimsPrincipal using the specified authentication type and claims.
Type of the authentication.
The claims.
Creates a ClaimsPrincipal based on information found in an X509 certificate.
The certificate.
Type of the authentication.
If set to true, all claims that can be derived from the certificate are included; otherwise only the basic identifying claims are.
Extensions for strings
Creates a SHA256 hash of the specified input.
The input.
A hash
Creates a SHA512 hash of the specified input.
The input.
A hash
Helper class to do equality checks without leaking timing information
Checks two strings for equality without leaking timing information.
string 1.
string 2.
true if the specified strings are equal; otherwise, false.
HTTP Basic Authentication authorization header
Initializes a new instance of the class.
Name of the user.
The password.
Encodes the credential.
Name of the user.
The password.
userName
HTTP Basic Authentication authorization header for RFC6749 client authentication
Initializes a new instance of the class.
Name of the user.
The password.
Encodes the credential.
Name of the user.
The password.
userName
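The two header classes above differ only in how the credential is prepared before base64 encoding: the RFC 6749 variant form-urlencodes client_id and client_secret first, so a colon, slash, ampersand or space in either value survives the round trip, while the plain RFC 2617 variant concatenates them raw. On the receiving side the secret check should use the timing-safe comparison described earlier in this section. The block below is an added Python example written for this page, not the IdentityModel library's code; client IDs and secrets are constructed, and the style names "rfc6749" and "rfc2617" are this example's own labels.

```python
import base64
import binascii
import hmac
from urllib.parse import quote_plus, unquote_plus


def encode_basic_header(client_id: str, client_secret: str, style: str = "rfc6749") -> str:
    """Build an Authorization header value for HTTP Basic client authentication.

    rfc6749: Base64(formurlencode(client_id) + ":" + formurlencode(client_secret))
    rfc2617: Base64(client_id + ":" + client_secret), for non-compliant servers only
    """
    if not client_id or not client_id.strip():
        raise ValueError("userName")  # mirrors the 'userName' argument check on the page
    if style == "rfc6749":
        credential = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    elif style == "rfc2617":
        credential = f"{client_id}:{client_secret}"
    else:
        raise ValueError(f"unknown style {style!r}")
    return "Basic " + base64.b64encode(credential.encode("utf-8")).decode("ascii")


def decode_basic_header(header: str, style: str = "rfc6749"):
    """Inverse of encode_basic_header; raises ValueError on anything malformed."""
    scheme, _, parameter = header.strip().partition(" ")
    if scheme.lower() != "basic" or not parameter:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(parameter.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user, sep, secret = raw.partition(":")  # first colon splits; the secret may contain more
    if not sep:
        raise ValueError("missing ':' separator")
    if style == "rfc6749":
        user, secret = unquote_plus(user), unquote_plus(secret)
    return user, secret


def secrets_equal(a: str, b: str) -> bool:
    """Constant-time comparison: no early exit on the first differing byte."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def authenticate_client(header: str, registered_clients: dict, style: str = "rfc6749") -> bool:
    """True only if the header decodes and the secret matches the registered one."""
    try:
        client_id, secret = decode_basic_header(header, style)
    except ValueError:
        return False
    expected = registered_clients.get(client_id)
    if expected is None:
        secrets_equal(secret, "")  # still do a comparison so unknown IDs are not obviously faster
        return False
    return secrets_equal(secret, expected)


# Constructed registry: the secret deliberately contains characters that need escaping
REGISTERED = {"my client": "s&cret/1:x"}


if __name__ == "__main__":
    header = encode_basic_header("my client", REGISTERED["my client"])
    print(header)
    print("authenticated:", authenticate_client(header, REGISTERED))
```

A server that expects the RFC 6749 form and receives the RFC 2617 form (or vice versa) will see a different client_id or secret whenever the values contain reserved characters, which is why the style has to be a per-server configuration choice rather than something guessed from the header.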