/*
* Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
* See https://github.com/openiddict/openiddict-core for more information concerning
* the license and the contributors participating to this project.
*/
using System.ComponentModel;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
namespace OpenIddict.Client;
/// <summary>
/// Exposes various records used to represent client requests and responses.
/// </summary>
public static class OpenIddictClientModels
{
/// <summary>
/// Represents an interactive authentication request.
/// </summary>
public sealed record class InteractiveAuthenticationRequest
{
// Init-only input record: every property is assigned through an object initializer
// and cannot be reassigned afterwards. Only Nonce is marked as required.
/// <summary>
/// Gets or sets the parameters that will be added to the token request, if applicable.
/// </summary>
public Dictionary? AdditionalTokenRequestParameters { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets the nonce that was returned during the challenge or sign-out operation.
/// </summary>
/// <remarks>
/// This is the value exposed as <see cref="InteractiveChallengeResult.Nonce"/> or
/// <see cref="InteractiveSignOutResult.Nonce"/>, where it is described as the
/// unique identifier of the operation.
/// </remarks>
public required string Nonce { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
// NOTE(review): a certificate used for mutual TLS presumably needs an accessible private key;
// this record does not show who validates that or who disposes the certificate - confirm.
/// <summary>
/// Gets or sets the X.509 client certificate used to bind the access and/or
/// refresh tokens issued by the authorization server, if applicable.
/// </summary>
/// <remarks>
/// <para>
/// Note: when mTLS is also used for OAuth 2.0 client authentication, the
/// certificate set here replaces the client certificate chosen by OpenIddict.
/// </para>
/// <para>
/// Note: if a certificate-based client authentication or token binding method is
/// negotiated, the type of the certificate must match the negotiated methods.
/// </para>
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public X509Certificate2? TokenBindingCertificate { get; init; }
}
/// <summary>
/// Represents an interactive authentication result.
/// </summary>
public sealed record class InteractiveAuthenticationResult
{
// NOTE(review): this is a record with no ToString()/PrintMembers override in its body, so the
// compiler-generated ToString() includes the value of every public property. Logging or
// string-formatting an instance therefore writes the authorization code and the access,
// identity and refresh tokens below to the output; log individual non-secret members instead.
/// <summary>
/// Gets or sets the authorization code, if available.
/// </summary>
public required string? AuthorizationCode { get; init; }
/// <summary>
/// Gets or sets the authorization response.
/// </summary>
public required OpenIddictResponse AuthorizationResponse { get; init; }
/// <summary>
/// Gets or sets the backchannel access token, if available.
/// </summary>
public required string? BackchannelAccessToken { get; init; }
/// <summary>
/// Gets or sets the expiration date of the backchannel access token, if available.
/// </summary>
public required DateTimeOffset? BackchannelAccessTokenExpirationDate { get; init; }
/// <summary>
/// Gets or sets the backchannel identity token, if available.
/// </summary>
public required string? BackchannelIdentityToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the backchannel identity token, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? BackchannelIdentityTokenPrincipal { get; init; }
// NOTE(review): the name suggests the frontchannel tokens come from the authorization response
// (delivered through the user agent) rather than from the token endpoint; if so they deserve
// less trust than their backchannel counterparts - confirm against the producing handlers.
/// <summary>
/// Gets or sets the frontchannel access token, if available.
/// </summary>
public required string? FrontchannelAccessToken { get; init; }
/// <summary>
/// Gets or sets the expiration date of the frontchannel access token, if available.
/// </summary>
public required DateTimeOffset? FrontchannelAccessTokenExpirationDate { get; init; }
/// <summary>
/// Gets or sets the frontchannel identity token, if available.
/// </summary>
public required string? FrontchannelIdentityToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the frontchannel identity token, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? FrontchannelIdentityTokenPrincipal { get; init; }
/// <summary>
/// Gets or sets a merged principal containing all the claims
/// extracted from the identity token and userinfo token principals.
/// </summary>
public required ClaimsPrincipal Principal { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
/// <summary>
/// Gets or sets the refresh token, if available.
/// </summary>
public required string? RefreshToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the state token, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? StateTokenPrincipal { get; init; }
/// <summary>
/// Gets or sets the token response.
/// </summary>
public required OpenIddictResponse TokenResponse { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the userinfo token or response, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? UserInfoTokenPrincipal { get; init; }
}
/// <summary>
/// Represents an interactive challenge request.
/// </summary>
public sealed record class InteractiveChallengeRequest
{
// Init-only input record with no required members: every property is optional.
// NOTE(review): the compiler-generated record ToString() prints IdentityTokenHint and LoginHint
// verbatim; avoid logging whole instances if those values are considered sensitive.
/// <summary>
/// Gets or sets the parameters that will be added to the authorization request.
/// </summary>
public Dictionary? AdditionalAuthorizationRequestParameters { get; init; }
/// <summary>
/// Gets the audiences that will be sent to the authorization server.
/// </summary>
public List? Audiences { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
public CancellationToken CancellationToken { get; init; }
// NOTE(review): forcing a weaker PKCE method than the negotiated one (for example "plain"
// instead of "S256") weakens the protection of the authorization code; whether the value is
// validated against the server configuration is not visible in this record - confirm.
/// <summary>
/// Gets or sets the code challenge method that will be used for the authorization request.
/// </summary>
/// <remarks>
/// Note: setting this property is generally not recommended, as OpenIddict automatically
/// negotiates the best code challenge method supported by both the client and the server.
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public string? CodeChallengeMethod { get; init; }
/// <summary>
/// Gets or sets the grant type that will be used for the authorization request.
/// If this property is set to a non-null value, the <see cref="ResponseType"/>
/// property must also be explicitly set to a non-null value.
/// </summary>
/// <remarks>
/// Note: setting this property is generally not recommended, as OpenIddict automatically
/// negotiates the best grant type supported by both the client and the server.
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public string? GrantType { get; init; }
/// <summary>
/// Gets or sets the optional identity token hint that will
/// be sent to the authorization server, if applicable.
/// </summary>
public string? IdentityTokenHint { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
/// <summary>
/// Gets or sets the optional login hint that will be sent to the authorization server, if applicable.
/// </summary>
public string? LoginHint { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets or sets the response mode that will be used for the authorization request.
/// </summary>
/// <remarks>
/// Note: setting this property is generally not recommended, as OpenIddict automatically
/// negotiates the best response mode supported by both the client and the server.
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public string? ResponseMode { get; init; }
/// <summary>
/// Gets or sets the response type that will be used for the authorization request.
/// If this property is set to a non-null value, the <see cref="GrantType"/>
/// property must also be explicitly set to a non-null value.
/// </summary>
/// <remarks>
/// Note: setting this property is generally not recommended, as OpenIddict automatically
/// negotiates the best response type supported by both the client and the server.
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public string? ResponseType { get; init; }
/// <summary>
/// Gets the resources that will be sent to the authorization server.
/// </summary>
public List? Resources { get; init; }
/// <summary>
/// Gets the scopes that will be sent to the authorization server.
/// </summary>
public List? Scopes { get; init; }
}
/// <summary>
/// Represents an interactive challenge result.
/// </summary>
public sealed record class InteractiveChallengeResult
{
// Init-only output record; both members are required, so an instance always carries them.
/// <summary>
/// Gets or sets the nonce that is used as a unique identifier for the challenge operation.
/// </summary>
/// <remarks>
/// <see cref="InteractiveAuthenticationRequest.Nonce"/> is documented as the nonce returned
/// during the challenge operation, i.e. this value.
/// </remarks>
public required string Nonce { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
}
/// <summary>
/// Represents an interactive sign-out request.
/// </summary>
public sealed record class InteractiveSignOutRequest
{
// Init-only input record with no required members: every property is optional.
// NOTE(review): the compiler-generated record ToString() prints IdentityTokenHint and LoginHint
// verbatim; avoid logging whole instances if those values are considered sensitive.
/// <summary>
/// Gets or sets the parameters that will be added to the end session request.
/// </summary>
public Dictionary? AdditionalEndSessionRequestParameters { get; init; }
/// <summary>
/// Gets the audiences that will be sent to the authorization server.
/// </summary>
public List? Audiences { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets the optional identity token hint that will
/// be sent to the authorization server, if applicable.
/// </summary>
public string? IdentityTokenHint { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
/// <summary>
/// Gets or sets the optional login hint that will be sent to the authorization server, if applicable.
/// </summary>
public string? LoginHint { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets the resources that will be sent to the authorization server.
/// </summary>
public List? Resources { get; init; }
/// <summary>
/// Gets the scopes that will be sent to the authorization server.
/// </summary>
public List? Scopes { get; init; }
}
/// <summary>
/// Represents an interactive sign-out result.
/// </summary>
public sealed record class InteractiveSignOutResult
{
// Init-only output record; both members are required, so an instance always carries them.
/// <summary>
/// Gets or sets the nonce that is used as a unique identifier for the sign-out operation.
/// </summary>
/// <remarks>
/// <see cref="InteractiveAuthenticationRequest.Nonce"/> is documented as the nonce returned
/// during the sign-out operation, i.e. this value.
/// </remarks>
public required string Nonce { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
}
/// <summary>
/// Represents a client credentials authentication request.
/// </summary>
public sealed record class ClientCredentialsAuthenticationRequest
{
// Init-only input record with no required members. The client credentials themselves are not
// part of this record; the registration is selected through Issuer, ProviderName or RegistrationId.
/// <summary>
/// Gets or sets the parameters that will be added to the token request.
/// </summary>
public Dictionary? AdditionalTokenRequestParameters { get; init; }
/// <summary>
/// Gets the audiences that will be sent to the authorization server.
/// </summary>
public List? Audiences { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets the resources that will be sent to the authorization server.
/// </summary>
public List? Resources { get; init; }
/// <summary>
/// Gets the scopes that will be sent to the authorization server.
/// </summary>
public List? Scopes { get; init; }
}
/// <summary>
/// Represents a client credentials authentication result.
/// </summary>
public sealed record class ClientCredentialsAuthenticationResult
{
// NOTE(review): this is a record with no ToString()/PrintMembers override in its body, so the
// compiler-generated ToString() includes the value of every public property. Logging or
// string-formatting an instance therefore writes AccessToken, IdentityToken, RefreshToken and
// UserInfoToken to the output; log individual non-secret members instead.
/// <summary>
/// Gets or sets the access token.
/// </summary>
public required string AccessToken { get; init; }
/// <summary>
/// Gets or sets the expiration date of the access token, if available.
/// </summary>
public required DateTimeOffset? AccessTokenExpirationDate { get; init; }
/// <summary>
/// Gets or sets the identity token, if available.
/// </summary>
/// <remarks>
/// Note: this property is generally not set, except when dealing with an identity
/// provider that returns an identity token for the client credentials grant.
/// </remarks>
public required string? IdentityToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the identity token, if available.
/// </summary>
/// <remarks>
/// Note: this property is generally not set, except when dealing with an identity
/// provider that returns an identity token for the client credentials grant.
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? IdentityTokenPrincipal { get; init; }
/// <summary>
/// Gets or sets a merged principal containing all the claims
/// extracted from the identity token and userinfo token principals.
/// </summary>
/// <remarks>
/// Note: in most cases, an empty principal will be returned, unless the authorization server
/// supports returning a non-standard identity token for the client credentials grant.
/// </remarks>
public required ClaimsPrincipal Principal { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
/// <summary>
/// Gets or sets the refresh token, if available.
/// </summary>
public required string? RefreshToken { get; init; }
/// <summary>
/// Gets or sets the token response.
/// </summary>
public required OpenIddictResponse TokenResponse { get; init; }
/// <summary>
/// Gets or sets the userinfo token, if available.
/// </summary>
/// <remarks>
/// Note: this property is generally not set, except when dealing with non-standard providers.
/// </remarks>
public required string? UserInfoToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the userinfo token or response, if available.
/// </summary>
/// <remarks>
/// Note: this property is generally not set, except when dealing with non-standard providers.
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? UserInfoTokenPrincipal { get; init; }
}
/// <summary>
/// Represents a custom grant authentication request.
/// </summary>
public sealed record class CustomGrantAuthenticationRequest
{
// Init-only input record; GrantType is the only required member.
// NOTE(review): a custom grant usually carries its credential material inside
// AdditionalTokenRequestParameters; treat that dictionary as sensitive when it does.
/// <summary>
/// Gets or sets the parameters that will be added to the token request.
/// </summary>
public Dictionary? AdditionalTokenRequestParameters { get; init; }
/// <summary>
/// Gets the audiences that will be sent to the authorization server.
/// </summary>
public List? Audiences { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled.
/// </summary>
public bool DisableUserInfo { get; init; }
/// <summary>
/// Gets or sets the custom grant type that will be used for the authentication request.
/// </summary>
public required string GrantType { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets the resources that will be sent to the authorization server.
/// </summary>
public List? Resources { get; init; }
/// <summary>
/// Gets the scopes that will be sent to the authorization server.
/// </summary>
public List? Scopes { get; init; }
// NOTE(review): a certificate used for mutual TLS presumably needs an accessible private key;
// this record does not show who validates that or who disposes the certificate - confirm.
/// <summary>
/// Gets or sets the X.509 client certificate used to bind the access and/or
/// refresh tokens issued by the authorization server, if applicable.
/// </summary>
/// <remarks>
/// <para>
/// Note: when mTLS is also used for OAuth 2.0 client authentication, the
/// certificate set here replaces the client certificate chosen by OpenIddict.
/// </para>
/// <para>
/// Note: if a certificate-based client authentication or token binding method is
/// negotiated, the type of the certificate must match the negotiated methods.
/// </para>
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public X509Certificate2? TokenBindingCertificate { get; init; }
}
/// <summary>
/// Represents a custom grant authentication result.
/// </summary>
public sealed record class CustomGrantAuthenticationResult
{
// NOTE(review): this is a record with no ToString()/PrintMembers override in its body, so the
// compiler-generated ToString() includes the value of every public property. Logging or
// string-formatting an instance therefore writes AccessToken, IdentityToken, RefreshToken and
// UserInfoToken to the output; log individual non-secret members instead.
/// <summary>
/// Gets or sets the access token.
/// </summary>
public required string AccessToken { get; init; }
/// <summary>
/// Gets or sets the expiration date of the access token, if available.
/// </summary>
public required DateTimeOffset? AccessTokenExpirationDate { get; init; }
/// <summary>
/// Gets or sets the identity token, if available.
/// </summary>
public required string? IdentityToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the identity token, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? IdentityTokenPrincipal { get; init; }
/// <summary>
/// Gets or sets a merged principal containing all the claims
/// extracted from the identity token and userinfo token principals.
/// </summary>
public required ClaimsPrincipal Principal { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
/// <summary>
/// Gets or sets the refresh token, if available.
/// </summary>
public required string? RefreshToken { get; init; }
/// <summary>
/// Gets or sets the token response.
/// </summary>
public required OpenIddictResponse TokenResponse { get; init; }
/// <summary>
/// Gets or sets the userinfo token, if available.
/// </summary>
public required string? UserInfoToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the userinfo token or response, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? UserInfoTokenPrincipal { get; init; }
}
/// <summary>
/// Represents a device authentication request.
/// </summary>
public sealed record class DeviceAuthenticationRequest
{
// Init-only input record; DeviceCode, Timeout and Interval are required.
// NOTE(review): the compiler-generated record ToString() prints DeviceCode verbatim. The device
// code is what gets redeemed for tokens, so avoid logging whole instances.
/// <summary>
/// Gets or sets the parameters that will be added to the token request.
/// </summary>
public Dictionary? AdditionalTokenRequestParameters { get; init; }
/// <summary>
/// Gets the audiences that will be sent to the authorization server.
/// </summary>
public List? Audiences { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets the device code that will be sent to the authorization server.
/// </summary>
public required string DeviceCode { get; init; }
/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled.
/// </summary>
public bool DisableUserInfo { get; init; }
/// <summary>
/// Gets or sets the maximum duration during which token requests will be sent
/// (typically, the same value as the "expires_in" parameter returned by the
/// authorization server during the challenge phase or a lower value).
/// </summary>
/// <remarks>
/// <see cref="DeviceChallengeResult.ExpiresIn"/> exposes the lifetime of the device
/// and user codes returned during the challenge phase.
/// </remarks>
public required TimeSpan Timeout { get; init; }
/// <summary>
/// Gets or sets the interval at which token requests will be sent (typically, the same
/// value as the one returned by the authorization server during the challenge phase).
/// </summary>
/// <remarks>
/// <see cref="DeviceChallengeResult.Interval"/> exposes the interval
/// returned during the challenge phase.
/// </remarks>
public required TimeSpan Interval { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets the resources that will be sent to the authorization server.
/// </summary>
public List? Resources { get; init; }
/// <summary>
/// Gets the scopes that will be sent to the authorization server.
/// </summary>
public List? Scopes { get; init; }
// NOTE(review): a certificate used for mutual TLS presumably needs an accessible private key;
// this record does not show who validates that or who disposes the certificate - confirm.
/// <summary>
/// Gets or sets the X.509 client certificate used to bind the access and/or
/// refresh tokens issued by the authorization server, if applicable.
/// </summary>
/// <remarks>
/// <para>
/// Note: when mTLS is also used for OAuth 2.0 client authentication, the
/// certificate set here replaces the client certificate chosen by OpenIddict.
/// </para>
/// <para>
/// Note: if a certificate-based client authentication or token binding method is
/// negotiated, the type of the certificate must match the negotiated methods.
/// </para>
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public X509Certificate2? TokenBindingCertificate { get; init; }
}
/// <summary>
/// Represents a device authentication result.
/// </summary>
public sealed record class DeviceAuthenticationResult
{
// NOTE(review): this is a record with no ToString()/PrintMembers override in its body, so the
// compiler-generated ToString() includes the value of every public property. Logging or
// string-formatting an instance therefore writes AccessToken, IdentityToken, RefreshToken and
// UserInfoToken to the output; log individual non-secret members instead.
/// <summary>
/// Gets or sets the access token.
/// </summary>
public required string AccessToken { get; init; }
/// <summary>
/// Gets or sets the expiration date of the access token, if available.
/// </summary>
public required DateTimeOffset? AccessTokenExpirationDate { get; init; }
/// <summary>
/// Gets or sets the identity token, if available.
/// </summary>
public required string? IdentityToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the identity token, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? IdentityTokenPrincipal { get; init; }
/// <summary>
/// Gets or sets a merged principal containing all the claims
/// extracted from the identity token and userinfo token principals.
/// </summary>
public required ClaimsPrincipal Principal { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
/// <summary>
/// Gets or sets the refresh token, if available.
/// </summary>
public required string? RefreshToken { get; init; }
/// <summary>
/// Gets or sets the token response.
/// </summary>
public required OpenIddictResponse TokenResponse { get; init; }
/// <summary>
/// Gets or sets the userinfo token, if available.
/// </summary>
public required string? UserInfoToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the userinfo token or response, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? UserInfoTokenPrincipal { get; init; }
}
/// <summary>
/// Represents a device challenge request.
/// </summary>
public sealed record class DeviceChallengeRequest
{
// Init-only input record with no required members: every property is optional.
/// <summary>
/// Gets or sets the parameters that will be added to the device authorization request.
/// </summary>
public Dictionary? AdditionalDeviceAuthorizationRequestParameters { get; init; }
/// <summary>
/// Gets the audiences that will be sent to the authorization server.
/// </summary>
public List? Audiences { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets the resources that will be sent to the authorization server.
/// </summary>
public List? Resources { get; init; }
/// <summary>
/// Gets the scopes that will be sent to the authorization server.
/// </summary>
public List? Scopes { get; init; }
}
/// <summary>
/// Represents a device challenge result.
/// </summary>
public sealed record class DeviceChallengeResult
{
// NOTE(review): only UserCode and the verification URIs are meant to be shown to the user in the
// device authorization flow; DeviceCode is the value later redeemed at the token endpoint and
// should stay on the device. The compiler-generated record ToString() prints both codes, so
// avoid logging or displaying whole instances.
/// <summary>
/// Gets or sets the device authorization response.
/// </summary>
public required OpenIddictResponse DeviceAuthorizationResponse { get; init; }
/// <summary>
/// Gets or sets the device code.
/// </summary>
public required string DeviceCode { get; init; }
/// <summary>
/// Gets or sets the remaining lifetime of the device and user codes.
/// </summary>
public required TimeSpan ExpiresIn { get; init; }
/// <summary>
/// Gets or sets the interval at which token requests should be sent.
/// </summary>
public required TimeSpan Interval { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
/// <summary>
/// Gets or sets the user code.
/// </summary>
public required string UserCode { get; init; }
/// <summary>
/// Gets or sets the verification URI.
/// </summary>
public required Uri VerificationUri { get; init; }
// Unlike VerificationUri, this member is nullable and not marked as required.
// NOTE(review): presumably this URI embeds the user code - confirm before logging it.
/// <summary>
/// Gets or sets the complete verification URI, if available.
/// </summary>
public Uri? VerificationUriComplete { get; init; }
}
/// <summary>
/// Represents an introspection request.
/// </summary>
public sealed record class IntrospectionRequest
{
// Init-only input record; Token is the only required member.
// NOTE(review): the compiler-generated record ToString() prints Token verbatim, so logging a
// whole instance writes the token being introspected to the output.
/// <summary>
/// Gets or sets the parameters that will be added to the introspection request.
/// </summary>
public Dictionary? AdditionalIntrospectionRequestParameters { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets the token that will be sent to the authorization server.
/// </summary>
public required string Token { get; init; }
/// <summary>
/// Gets the token type hint that will be sent to the authorization server.
/// </summary>
public string? TokenTypeHint { get; init; }
}
/// <summary>
/// Represents an introspection result.
/// </summary>
public sealed record class IntrospectionResult
{
// Init-only output record; all three members are required.
// NOTE(review): the documentation of Principal below is word for word the text used on
// ClientCredentialsAuthenticationResult.Principal (identity/userinfo tokens, client credentials
// grant). For an introspection result the principal presumably carries the claims of the
// introspection response instead - confirm and reword before relying on it.
/// <summary>
/// Gets or sets a merged principal containing all the claims
/// extracted from the identity token and userinfo token principals.
/// </summary>
/// <remarks>
/// Note: in most cases, an empty principal will be returned, unless the authorization server
/// supports returning a non-standard identity token for the client credentials grant.
/// </remarks>
public required ClaimsPrincipal Principal { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
/// <summary>
/// Gets or sets the introspection response.
/// </summary>
public required OpenIddictResponse IntrospectionResponse { get; init; }
}
/// <summary>
/// Represents a resource owner password credentials authentication request.
/// </summary>
public sealed record class PasswordAuthenticationRequest
{
// Init-only input record; Username and Password are required.
// NOTE(review): this is a record with no ToString()/PrintMembers override in its body, so the
// compiler-generated ToString() prints Username and Password in clear text. Never log,
// string-format or attach whole instances to exceptions or telemetry.
// NOTE(review): the resource owner password credentials grant hands the user's password to the
// client and is disallowed by the OAuth 2.0 Security Best Current Practice (RFC 9700); prefer
// an interactive or device flow where the authorization server supports one.
/// <summary>
/// Gets or sets the parameters that will be added to the token request.
/// </summary>
public Dictionary? AdditionalTokenRequestParameters { get; init; }
/// <summary>
/// Gets the audiences that will be sent to the authorization server.
/// </summary>
public List? Audiences { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled.
/// </summary>
public bool DisableUserInfo { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
// The password is held as an ordinary managed string for the lifetime of the record.
/// <summary>
/// Gets or sets the password that will be sent to the authorization server.
/// </summary>
public required string Password { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the <see cref="RegistrationId"/> property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets the resources that will be sent to the authorization server.
/// </summary>
public List? Resources { get; init; }
/// <summary>
/// Gets the scopes that will be sent to the authorization server.
/// </summary>
public List? Scopes { get; init; }
/// <summary>
/// Gets or sets the username that will be sent to the authorization server.
/// </summary>
public required string Username { get; init; }
// NOTE(review): a certificate used for mutual TLS presumably needs an accessible private key;
// this record does not show who validates that or who disposes the certificate - confirm.
/// <summary>
/// Gets or sets the X.509 client certificate used to bind the access and/or
/// refresh tokens issued by the authorization server, if applicable.
/// </summary>
/// <remarks>
/// <para>
/// Note: when mTLS is also used for OAuth 2.0 client authentication, the
/// certificate set here replaces the client certificate chosen by OpenIddict.
/// </para>
/// <para>
/// Note: if a certificate-based client authentication or token binding method is
/// negotiated, the type of the certificate must match the negotiated methods.
/// </para>
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public X509Certificate2? TokenBindingCertificate { get; init; }
}
/// <summary>
/// Represents a resource owner password credentials authentication result.
/// </summary>
public sealed record class PasswordAuthenticationResult
{
// NOTE(review): this is a record with no ToString()/PrintMembers override in its body, so the
// compiler-generated ToString() includes the value of every public property. Logging or
// string-formatting an instance therefore writes AccessToken, IdentityToken, RefreshToken and
// UserInfoToken to the output; log individual non-secret members instead.
/// <summary>
/// Gets or sets the access token.
/// </summary>
public required string AccessToken { get; init; }
/// <summary>
/// Gets or sets the expiration date of the access token, if available.
/// </summary>
public required DateTimeOffset? AccessTokenExpirationDate { get; init; }
/// <summary>
/// Gets or sets the identity token, if available.
/// </summary>
public required string? IdentityToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the identity token, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? IdentityTokenPrincipal { get; init; }
/// <summary>
/// Gets or sets a merged principal containing all the claims
/// extracted from the identity token and userinfo token principals.
/// </summary>
public required ClaimsPrincipal Principal { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
/// <summary>
/// Gets or sets the refresh token, if available.
/// </summary>
public required string? RefreshToken { get; init; }
/// <summary>
/// Gets or sets the token response.
/// </summary>
public required OpenIddictResponse TokenResponse { get; init; }
/// <summary>
/// Gets or sets the userinfo token, if available.
/// </summary>
public required string? UserInfoToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the userinfo token or response, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? UserInfoTokenPrincipal { get; init; }
}
/// <summary>
/// Represents a refresh token authentication request.
/// </summary>
/// <remarks>
/// Note: this record carries a credential (<see cref="RefreshToken"/>). As no <c>ToString()</c> override
/// is declared, the compiler-synthesized record <c>ToString()</c> includes the value of every public
/// property: avoid passing instances to loggers or exception messages as-is.
/// </remarks>
public sealed record class RefreshTokenAuthenticationRequest
{
/// <summary>
/// Gets or sets the parameters that will be added to the token request.
/// </summary>
public Dictionary? AdditionalTokenRequestParameters { get; init; }
/// <summary>
/// Gets the audiences that will be sent to the authorization server.
/// </summary>
public List? Audiences { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
// When left unset, this is default(CancellationToken), which can never be canceled.
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled, which may be required
/// when sending a refresh token that was acquired using a user-less flow (e.g. client credentials).
/// </summary>
public bool DisableUserInfo { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets the resources that will be sent to the authorization server.
/// </summary>
public List? Resources { get; init; }
/// <summary>
/// Gets the scopes that will be sent to the authorization server.
/// </summary>
public List? Scopes { get; init; }
/// <summary>
/// Gets or sets the refresh token that will be sent to the authorization server.
/// </summary>
public required string RefreshToken { get; init; }
/// <summary>
/// Gets or sets the X.509 client certificate used to bind the access and/or
/// refresh tokens issued by the authorization server, if applicable.
/// </summary>
/// <remarks>
/// <para>
/// Note: when mTLS is also used for OAuth 2.0 client authentication, the
/// certificate set here replaces the client certificate chosen by OpenIddict.
/// </para>
/// <para>
/// Note: if a certificate-based client authentication or token binding method is
/// negotiated, the type of the certificate must match the negotiated methods.
/// </para>
/// </remarks>
// NOTE(review): the record only stores a reference to the certificate and nothing visible here
// disposes it, so its lifetime is presumably the caller's responsibility - confirm against the caller.
[EditorBrowsable(EditorBrowsableState.Advanced)]
public X509Certificate2? TokenBindingCertificate { get; init; }
}
/// <summary>
/// Represents a refresh token authentication result.
/// </summary>
/// <remarks>
/// Note: this record carries bearer credentials (<see cref="AccessToken"/>, <see cref="IdentityToken"/>,
/// <see cref="RefreshToken"/> and <see cref="UserInfoToken"/>). As no <c>ToString()</c> override is declared,
/// the compiler-synthesized record <c>ToString()</c> includes the value of every public property:
/// avoid passing instances to loggers, exception messages or diagnostics output as-is.
/// </remarks>
public sealed record class RefreshTokenAuthenticationResult
{
/// <summary>
/// Gets or sets the access token.
/// </summary>
public required string AccessToken { get; init; }
/// <summary>
/// Gets or sets the expiration date of the access token, if available.
/// </summary>
// Declared "required": the initializer must assign it explicitly, even when the value is null.
public required DateTimeOffset? AccessTokenExpirationDate { get; init; }
/// <summary>
/// Gets or sets the identity token, if available.
/// </summary>
public required string? IdentityToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the identity token, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? IdentityTokenPrincipal { get; init; }
/// <summary>
/// Gets or sets a merged principal containing all the claims
/// extracted from the identity token and userinfo token principals.
/// </summary>
public required ClaimsPrincipal Principal { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
/// <summary>
/// Gets or sets the refresh token, if available.
/// </summary>
// NOTE(review): nullable, so a caller that persists refresh tokens should handle the case where
// none is present; whether the previously sent token stays usable then is not visible here.
public required string? RefreshToken { get; init; }
/// <summary>
/// Gets or sets the token response.
/// </summary>
public required OpenIddictResponse TokenResponse { get; init; }
/// <summary>
/// Gets or sets the userinfo token, if available.
/// </summary>
public required string? UserInfoToken { get; init; }
/// <summary>
/// Gets or sets the principal extracted from the userinfo token or response, if available.
/// </summary>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public required ClaimsPrincipal? UserInfoTokenPrincipal { get; init; }
}
/// <summary>
/// Represents a token exchange authentication request.
/// </summary>
/// <remarks>
/// Note: this record carries security tokens (<see cref="SubjectToken"/> and, if set,
/// <see cref="ActorToken"/>). As no <c>ToString()</c> override is declared, the compiler-synthesized
/// record <c>ToString()</c> includes the value of every public property: avoid passing instances
/// to loggers or exception messages as-is.
/// </remarks>
public sealed record class TokenExchangeAuthenticationRequest
{
/// <summary>
/// Gets or sets the actor token that will be sent to the authorization server, if applicable.
/// </summary>
public string? ActorToken { get; init; }
/// <summary>
/// Gets or sets the type of the actor token, if applicable.
/// </summary>
// NOTE(review): nothing in this record ties ActorTokenType to ActorToken; presumably both are
// expected to be set together - confirm where the request is validated.
public string? ActorTokenType { get; init; }
/// <summary>
/// Gets the audiences that will be sent to the authorization server.
/// </summary>
public List? Audiences { get; init; }
/// <summary>
/// Gets or sets the parameters that will be added to the token request.
/// </summary>
public Dictionary? AdditionalTokenRequestParameters { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
// When left unset, this is default(CancellationToken), which can never be canceled.
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets a boolean indicating whether userinfo should be disabled, which may be
/// required when receiving an access token that cannot be used with the userinfo endpoint.
/// </summary>
/// <remarks>
/// Note: by default, a userinfo request is only sent when an access token is returned by the server.
/// </remarks>
public bool DisableUserInfo { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets or sets the type of the requested token, if applicable.
/// </summary>
public string? RequestedTokenType { get; init; }
/// <summary>
/// Gets the resources that will be sent to the authorization server.
/// </summary>
public List? Resources { get; init; }
/// <summary>
/// Gets the scopes that will be sent to the authorization server.
/// </summary>
public List? Scopes { get; init; }
/// <summary>
/// Gets or sets the subject token that will be sent to the authorization server.
/// </summary>
public required string SubjectToken { get; init; }
/// <summary>
/// Gets or sets the type of the subject token.
/// </summary>
public required string SubjectTokenType { get; init; }
/// <summary>
/// Gets or sets the X.509 client certificate used to bind the access and/or
/// refresh tokens issued by the authorization server, if applicable.
/// </summary>
/// <remarks>
/// <para>
/// Note: when mTLS is also used for OAuth 2.0 client authentication, the
/// certificate set here replaces the client certificate chosen by OpenIddict.
/// </para>
/// <para>
/// Note: if a certificate-based client authentication or token binding method is
/// negotiated, the type of the certificate must match the negotiated methods.
/// </para>
/// </remarks>
// NOTE(review): the record only stores a reference to the certificate and nothing visible here
// disposes it, so its lifetime is presumably the caller's responsibility - confirm against the caller.
[EditorBrowsable(EditorBrowsableState.Advanced)]
public X509Certificate2? TokenBindingCertificate { get; init; }
}
/// <summary>
/// Represents a token exchange authentication result.
/// </summary>
/// <remarks>
/// Note: this record carries security tokens (<see cref="IssuedToken"/> and, if available,
/// <see cref="RefreshToken"/>). As no <c>ToString()</c> override is declared, the compiler-synthesized
/// record <c>ToString()</c> includes the value of every public property: avoid passing instances
/// to loggers, exception messages or diagnostics output as-is.
/// </remarks>
public sealed record class TokenExchangeAuthenticationResult
{
/// <summary>
/// Gets or sets the issued token.
/// </summary>
public required string IssuedToken { get; init; }
/// <summary>
/// Gets or sets the expiration date of the issued token, if available.
/// </summary>
// Declared "required": the initializer must assign it explicitly, even when the value is null.
public required DateTimeOffset? IssuedTokenExpirationDate { get; init; }
/// <summary>
/// Gets or sets the type of the issued token.
/// </summary>
// The issued token is typed by this value rather than by a dedicated property; consumers
// should check it before treating IssuedToken as an access token.
public required string IssuedTokenType { get; init; }
/// <summary>
/// Gets or sets a merged principal containing all the claims
/// extracted from the identity token and userinfo token principals.
/// </summary>
// NOTE(review): unlike the other result records, this one exposes no identity token or userinfo
// token properties - confirm which principals are actually merged here.
public required ClaimsPrincipal Principal { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
/// <summary>
/// Gets or sets the refresh token, if available.
/// </summary>
public required string? RefreshToken { get; init; }
/// <summary>
/// Gets or sets the token response.
/// </summary>
public required OpenIddictResponse TokenResponse { get; init; }
}
/// <summary>
/// Represents a revocation request.
/// </summary>
/// <remarks>
/// Note: this record carries the token to revoke (<see cref="Token"/>), which is presumably still
/// usable until the authorization server has processed the request. As no <c>ToString()</c> override
/// is declared, the compiler-synthesized record <c>ToString()</c> includes the value of every public
/// property: avoid passing instances to loggers or exception messages as-is.
/// </remarks>
public sealed record class RevocationRequest
{
/// <summary>
/// Gets or sets the parameters that will be added to the revocation request.
/// </summary>
public Dictionary? AdditionalRevocationRequestParameters { get; init; }
/// <summary>
/// Gets or sets the cancellation token that will be
/// used to determine if the operation was aborted.
/// </summary>
// When left unset, this is default(CancellationToken), which can never be canceled.
public CancellationToken CancellationToken { get; init; }
/// <summary>
/// Gets or sets the application-specific properties that will be added to the context.
/// </summary>
public Dictionary? Properties { get; init; }
/// <summary>
/// Gets or sets the provider name used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations use the same provider name,
/// the property must be explicitly set.
/// </remarks>
public string? ProviderName { get; init; }
/// <summary>
/// Gets or sets the unique identifier of the client registration that will be used.
/// </summary>
public string? RegistrationId { get; init; }
/// <summary>
/// Gets the token that will be sent to the authorization server.
/// </summary>
public required string Token { get; init; }
/// <summary>
/// Gets the token type hint that will be sent to the authorization server.
/// </summary>
// Per RFC 7009, the hint only helps the server locate the token and may be ignored by it.
public string? TokenTypeHint { get; init; }
/// <summary>
/// Gets or sets the issuer used to resolve the client registration.
/// </summary>
/// <remarks>
/// Note: if multiple client registrations point to the same issuer,
/// the property must be explicitly set.
/// </remarks>
public Uri? Issuer { get; init; }
}
/// <summary>
/// Represents a revocation result.
/// </summary>
/// <remarks>
/// Note: per RFC 7009, an authorization server also answers successfully when the submitted token
/// is invalid or unknown, so a result does not by itself prove that a live token was revoked.
/// </remarks>
public sealed record class RevocationResult
{
/// <summary>
/// Gets or sets the application-specific properties that were present in the context.
/// </summary>
public required Dictionary Properties { get; init; }
/// <summary>
/// Gets or sets the revocation response.
/// </summary>
public required OpenIddictResponse RevocationResponse { get; init; }
}
}