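/*
 * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
 * See https://github.com/openiddict/openiddict-core for more information concerning
 * the license and the contributors participating to this project.
 */

using System.Diagnostics;
using System.Security.Claims;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Tokens;

namespace OpenIddict.Client;

/// <summary>
/// Contains the properties used to configure a client/server link.
/// </summary>
[DebuggerDisplay("{Issuer,nq}")]
public sealed class OpenIddictClientRegistration
{
    /// <summary>
    /// Gets or sets the unique identifier assigned to the registration.
    /// </summary>
    public string? RegistrationId { get; set; }

    /// <summary>
    /// Gets or sets the client identifier assigned by the authorization server.
    /// </summary>
    public string? ClientId { get; set; }

    /// <summary>
    /// Gets or sets the client secret assigned by the authorization server, if applicable.
    /// </summary>
    /// <remarks>
    /// Note: client authentication based on shared secrets is not recommended and should
    /// only be used for backward compatibility with legacy applications that only support
    /// client secrets. When possible, consider using public/private key pairs or TLS client
    /// certificates instead, as these client authentication methods are significantly safer.
    /// </remarks>
    public string? ClientSecret { get; set; }

    /// <summary>
    /// Gets or sets a boolean indicating whether pushed authorization requests are disabled.
    /// When pushed authorization requests are disabled, PAR is not used by the OpenIddict client,
    /// even if the remote authorization server exposes a pushed authorization endpoint. If the
    /// authorization server requires using PAR but this property is set to <see langword="true"/>,
    /// an exception is automatically thrown when starting an interactive authentication challenge.
    /// </summary>
    public bool DisablePushedAuthorizationRequests { get; set; }

    /// <summary>
    /// Gets or sets the URI of the redirection endpoint that will handle the callback.
    /// </summary>
    /// <remarks>
    /// Note: this value is automatically added to
    /// <see cref="OpenIddictClientOptions.RedirectionEndpointUris"/>.
    /// </remarks>
    public Uri? RedirectUri { get; set; }

    /// <summary>
    /// Gets or sets the URI of the post-logout redirection endpoint that will handle the callback.
    /// </summary>
    /// <remarks>
    /// Note: this value is automatically added to
    /// <see cref="OpenIddictClientOptions.PostLogoutRedirectionEndpointUris"/>.
    /// </remarks>
    public Uri? PostLogoutRedirectUri { get; set; }

    /// <summary>
    /// Gets the list of encryption credentials used to create tokens for this client.
    /// Multiple credentials can be added to support key rollover, but if X.509 keys
    /// are used, at least one of them must have a valid creation/expiration date.
    /// </summary>
    public List<EncryptingCredentials> EncryptionCredentials { get; } = [];

    /// <summary>
    /// Gets the list of signing credentials used to create tokens for this client.
    /// Multiple credentials can be added to support key rollover, but if X.509 keys
    /// are used, at least one of them must have a valid creation/expiration date.
    /// </summary>
    public List<SigningCredentials> SigningCredentials { get; } = [];

    /// <summary>
    /// Gets the client authentication methods allowed by the client instance.
    /// If no value is explicitly set, all the methods enabled in the client options can be used.
    /// </summary>
    /// <remarks>
    /// The final client authentication method used in backchannel requests is chosen by OpenIddict based
    /// on the client options, the server configuration and the values registered in this property.
    /// </remarks>
    public HashSet<string> ClientAuthenticationMethods { get; } = new(StringComparer.Ordinal);

    /// <summary>
    /// Gets or sets the type of the client. If no value is explicitly set, the client is assumed to be
    /// "confidential" if a client secret or a signing key/certificate was assigned ("public" otherwise).
    /// </summary>
    public string? ClientType { get; set; }

    /// <summary>
    /// Gets the code challenge methods allowed by the client instance.
    /// If no value is explicitly set, all the methods enabled in the client options can be used.
    /// </summary>
    /// <remarks>
    /// The final code challenge method used in authorization requests is chosen by OpenIddict based
    /// on the client options, the server configuration and the values registered in this property.
    /// </remarks>
    public HashSet<string> CodeChallengeMethods { get; } = new(StringComparer.Ordinal);

    /// <summary>
    /// Gets the grant types allowed by the client instance.
    /// If no value is explicitly set, all the modes enabled in the client options can be used.
    /// </summary>
    /// <remarks>
    /// The final grant type used in authorization requests is chosen by OpenIddict based on
    /// the client options, the server configuration and the values registered in this property.
    /// </remarks>
    public HashSet<string> GrantTypes { get; } = new(StringComparer.Ordinal);

    /// <summary>
    /// Gets the response modes allowed by the client instance.
    /// If no value is explicitly set, all the modes enabled in the client options can be used.
    /// </summary>
    /// <remarks>
    /// The final response mode used in authorization requests is chosen by OpenIddict based on
    /// the client options, the server configuration and the values registered in this property.
    /// </remarks>
    public HashSet<string> ResponseModes { get; } = new(StringComparer.Ordinal);

    /// <summary>
    /// Gets the response type combinations allowed by the client instance.
    /// If no value is explicitly set, all the types enabled in the client options can be used.
    /// </summary>
    /// <remarks>
    /// The final response type used in authorization requests is chosen by OpenIddict based on
    /// the client options, the server configuration and the values registered in this property.
    /// </remarks>
    public HashSet<string> ResponseTypes { get; } = new(StringComparer.Ordinal);

    /// <summary>
    /// Gets the token binding methods allowed by the client instance.
    /// If no value is explicitly set, all the methods enabled in the client options can be used.
    /// </summary>
    /// <remarks>
    /// The final token binding method used in backchannel requests is chosen by OpenIddict based
    /// on the client options, the server configuration and the values registered in this property.
    /// </remarks>
    public HashSet<string> TokenBindingMethods { get; } = new(StringComparer.Ordinal);

    /// <summary>
    /// Gets or sets the issuer that will be attached to the <see cref="Claim"/>
    /// instances created by the OpenIddict client stack for this registration.
    /// </summary>
    /// <remarks>
    /// Note: if this property is not explicitly set, the provider name (if set)
    /// or the issuer URI are automatically used as a fallback value.
    /// </remarks>
    public string? ClaimsIssuer { get; set; }

    /// <summary>
    /// Gets or sets the URI of the authorization server.
    /// </summary>
    public Uri? Issuer { get; set; }

    /// <summary>
    /// Gets or sets the provider display name.
    /// </summary>
    public string? ProviderDisplayName { get; set; }

    /// <summary>
    /// Gets or sets the provider name.
    /// </summary>
    /// <remarks>
    /// The provider name can be safely used as a stable public identifier.
    /// </remarks>
    public string? ProviderName { get; set; }

    /// <summary>
    /// Gets or sets the provider settings, if applicable.
    /// </summary>
    public dynamic? ProviderSettings { get; set; }

    /// <summary>
    /// Gets or sets the provider type, if applicable.
    /// </summary>
    /// <remarks>
    /// Note: when manually set, the specified value MUST match the type of an existing
    /// provider supported by the OpenIddict.Client.WebIntegration companion package.
    /// </remarks>
    public string? ProviderType { get; set; }

    /// <summary>
    /// Gets or sets the static server configuration, if applicable.
    /// </summary>
    public OpenIddictConfiguration? Configuration { get; set; }

    /// <summary>
    /// Gets or sets the configuration manager used to retrieve and cache the server configuration.
    /// </summary>
    public IConfigurationManager<OpenIddictConfiguration>? ConfigurationManager { get; set; }

    /// <summary>
    /// Gets or sets the URI of the configuration endpoint exposed by the server.
    /// When the URI is relative, <see cref="Issuer"/> must be set and absolute.
    /// </summary>
    public Uri? ConfigurationEndpoint { get; set; }

    /// <summary>
    /// Gets the token validation parameters associated with the authorization server.
    /// </summary>
    /// <remarks>
    /// These parameters are tuned for the OpenIddict client pipeline: audience and lifetime
    /// validation are turned off here because OpenIddict performs those checks itself, and
    /// the type validator accepts tokens without a "typ" header as generic JSON Web Tokens.
    /// They should therefore not be reused as-is to validate tokens outside of that pipeline.
    /// </remarks>
    public TokenValidationParameters TokenValidationParameters { get; } = new()
    {
        AuthenticationType = TokenValidationParameters.DefaultAuthenticationType,
        // No skew is tolerated here; lifetime checks are deliberately left to OpenIddict (see below).
        ClockSkew = TimeSpan.Zero,
        NameClaimType = Claims.Name,
        RoleClaimType = Claims.Role,
        TypeValidator = static (type, token, parameters) =>
        {
            // Assume that tokens that don't have an explicit "typ" header attached are generic JSON Web Tokens.
            if (string.IsNullOrEmpty(type))
            {
                type = JsonWebTokenTypes.GenericJsonWebToken;
            }

            // Note: unlike IdentityModel, this custom validator deliberately uses case-insensitive comparisons.
            if (parameters.ValidTypes is not null && parameters.ValidTypes.Any() &&
                !parameters.ValidTypes.Contains(type, StringComparer.OrdinalIgnoreCase))
            {
                throw new SecurityTokenInvalidTypeException(SR.GetResourceString(SR.ID0271))
                {
                    InvalidType = type
                };
            }

            return type;
        },

        // Note: audience and lifetime are manually validated by OpenIddict itself.
        ValidateAudience = false,
        ValidateLifetime = false
    };

    /// <summary>
    /// Gets the list of scopes sent by default as part of
    /// authorization requests and device authorization requests.
    /// </summary>
    public HashSet<string> Scopes { get; } = new(StringComparer.Ordinal);

    /// <summary>
    /// Gets the bag used to store additional provider-specific properties.
    /// </summary>
    public Dictionary<string, object?> Properties { get; } = new(StringComparer.OrdinalIgnoreCase);
}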