Microsoft.Owin.Security.OpenIdConnect

This Notification can be used to be informed when an 'AuthorizationCode' is received over the OpenIdConnect protocol.

Creates a

Gets or sets the

Gets or sets the 'code'.

Gets or sets the that was received in the id_token + code OpenIdConnectRequest.

The request that will be sent to the token endpoint and is available for customization.

Gets or sets the .

Gets or sets the 'redirect_uri'.

This is the redirect_uri that was sent in the id_token + code OpenIdConnectRequest.

If the developer chooses to redeem the code themselves then they can provide the resulting tokens here. This is the same as calling HandleCodeRedemption. If set then the handler will not attempt to redeem the code. An IdToken is required if one had not been previously received in the authorization response.

Indicates if the developer choose to handle (or skip) the code redemption. If true then the handler will not attempt to redeem the code. See HandleCodeRedemption and TokenEndpointResponse.

Tells the handler to skip the code redemption process. The developer may have redeemed the code themselves, or decided that the redemption was not required. If tokens were retrieved that are needed for further processing then call one of the overloads that allows providing tokens. An IdToken is required if one had not been previously received in the authorization response. Calling this is the same as setting TokenEndpointResponse.

This Notification can be used to be informed when an 'AuthorizationCode' is redeemed for tokens at the token endpoint.

Creates a

Gets or sets the that contains the code redeemed for tokens at the token endpoint.

Gets or sets the that contains the tokens received after redeeming the code at the token endpoint.

code_verifier defined in https://tools.ietf.org/html/rfc7636

code_challenge defined in https://tools.ietf.org/html/rfc7636

code_challenge_method defined in https://tools.ietf.org/html/rfc7636

S256 defined in https://tools.ietf.org/html/rfc7636

Default values related to OpenIdConnect authentication middleware

The default value used for OpenIdConnectAuthenticationOptions.AuthenticationType

The prefix used to provide a default OpenIdConnectAuthenticationOptions.CookieName

The default value for OpenIdConnectAuthenticationOptions.Caption.

The prefix used to for the a nonce in the cookie

The property for the RedirectUri that was used when asking for a 'authorizationCode'

A per-request authentication handler for the OpenIdConnectAuthenticationMiddleware.

Creates a new OpenIdConnectAuthenticationHandler

Handles Signout

Handles SignIn

Invoked to process incoming authentication messages.

An if successful.

Redeems the authorization code for tokens at the token endpoint.

The request that will be sent to the token endpoint and is available for customization. OpenIdConnect message that has tokens inside it.

'Remembers' the nonce associated with this message. By default the nonce added as a secure cookie.

associated with the nonce. the nonce to remember. A cookie is added with the name obtained from .

Save the tokens contained in the in the .

The in which tokens are saved. The OpenID Connect response.

Calls InvokeReplyPathAsync

True if the request was handled, false if the next middleware should be invoked.

OWIN middleware for obtaining identities using OpenIdConnect protocol.

Initializes a

The next middleware in the OWIN pipeline to invoke The OWIN application Configuration options for the middleware

Provides the object for processing authentication-related requests.

An configured with the supplied to the constructor.

Specifies events which the invokes to enable developer control over the authentication process. />

Creates a new set of notifications. Each notification has a default no-op behavior unless otherwise documented.

Invoked if exceptions are thrown during request processing. The exceptions will be re-thrown after this event unless suppressed.

Invoked after security token validation if an authorization code is present in the protocol message.

Invoked when a protocol message is first received.

Invoked to manipulate redirects to the identity provider for SignIn, SignOut, or Challenge.

Invoked with the security token that has been extracted from the protocol message.

Invoked after the security token has passed validation and a ClaimsIdentity has been generated. Note there are additional checks after this event that validate other aspects of the authentication flow like the nonce.

Invoked after "authorization code" is redeemed for tokens at the token endpoint.

Configuration options for

Initializes a new

Defaults: AddNonceToRequest: true. AuthenticationMode: . BackchannelTimeout: 1 minute. Caption: . ProtocolValidator: new . RefreshOnIssuerKeyNotFound: true ResponseMode: ResponseType: Scope: . TokenValidationParameters: new with AuthenticationType = authenticationType. UseTokenLifetime: true. RedeemCode: false. UsePkce: true. will be used to when creating the for the AuthenticationType property.

Gets or sets the Authority to use when making OpenIdConnect calls.

An optional constrained path on which to process the authentication callback. If not provided and RedirectUri is available, this value will be generated from RedirectUri.

If you set this value, then the will only listen for posts at this address. If the IdentityProvider does not post to this address, you may end up in a 401 -> IdentityProvider -> Client -> 401 -> ...

Gets or sets the a pinned certificate validator to use to validate the endpoints used when retrieving metadata.

The pinned certificate validator. If this property is null then the default certificate checks are performed, validating the subject name and if the signing chain is a trusted party.

The HttpMessageHandler used to retrieve metadata. This cannot be set at the same time as BackchannelCertificateValidator unless the value is a WebRequestHandler.

Gets or sets the timeout when using the backchannel to make an http call.

Used to communicate with the remote identity provider.

Get or sets the text that the user can display on a sign in user interface.

Gets or sets the 'client_id'.

Gets or sets the 'client_secret'.

Configuration provided directly by the developer. If provided, then MetadataAddress and the Backchannel properties will not be used. This information should not be updated during request processing.

Gets or sets if HTTPS is required for the metadata address or authority. The default is true. This should be disabled only in development environments.

Gets or sets the discovery endpoint for obtaining metadata

Responsible for retrieving, caching, and refreshing the configuration from metadata. If not provided, then one will be created using the MetadataAddress and Backchannel properties.

Gets or sets if a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. This allows for automatic recovery in the event of a signature key rollover. This is enabled by default.

Gets or sets the to notify when processing OpenIdConnect messages.

Gets or sets the that is used ensure the 'id_token' received is valid per: http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

if 'value' is null.

Gets or sets the 'post_logout_redirect_uri'

This is sent to the OP as the redirect for the user-agent.

Gets or sets the 'redirect_uri'.

Gets or sets the 'resource'.

Gets or sets the 'response_mode'.

Gets or sets the 'response_type'.

Gets or sets the 'scope'.

Gets or sets the AuthenticationType used when creating the .

Gets or sets the type used to secure data handled by the middleware.

Gets or sets the used to validate identity tokens.

Gets or sets the TokenValidationParameters

Contains the types and definitions required for validating a token.

Indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token. If the token does not provide lifetime information then normal session lifetimes will be used. This is enabled by default.

Defines whether access and refresh tokens should be stored in the after a successful authorization. This property is set to false by default to reduce the size of the final authentication cookie.

An abstraction for reading and setting cookies during the authentication process.

When set to true the authorization code will be redeemed for tokens at the token endpoint. This property is set to false by default.

Enables or disables the use of the Proof Key for Code Exchange (PKCE) standard. This only applies when the is set to . See https://tools.ietf.org/html/rfc7636. The default value is `true`.

A strongly-typed resource class, for looking up localized strings, etc.

Returns the cached ResourceManager instance used by this class.

Overrides the current thread's CurrentUICulture property for all resource lookups using this strongly typed resource class.

Looks up a localized string similar to BackchannelTimeout cannot be less or equal to TimeSpan.Zero..

Looks up a localized string similar to "OpenIdConnectMessage.Error was not null, indicating an error. Error: '{0}'. Error_Description (may be empty): '{1}'. Error_Uri (may be empty): '{2}'.".

Looks up a localized string similar to OIDC_20001: The query string for Logout is not a well formed URI. The runtime cannot redirect. Redirect uri: '{0}'..

Looks up a localized string similar to An ICertificateValidator cannot be specified at the same time as an HttpMessageHandler unless it is a WebRequestHandler..

Looks up a localized string similar to Unable to validate the 'id_token', no suitable ISecurityTokenValidator was found for: '{0}'.".

Looks up a localized string similar to The Validated Security Token must be of type JwtSecurityToken, but instead its type is: '{0}'..

Extension methods for using

Adds the into the OWIN runtime.

The passed to the configuration method The application identifier. The discovery endpoint for obtaining metadata. The updated

Adds the into the OWIN runtime.

The passed to the configuration method A contains settings for obtaining identities using the OpenIdConnect protocol. The updated