Class OpenIddictServerOptions
Provides various settings needed to configure the OpenIddict server handler.
Namespace: OpenIddict.Server
Syntax
public class OpenIddictServerOptions
Properties
AcceptAnonymousClients
Gets or sets a boolean determining whether client identification is optional. Enabling this option allows client applications to communicate with the token, introspection and revocation endpoints without having to send their client identifier.
Declaration
public bool AcceptAnonymousClients { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
AccessTokenLifetime
Gets or sets the period of time access tokens remain valid after being issued. The default value is 1 hour. The client application is expected to refresh or acquire a new access token after the token has expired.
While not recommended, this property can be set to null to issue access tokens that never expire.
Declaration
public TimeSpan? AccessTokenLifetime { get; set; }
Property Value
Type | Description |
---|---|
System.Nullable<System.TimeSpan> |
AuthorizationCodeLifetime
Gets or sets the period of time authorization codes remain valid after being issued. The default value is 5 minutes.
While not recommended, this property can be set to null to issue codes that never expire.
Declaration
public TimeSpan? AuthorizationCodeLifetime { get; set; }
Property Value
Type | Description |
---|---|
System.Nullable<System.TimeSpan> |
AuthorizationEndpointUris
Gets the absolute and relative URIs associated with the authorization endpoint.
Declaration
public List<Uri> AuthorizationEndpointUris { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<Uri> |
Claims
Gets the OAuth 2.0/OpenID Connect claims supported by this application.
Declaration
public HashSet<string> Claims { get; }
Property Value
Type | Description |
---|---|
HashSet<System.String> |
CodeChallengeMethods
Gets the OAuth 2.0 code challenge methods enabled for this application. By default, only the S256 method is allowed (if the code flow is enabled).
Declaration
public HashSet<string> CodeChallengeMethods { get; }
Property Value
Type | Description |
---|---|
HashSet<System.String> |
ConfigurationEndpointUris
Gets the absolute and relative URIs associated with the configuration endpoint.
Declaration
public List<Uri> ConfigurationEndpointUris { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<Uri> |
CryptographyEndpointUris
Gets the absolute and relative URIs associated with the cryptography endpoint.
Declaration
public List<Uri> CryptographyEndpointUris { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<Uri> |
DeviceCodeLifetime
Gets or sets the period of time device codes remain valid after being issued. The default value is 10 minutes. The client application is expected to start a whole new authentication flow after the device code has expired.
While not recommended, this property can be set to null to issue codes that never expire.
Note: the same value should be chosen for both UserCodeLifetime and this property.
Declaration
public TimeSpan? DeviceCodeLifetime { get; set; }
Property Value
Type | Description |
---|---|
System.Nullable<System.TimeSpan> |
DeviceEndpointUris
Gets the absolute and relative URIs associated with the device endpoint.
Declaration
public List<Uri> DeviceEndpointUris { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<Uri> |
DisableAccessTokenEncryption
Gets or sets a boolean indicating whether access token encryption should be disabled. Disabling encryption is NOT recommended and SHOULD only be done when issuing tokens to third-party resource servers/APIs you don't control and don't fully trust. Note: disabling encryption has no effect when using ASP.NET Core Data Protection.
Declaration
public bool DisableAccessTokenEncryption { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
DisableAuthorizationStorage
Gets or sets a boolean indicating whether authorization storage should be disabled. When disabled, ad-hoc authorizations are not created when an authorization code or refresh token is issued, so there is no authorization entry to revoke when the associated tokens need to be invalidated.
Declaration
public bool DisableAuthorizationStorage { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
DisableRollingRefreshTokens
Gets or sets a boolean indicating whether rolling tokens are disabled. When rolling tokens are enabled (the default), a refresh token presented in a token request is marked as redeemed and a new refresh token is returned. When disabled, refresh tokens used in a token request are not marked as redeemed and can still be used until they expire. Disabling rolling refresh tokens is NOT recommended, for security reasons.
Declaration
public bool DisableRollingRefreshTokens { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
DisableScopeValidation
Gets or sets a boolean indicating whether scope validation is disabled. When validation is enabled (the default), requests containing a scope that is neither listed in Scopes nor registered through the scope manager are rejected; disabling it lets clients request arbitrary scope values.
Declaration
public bool DisableScopeValidation { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
DisableSlidingRefreshTokenExpiration
Gets or sets a boolean indicating whether sliding expiration is disabled for refresh tokens. When this option is set to true, refresh tokens are issued with a fixed expiration date: when they expire, a complete authorization flow must be started to retrieve a new refresh token.
Declaration
public bool DisableSlidingRefreshTokenExpiration { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
DisableTokenStorage
Gets or sets a boolean indicating whether token storage should be disabled. When disabled, no database entry is created for the tokens and codes returned by OpenIddict. Using this option is generally NOT recommended as it prevents the tokens and codes from being revoked (if needed).
Declaration
public bool DisableTokenStorage { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
EnableDegradedMode
Gets or sets a boolean indicating whether the degraded mode is enabled. When this degraded mode is enabled, all the security checks that depend on the OpenIddict core managers are disabled. This option MUST be enabled with extreme caution and custom handlers MUST be registered to properly validate OpenID Connect requests.
Declaration
public bool EnableDegradedMode { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
EncryptionCredentials
Gets the list of encryption credentials used by the OpenIddict server services. Multiple credentials can be added to support key rollover, but if X.509 keys are used, at least one of them must have a valid creation/expiration date. Note: the encryption credentials are not used to protect/unprotect tokens issued by ASP.NET Core Data Protection, which uses its own key ring, configured separately.
Declaration
public List<EncryptingCredentials> EncryptionCredentials { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<EncryptingCredentials> |
Remarks
Note: OpenIddict automatically sorts the credentials based on the following algorithm:
- Symmetric keys are always preferred when they can be used for the operation (e.g. token encryption).
- X.509 keys are always preferred to non-X.509 asymmetric keys.
- X.509 keys with the furthest expiration date are preferred.
- X.509 keys whose backing certificate is not yet valid are never preferred.
GrantTypes
Gets the OAuth 2.0/OpenID Connect flows enabled for this application.
Declaration
public HashSet<string> GrantTypes { get; }
Property Value
Type | Description |
---|---|
HashSet<System.String> |
Handlers
Gets the list of the handlers responsible for processing the OpenIddict server operations. Note: the list is automatically sorted based on the order assigned to each handler descriptor. As such, it MUST NOT be mutated after options initialization to preserve the exact order.
Declaration
public List<OpenIddictServerHandlerDescriptor> Handlers { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<OpenIddictServerHandlerDescriptor> |
IdentityTokenLifetime
Gets or sets the period of time identity tokens remain valid after being issued. The default value is 20 minutes. The client application is expected to refresh or acquire a new identity token after the token has expired.
While not recommended, this property can be set to null to issue identity tokens that never expire.
Declaration
public TimeSpan? IdentityTokenLifetime { get; set; }
Property Value
Type | Description |
---|---|
System.Nullable<System.TimeSpan> |
IgnoreEndpointPermissions
Gets or sets a boolean indicating whether endpoint permissions should be ignored. Setting this property to true is NOT recommended.
Declaration
public bool IgnoreEndpointPermissions { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
IgnoreGrantTypePermissions
Gets or sets a boolean indicating whether grant type permissions should be ignored. Setting this property to true is NOT recommended.
Declaration
public bool IgnoreGrantTypePermissions { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
IgnoreResponseTypePermissions
Gets or sets a boolean indicating whether response type permissions should be ignored. Setting this property to true is NOT recommended.
Declaration
public bool IgnoreResponseTypePermissions { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
IgnoreScopePermissions
Gets or sets a boolean indicating whether scope permissions should be ignored. Setting this property to true is NOT recommended.
Declaration
public bool IgnoreScopePermissions { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
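Several switches on this page (EnableDegradedMode, DisableTokenStorage, DisableAuthorizationStorage, DisableRollingRefreshTokens, DisableAccessTokenEncryption, DisableScopeValidation and the four Ignore*Permissions flags, plus null lifetimes) are documented as "NOT recommended" but nothing stops them from reaching production. The following is an added example, not OpenIddict's own code: a startup guard implemented with the standard Microsoft.Extensions.Options IPostConfigureOptions<T> hook, so it runs after the application's own configuration of OpenIddictServerOptions. It assumes the host exposes IHostEnvironment and that the class is registered in the service collection as shown in the trailing comment; the PKCE and Issuer checks are the author's opinionated additions and can be dropped where a deployment has a documented reason for them.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Options;
using OpenIddict.Server;

// Added example (not part of OpenIddict): refuse to start a production host whose
// OpenIddictServerOptions still carry one of the "NOT recommended" switches.
public sealed class OpenIddictServerOptionsGuard : IPostConfigureOptions<OpenIddictServerOptions>
{
    private readonly IHostEnvironment _environment;

    public OpenIddictServerOptionsGuard(IHostEnvironment environment)
        => _environment = environment;

    public void PostConfigure(string? name, OpenIddictServerOptions options)
    {
        var findings = Audit(options);
        if (findings.Count == 0)
            return;

        // Fail closed in production; in other environments the list is left for the
        // caller to log so developers still see what would be blocked.
        if (_environment.IsProduction())
            throw new InvalidOperationException(
                "Insecure OpenIddict server options: " + string.Join("; ", findings));
    }

    // Pure function over the options instance so it can be unit-tested without a host.
    public static IReadOnlyList<string> Audit(OpenIddictServerOptions options)
    {
        var findings = new List<string>();

        if (options.EnableDegradedMode)
            findings.Add("EnableDegradedMode disables every check backed by the core managers");
        if (options.DisableTokenStorage)
            findings.Add("DisableTokenStorage prevents revoking issued tokens and codes");
        if (options.DisableAuthorizationStorage)
            findings.Add("DisableAuthorizationStorage prevents revoking ad-hoc authorizations");
        if (options.DisableRollingRefreshTokens)
            findings.Add("DisableRollingRefreshTokens lets a redeemed refresh token be replayed");
        if (options.DisableAccessTokenEncryption)
            findings.Add("DisableAccessTokenEncryption: only appropriate for third-party resource servers");
        if (options.DisableScopeValidation)
            findings.Add("DisableScopeValidation accepts unregistered scopes");

        if (options.IgnoreEndpointPermissions)     findings.Add("IgnoreEndpointPermissions is set");
        if (options.IgnoreGrantTypePermissions)    findings.Add("IgnoreGrantTypePermissions is set");
        if (options.IgnoreResponseTypePermissions) findings.Add("IgnoreResponseTypePermissions is set");
        if (options.IgnoreScopePermissions)        findings.Add("IgnoreScopePermissions is set");

        // Null lifetimes mean "never expires" for the corresponding artifact.
        if (options.AccessTokenLifetime is null)       findings.Add("AccessTokenLifetime is null");
        if (options.AuthorizationCodeLifetime is null) findings.Add("AuthorizationCodeLifetime is null");
        if (options.RefreshTokenLifetime is null)      findings.Add("RefreshTokenLifetime is null");
        if (options.IdentityTokenLifetime is null)     findings.Add("IdentityTokenLifetime is null");

        // Opinionated: require PKCE for every code-flow client (hypothetical policy, not an
        // OpenIddict default).
        if (!options.RequireProofKeyForCodeExchange)
            findings.Add("RequireProofKeyForCodeExchange is false");

        // Issuer, when set, must be absolute with no query string or fragment.
        if (options.Issuer is { } issuer &&
            (!issuer.IsAbsoluteUri || issuer.Query.Length > 0 || issuer.Fragment.Length > 0))
            findings.Add("Issuer must be an absolute URI without query or fragment");

        return findings;
    }
}

// Registration, after services.AddOpenIddict().AddServer(...):
//
// services.AddSingleton<IPostConfigureOptions<OpenIddictServerOptions>, OpenIddictServerOptionsGuard>();
```

Because IPostConfigureOptions implementations run in registration order, registering the guard last means it sees the options exactly as the token handlers will. Keep Audit free of host dependencies so a unit test can construct an OpenIddictServerOptions instance, flip one flag, and assert on the returned list.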
IntrospectionEndpointUris
Gets the absolute and relative URIs associated with the introspection endpoint.
Declaration
public List<Uri> IntrospectionEndpointUris { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<Uri> |
Issuer
Gets or sets the optional base address used to uniquely identify the authorization server. The URI must be absolute and may contain a path, but no query string or fragment part.
Declaration
public Uri? Issuer { get; set; }
Property Value
Type | Description |
---|---|
System.Uri |
JsonWebTokenHandler
Gets or sets the JWT handler used to protect and unprotect tokens.
Declaration
public JsonWebTokenHandler JsonWebTokenHandler { get; set; }
Property Value
Type | Description |
---|---|
JsonWebTokenHandler |
LogoutEndpointUris
Gets the absolute and relative URIs associated with the logout endpoint.
Declaration
public List<Uri> LogoutEndpointUris { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<Uri> |
RefreshTokenLifetime
Gets or sets the period of time refresh tokens remain valid after being issued. The default value is 14 days. The client application is expected to start a whole new authentication flow after the refresh token has expired.
While not recommended, this property can be set to null to issue refresh tokens that never expire.
Declaration
public TimeSpan? RefreshTokenLifetime { get; set; }
Property Value
Type | Description |
---|---|
System.Nullable<System.TimeSpan> |
RefreshTokenReuseLeeway
Gets or sets the period of time rolling refresh tokens marked as redeemed can still be used to make concurrent refresh token requests. The default value is 30 seconds.
Declaration
public TimeSpan? RefreshTokenReuseLeeway { get; set; }
Property Value
Type | Description |
---|---|
System.Nullable<System.TimeSpan> |
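The refresh-token properties on this page (DisableRollingRefreshTokens, DisableSlidingRefreshTokenExpiration, RefreshTokenLifetime, RefreshTokenReuseLeeway) only make sense as one policy, together with AccessTokenLifetime and the storage flags that make revocation possible. The following is an added example, not OpenIddict's own code, expressing such a policy directly against OpenIddictServerOptions. It assumes the options are reached through the server builder's Configure(Action<OpenIddictServerOptions>) callback, as shown in the trailing comment; the chosen durations and the one-minute leeway ceiling in IsCoherent are the author's example values.

```csharp
using System;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Server;

// Added example (not part of OpenIddict): a refresh-token rotation policy with short-lived
// access tokens, fixed (non-sliding) refresh token expiry and a small reuse leeway.
public static class RefreshTokenPolicy
{
    // Example values; defined once so the relationship between them is explicit.
    public static readonly TimeSpan AccessTokenLifetime  = TimeSpan.FromMinutes(15);
    public static readonly TimeSpan RefreshTokenLifetime = TimeSpan.FromDays(7);
    public static readonly TimeSpan ReuseLeeway          = TimeSpan.FromSeconds(15);

    public static void Apply(OpenIddictServerOptions options)
    {
        // A short access token lifetime bounds how long a leaked bearer token stays usable.
        options.AccessTokenLifetime = AccessTokenLifetime;

        // Rolling tokens (the default): each token request redeems the presented refresh
        // token and returns a new one. Setting this to true would let a stolen refresh
        // token be replayed until it expires.
        options.DisableRollingRefreshTokens = false;

        // Fixed expiration: once RefreshTokenLifetime has elapsed the user must complete a
        // new authorization flow, no matter how often the client refreshed in between.
        options.DisableSlidingRefreshTokenExpiration = true;
        options.RefreshTokenLifetime = RefreshTokenLifetime;

        // Near-simultaneous refreshes from the same client (several tabs, a retry after a
        // timeout) may present the same just-redeemed token; the leeway lets those succeed
        // without turning redeemed tokens into long-lived reusable ones.
        options.RefreshTokenReuseLeeway = ReuseLeeway;

        // Keep token and authorization entries so a refresh token and its ad-hoc
        // authorization can be revoked when compromise is suspected (both default to false).
        options.DisableTokenStorage = false;
        options.DisableAuthorizationStorage = false;
    }

    // Checks the policy is internally consistent; usable from a unit test without a host.
    public static bool IsCoherent(OpenIddictServerOptions options)
    {
        if (options.AccessTokenLifetime is null || options.RefreshTokenLifetime is null)
            return false; // never-expiring tokens defeat rotation

        if (options.AccessTokenLifetime >= options.RefreshTokenLifetime)
            return false; // an access token must not outlive the refresh token that renews it

        if (options.RefreshTokenReuseLeeway is { } leeway && leeway > TimeSpan.FromMinutes(1))
            return false; // example ceiling: a long leeway reintroduces replay of redeemed tokens

        return !options.DisableRollingRefreshTokens;
    }
}

// Registration (Program.cs / Startup.ConfigureServices):
//
// services.AddOpenIddict()
//     .AddServer(builder => builder.Configure(RefreshTokenPolicy.Apply));
```

The leeway is the one knob here that trades security for robustness: it exists only so that a client racing itself does not lose its session, so keep it in the seconds range and treat a value approaching the access token lifetime as a misconfiguration.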
RequireProofKeyForCodeExchange
Gets or sets a boolean indicating whether PKCE must be used by client applications when requesting an authorization code (e.g. when using the code or hybrid flows). If this property is set to true, authorization requests that lack the code_challenge parameter will be automatically rejected by OpenIddict.
Declaration
public bool RequireProofKeyForCodeExchange { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
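RequireProofKeyForCodeExchange and CodeChallengeMethods together decide whether a code_challenge must be present and which derivation the server will accept when the matching code_verifier arrives at the token endpoint. The following added example shows that derivation and check, written from RFC 7636 rather than taken from OpenIddict's handlers, so a practitioner can see exactly what the S256 method commits to. The Pkce class and its method names are the author's; the enabledMethods parameter stands in for the CodeChallengeMethods set.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (not OpenIddict code): PKCE verifier/challenge generation and the
// server-side check, following RFC 7636.
public static class Pkce
{
    public const string S256  = "S256";
    public const string Plain = "plain";

    // RFC 7636 §4.1: code_verifier is 43..128 characters of [A-Za-z0-9-._~].
    // 32 random bytes base64url-encode to exactly 43 characters.
    public static string CreateVerifier()
        => Base64UrlEncode(RandomNumberGenerator.GetBytes(32));

    // RFC 7636 §4.2: for S256, code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    public static string CreateChallenge(string verifier, string method = S256) => method switch
    {
        S256  => Base64UrlEncode(SHA256.HashData(Encoding.ASCII.GetBytes(verifier))),
        Plain => verifier,
        _     => throw new NotSupportedException($"Unknown code_challenge_method '{method}'."),
    };

    // Server side (RFC 7636 §4.6): re-derive the challenge from the presented verifier and
    // compare it with the one stored alongside the authorization code. A method the server
    // never enabled is rejected even when the arithmetic would match, which is what
    // CodeChallengeMethods enforces.
    public static bool Verify(string? verifier, string storedChallenge, string storedMethod,
                              ISet<string> enabledMethods)
    {
        if (verifier is null || verifier.Length < 43 || verifier.Length > 128)
            return false;
        if (!enabledMethods.Contains(storedMethod))
            return false;

        var expected = Encoding.ASCII.GetBytes(CreateChallenge(verifier, storedMethod));
        var actual   = Encoding.ASCII.GetBytes(storedChallenge);

        // Constant-time comparison so the check does not leak how many leading bytes matched.
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    private static string Base64UrlEncode(byte[] data)
        => Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}

// Usage sketch, mirroring the default CodeChallengeMethods set (S256 only):
//
// var enabled   = new HashSet<string> { Pkce.S256 };
// var verifier  = Pkce.CreateVerifier();            // kept by the client
// var challenge = Pkce.CreateChallenge(verifier);   // sent with the authorization request
// bool ok  = Pkce.Verify(verifier, challenge, Pkce.S256,  enabled); // true
// bool bad = Pkce.Verify(verifier, challenge, Pkce.Plain, enabled); // false: plain not enabled
```

The second call in the usage sketch is the case the default CodeChallengeMethods set exists for: a client that downgrades to the plain method is refused outright, so an attacker who captures the authorization request cannot simply replay the challenge as a verifier.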
ResponseModes
Gets the OAuth 2.0/OpenID Connect response modes enabled for this application.
Declaration
public HashSet<string> ResponseModes { get; }
Property Value
Type | Description |
---|---|
HashSet<System.String> |
ResponseTypes
Gets the OAuth 2.0/OpenID Connect response types enabled for this application.
Declaration
public HashSet<string> ResponseTypes { get; }
Property Value
Type | Description |
---|---|
HashSet<System.String> |
RevocationEndpointUris
Gets the absolute and relative URIs associated with the revocation endpoint.
Declaration
public List<Uri> RevocationEndpointUris { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<Uri> |
Scopes
Gets the OAuth 2.0/OpenID Connect scopes enabled for this application.
Declaration
public HashSet<string> Scopes { get; }
Property Value
Type | Description |
---|---|
HashSet<System.String> |
SigningCredentials
Gets the list of signing credentials used by the OpenIddict server services. Multiple credentials can be added to support key rollover, but if X.509 keys are used, at least one of them must have a valid creation/expiration date. Note: the signing credentials are not used to protect/unprotect tokens issued by ASP.NET Core Data Protection, which uses its own key ring, configured separately.
Declaration
public List<SigningCredentials> SigningCredentials { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<SigningCredentials> |
Remarks
Note: OpenIddict automatically sorts the credentials based on the following algorithm:
- Symmetric keys are always preferred when they can be used for the operation (e.g. token signing).
- X.509 keys are always preferred to non-X.509 asymmetric keys.
- X.509 keys with the furthest expiration date are preferred.
- X.509 keys whose backing certificate is not yet valid are never preferred.
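The sorting rules listed in the Remarks for EncryptionCredentials and SigningCredentials are what make key rollover work: the successor certificate can be added alongside the current one ahead of the cut-over, and the server picks the one that expires furthest in the future. The following added example, which is not OpenIddict's own code, adds a current and a next certificate to both credential lists and re-states the documented preference order as a function so the key that will be selected can be checked before deployment. The self-signed certificates are generated inline purely for the example (a real deployment loads them from a store or key vault); OrderByPreference is the author's reading of the four rules above, not OpenIddict's internal implementation.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;
using OpenIddict.Server;

// Added example (not OpenIddict code): X.509 key rollover and the documented key ordering.
public static class KeyRollover
{
    // Creates a self-signed RSA certificate valid for the given window (example only).
    // The RSA instance is deliberately not disposed here: the returned certificate is the
    // owner of the key material for the lifetime of the example.
    public static X509Certificate2 CreateCertificate(string subject, DateTimeOffset notBefore, DateTimeOffset notAfter)
    {
        var rsa = RSA.Create(2048);
        var request = new CertificateRequest($"CN={subject}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return request.CreateSelfSigned(notBefore, notAfter);
    }

    // Registers both certificates. OpenIddict prefers the X.509 key with the furthest
    // expiration, so the successor takes over automatically while the outgoing key stays
    // available to validate tokens it already signed or encrypted.
    public static void Apply(OpenIddictServerOptions options, X509Certificate2 current, X509Certificate2 next)
    {
        options.SigningCredentials.Add(
            new SigningCredentials(new X509SecurityKey(current), SecurityAlgorithms.RsaSha256));
        options.SigningCredentials.Add(
            new SigningCredentials(new X509SecurityKey(next), SecurityAlgorithms.RsaSha256));

        options.EncryptionCredentials.Add(new EncryptingCredentials(
            new X509SecurityKey(current), SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes256CbcHmacSha512));
        options.EncryptionCredentials.Add(new EncryptingCredentials(
            new X509SecurityKey(next), SecurityAlgorithms.RsaOAEP, SecurityAlgorithms.Aes256CbcHmacSha512));
    }

    // Author's restatement of the documented order:
    //  1. symmetric keys first;
    //  2. X.509 keys whose certificate is not yet valid are never preferred (sorted last);
    //  3. X.509 keys before other asymmetric keys;
    //  4. among X.509 keys, the furthest expiration wins.
    public static IEnumerable<SecurityKey> OrderByPreference(IEnumerable<SecurityKey> keys, DateTime now)
        => keys
            .OrderByDescending(key => key is SymmetricSecurityKey)
            .ThenBy(key => key is X509SecurityKey pending && pending.Certificate.NotBefore > now)
            .ThenByDescending(key => key is X509SecurityKey)
            .ThenByDescending(key => key is X509SecurityKey x509 ? x509.Certificate.NotAfter : DateTime.MinValue);
}

// Usage sketch:
//
// var now     = DateTime.UtcNow;
// var current = KeyRollover.CreateCertificate("idp-current", now.AddDays(-300), now.AddDays(65));
// var next    = KeyRollover.CreateCertificate("idp-next",    now.AddDays(-1),   now.AddDays(364));
// var options = new OpenIddictServerOptions();
// KeyRollover.Apply(options, current, next);
// var preferred = KeyRollover.OrderByPreference(options.SigningCredentials.Select(c => c.Key), now).First();
// // preferred is next's key: it is already valid and expires furthest in the future.
```

Two practical consequences follow from the ordering. First, a successor certificate whose NotBefore lies in the future is safe to ship early, because it is never preferred until it becomes valid. Second, because the server keeps using the outgoing key until the successor overtakes it, remove the old certificate only after every token it signed or encrypted has expired, otherwise resource servers holding those tokens lose the key they need to validate them.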
TokenEndpointUris
Gets the absolute and relative URIs associated with the token endpoint.
Declaration
public List<Uri> TokenEndpointUris { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<Uri> |
TokenValidationParameters
Gets the token validation parameters used by the OpenIddict server services.
Declaration
public TokenValidationParameters TokenValidationParameters { get; }
Property Value
Type | Description |
---|---|
TokenValidationParameters |
UserCodeLifetime
Gets or sets the period of time user codes remain valid after being issued. The default value is 10 minutes. The client application is expected to start a whole new authentication flow after the user code has expired.
While not recommended, this property can be set to null to issue codes that never expire.
Note: the same value should be chosen for both DeviceCodeLifetime and this property.
Declaration
public TimeSpan? UserCodeLifetime { get; set; }
Property Value
Type | Description |
---|---|
System.Nullable<System.TimeSpan> |
UseReferenceAccessTokens
Gets or sets a boolean indicating whether reference access tokens should be used. When set to true, the token payload is stored in the database and a cryptographically secure random identifier is returned to the client application. Enabling this option is useful when storing a very large number of claims in the tokens, but it is RECOMMENDED to enable column encryption in the database or use the ASP.NET Core Data Protection integration, which provides additional protection against token leakage.
Declaration
public bool UseReferenceAccessTokens { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
UseReferenceRefreshTokens
Gets or sets a boolean indicating whether reference refresh tokens should be used. When set to true, the token payload is stored in the database and a cryptographically secure random identifier is returned to the client application. Enabling this option is useful when storing a very large number of claims in the tokens, but it is RECOMMENDED to enable column encryption in the database or use the ASP.NET Core Data Protection integration, which provides additional protection against token leakage.
Declaration
public bool UseReferenceRefreshTokens { get; set; }
Property Value
Type | Description |
---|---|
System.Boolean |
UserinfoEndpointUris
Gets the absolute and relative URIs associated with the userinfo endpoint.
Declaration
public List<Uri> UserinfoEndpointUris { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<Uri> |
VerificationEndpointUris
Gets the absolute and relative URIs associated with the verification endpoint.
Declaration
public List<Uri> VerificationEndpointUris { get; }
Property Value
Type | Description |
---|---|
System.Collections.Generic.List<Uri> |