Share via


OpenIdConnectOptions Class

Definition

Configuration options for OpenIdConnectHandler

public ref class OpenIdConnectOptions : Microsoft::AspNetCore::Authentication::RemoteAuthenticationOptions
public class OpenIdConnectOptions : Microsoft.AspNetCore.Authentication.RemoteAuthenticationOptions
type OpenIdConnectOptions = class
    inherit RemoteAuthenticationOptions
Public Class OpenIdConnectOptions
Inherits RemoteAuthenticationOptions
Inheritance

Constructors

OpenIdConnectOptions()

Initializes a new OpenIdConnectOptions

Properties

AccessDeniedPath

Gets or sets the optional path the user agent is redirected to if the user doesn't approve the authorization demand requested by the remote server. This property is not set by default. In this case, an exception is thrown if an access_denied response is returned by the remote authorization server.

(Inherited from RemoteAuthenticationOptions)
AdditionalAuthorizationParameters

Gets the additional parameters that will be included in the authorization request.

AuthenticationMethod

Gets or sets the method used to redirect the user agent to the identity provider.

Authority

Gets or sets the Authority to use when making OpenIdConnect calls.

AutomaticRefreshInterval

Gets or sets how often an automatic metadata refresh should occur.

Backchannel

Used to communicate with the remote identity provider.

(Inherited from RemoteAuthenticationOptions)
BackchannelHttpHandler

The HttpMessageHandler used to communicate with remote identity provider. This cannot be set at the same time as BackchannelCertificateValidator unless the value can be downcast to a WebRequestHandler.

(Inherited from RemoteAuthenticationOptions)
BackchannelTimeout

Gets or sets timeout value in milliseconds for back channel communications with the remote identity provider.

(Inherited from RemoteAuthenticationOptions)
CallbackPath

The request path within the application's base path where the user-agent will be returned. The middleware will process this request when it arrives.

(Inherited from RemoteAuthenticationOptions)
ClaimActions

A collection of claim actions used to select values from the json user data and create Claims.

ClaimsIssuer

Gets or sets the issuer that should be used for any claims that are created

(Inherited from AuthenticationSchemeOptions)
ClientId

Gets or sets the 'client_id'.

ClientSecret

Gets or sets the 'client_secret'.

Configuration

Configuration provided directly by the developer. If provided, then MetadataAddress and the Backchannel properties will not be used. This information should not be updated during request processing.

ConfigurationManager

Responsible for retrieving, caching, and refreshing the configuration from metadata. If not provided, then one will be created using the MetadataAddress and Backchannel properties.

CorrelationCookie

Determines the settings used to create the correlation cookie before the cookie gets added to the response.

(Inherited from RemoteAuthenticationOptions)
DataProtectionProvider

Gets or sets the type used to secure data.

(Inherited from RemoteAuthenticationOptions)
DisableTelemetry

Indicates whether telemetry should be disabled. When this feature is enabled, the assembly version of the Microsoft IdentityModel packages is sent to the remote OpenID Connect provider as an authorization/logout request parameter.

Events

Gets or sets the OpenIdConnectEvents to notify when processing OpenIdConnect messages.

EventsType

If set, will be used as the service type to get the Events instance instead of the property.

(Inherited from AuthenticationSchemeOptions)
ForwardAuthenticate

If set, this specifies the target scheme that this scheme should forward AuthenticateAsync calls to. For example Context.AuthenticateAsync("ThisScheme") => Context.AuthenticateAsync("ForwardAuthenticateValue"); Set the target to the current scheme to disable forwarding and allow normal processing.

(Inherited from AuthenticationSchemeOptions)
ForwardChallenge

If set, this specifies the target scheme that this scheme should forward ChallengeAsync calls to. For example Context.ChallengeAsync("ThisScheme") => Context.ChallengeAsync("ForwardChallengeValue"); Set the target to the current scheme to disable forwarding and allow normal processing.

(Inherited from AuthenticationSchemeOptions)
ForwardDefault

If set, this specifies a default scheme that authentication handlers should forward all authentication operations to by default. The default forwarding logic will check the most specific ForwardAuthenticate/Challenge/Forbid/SignIn/SignOut setting first, followed by checking the ForwardDefaultSelector, followed by ForwardDefault. The first non null result will be used as the target scheme to forward to.

(Inherited from AuthenticationSchemeOptions)
ForwardDefaultSelector

Used to select a default scheme for the current request that authentication handlers should forward all authentication operations to by default. The default forwarding logic will check the most specific ForwardAuthenticate/Challenge/Forbid/SignIn/SignOut setting first, followed by checking the ForwardDefaultSelector, followed by ForwardDefault. The first non null result will be used as the target scheme to forward to.

(Inherited from AuthenticationSchemeOptions)
ForwardForbid

If set, this specifies the target scheme that this scheme should forward ForbidAsync calls to. For example Context.ForbidAsync("ThisScheme") => Context.ForbidAsync("ForwardForbidValue"); Set the target to the current scheme to disable forwarding and allow normal processing.

(Inherited from AuthenticationSchemeOptions)
ForwardSignIn

If set, this specifies the target scheme that this scheme should forward SignInAsync calls to. For example Context.SignInAsync("ThisScheme") => Context.SignInAsync("ForwardSignInValue"); Set the target to the current scheme to disable forwarding and allow normal processing.

(Inherited from AuthenticationSchemeOptions)
ForwardSignOut

If set, this specifies the target scheme that this scheme should forward SignOutAsync calls to. For example Context.SignOutAsync("ThisScheme") => Context.SignOutAsync("ForwardSignOutValue"); Set the target to the current scheme to disable forwarding and allow normal processing.

(Inherited from AuthenticationSchemeOptions)
GetClaimsFromUserInfoEndpoint

Boolean to set whether the handler should go to user info endpoint to retrieve additional claims or not after creating an identity from id_token received from token endpoint. The default is 'false'.

MapInboundClaims

Gets or sets the MapInboundClaims property on the default instance of JwtSecurityTokenHandler in SecurityTokenValidator and default instance of JsonWebTokenHandler in TokenHandler, which is used when determining whether or not to map claim types that are extracted when validating a JwtSecurityToken.

If this is set to true, the Claim Type is set to the JSON claim 'name' after translating using this mapping. Otherwise, no mapping occurs.

The default value is true.

MaxAge

Gets or sets the 'max_age'. If set the 'max_age' parameter will be sent with the authentication request. If the identity provider has not actively authenticated the user within the length of time specified, the user will be prompted to re-authenticate. By default no max_age is specified.

MetadataAddress

Gets or sets the discovery endpoint for obtaining metadata

NonceCookie

Determines the settings used to create the nonce cookie before the cookie gets added to the response.

Prompt

Gets or sets the 'prompt'.

ProtocolValidator

Gets or sets the OpenIdConnectProtocolValidator that is used to ensure that the 'id_token' received is valid per: http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

PushedAuthorizationBehavior

Controls wether the handler should push authorization parameters on the backchannel before redirecting to the identity provider. See https://tools.ietf.org/html/9126.

RefreshInterval

Gets or sets the minimum time between retrievals, in the event that a retrieval failed, or that a refresh was explicitly requested.

RefreshOnIssuerKeyNotFound

Gets or sets if a metadata refresh should be attempted after a SecurityTokenSignatureKeyNotFoundException. This allows for automatic recovery in the event of a signature key rollover. This is enabled by default.

RemoteAuthenticationTimeout

Gets or sets the time limit for completing the authentication flow (15 minutes by default).

(Inherited from RemoteAuthenticationOptions)
RemoteSignOutPath

Requests received on this path will cause the handler to invoke SignOut using the SignOutScheme.

RequireHttpsMetadata

Gets or sets if HTTPS is required for the metadata address or authority. The default is true. This should be disabled only in development environments.

Resource

Gets or sets the 'resource'.

ResponseMode

Gets or sets the 'response_mode'.

ResponseType

Gets or sets the 'response_type'.

ReturnUrlParameter

Gets or sets the name of the parameter used to convey the original location of the user before the remote challenge was triggered up to the access denied page. This property is only used when the AccessDeniedPath is explicitly specified.

(Inherited from RemoteAuthenticationOptions)
SaveTokens

Defines whether access and refresh tokens should be stored in the AuthenticationProperties after a successful authorization. This property is set to false by default to reduce the size of the final authentication cookie.

(Inherited from RemoteAuthenticationOptions)
Scope

Gets the list of permissions to request.

SecurityTokenValidator
Obsolete.

Gets or sets the ISecurityTokenValidator used to validate identity tokens.

SignedOutCallbackPath

The request path within the application's base path where the user agent will be returned after sign out from the identity provider. See post_logout_redirect_uri from http://openid.net/specs/openid-connect-session-1_0.html#RedirectionAfterLogout.

SignedOutRedirectUri

The uri where the user agent will be redirected to after application is signed out from the identity provider. The redirect will happen after the SignedOutCallbackPath is invoked.

SignInScheme

Gets or sets the authentication scheme corresponding to the middleware responsible for persisting user's identity after a successful authentication. This value typically corresponds to a cookie middleware registered in the Startup class. When omitted, DefaultSignInScheme is used as a fallback value.

(Inherited from RemoteAuthenticationOptions)
SignOutScheme

The Authentication Scheme to use with SignOut on the SignOutPath. SignInScheme will be used if this is not set.

SkipUnrecognizedRequests

Indicates if requests to the CallbackPath may also be for other components. If enabled the handler will pass requests through that do not contain OpenIdConnect authentication responses. Disabling this and setting the CallbackPath to a dedicated endpoint may provide better error handling. This is disabled by default.

StateDataFormat

Gets or sets the type used to secure data handled by the handler.

StringDataFormat

Gets or sets the type used to secure strings used by the handler.

TimeProvider

Used for testing.

(Inherited from AuthenticationSchemeOptions)
TokenHandler

Gets or sets the TokenHandler used to validate identity tokens.

This will be used instead of SecurityTokenValidator if UseSecurityTokenValidator is false.

TokenValidationParameters

Gets or sets the parameters used to validate identity tokens.

UsePkce

Enables or disables the use of the Proof Key for Code Exchange (PKCE) standard. This only applies when the ResponseType is set to Code. See https://tools.ietf.org/html/rfc7636. The default value is true.

UseSecurityTokenValidator

Gets or sets whether to use the TokenHandler or the SecurityTokenValidator for validating identity tokens.

UseTokenLifetime

Indicates that the authentication session lifetime (e.g. cookies) should match that of the authentication token. If the token does not provide lifetime information then normal session lifetimes will be used. This is disabled by default.

Methods

Validate()

Check that the options are valid. Should throw an exception if things are not ok.

Validate(String)

Checks that the options are valid for a specific scheme

(Inherited from RemoteAuthenticationOptions)

Applies to