OAuthAuthorizationServerOptions Properties
The OAuthAuthorizationServerOptions type exposes the following members.
Properties
| Name | Description | |
|---|---|---|
.gif "Public property") |
AccessTokenExpireTimeSpan | The period of time the access token remains valid after being issued. The default is twenty minutes. The client application is expected to refresh or acquire a new access token after the token has expired. |
|
AccessTokenFormat | The data format used to protect the information contained in the access token. If not provided by the application the default data protection provider depends on the host server. The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server. |
|
AccessTokenProvider | Produces a bearer token the client application will typically be providing to resource server as the authorization bearer http request header. If not provided the token produced on the server's default data protection. If a different access token provider or format is assigned, a compatible instance must be assigned to the OAuthBearerAuthenticationOptions.AccessTokenProvider or OAuthBearerAuthenticationOptions.AccessTokenFormat property of the resource server. |
|
AllowInsecureHttp | True to allow authorize and token requests to arrive on http URI addresses, and to allow incoming redirect_uri authorize request parameter to have http URI addresses. |
|
ApplicationCanDisplayErrors | Set to true if the web application is able to render error messages on the /Authorize endpoint. This is only needed for cases where the browser is not redirected back to the client application, for example, when the client_id or redirect_uri are incorrect. The /Authorize endpoint should expect to see "oauth.Error", "oauth.ErrorDescription", "oauth.ErrorUri" properties added to the owin environment. |
|
AuthenticationMode | If Active the authentication middleware alter the request user coming in and alter 401 Unauthorized responses going out. If Passive the authentication middleware will only provide identity and alter responses when explicitly indicated by the AuthenticationType. (Inherited from AuthenticationOptions.) |
|
AuthenticationType | The AuthenticationType in the options corresponds to the IIdentity AuthenticationType property. A different value may be assigned in order to use the same authentication middleware type more than once in a pipeline. (Inherited from AuthenticationOptions.) |
|
AuthorizationCodeExpireTimeSpan | The period of time the authorization code remains valid after being issued. The default is five minutes. This time span must also take into account clock synchronization between servers in a web farm, so a very brief value could result in unexpectedly expired tokens. |
|
AuthorizationCodeFormat | The data format used to protect and unprotect the information contained in the authorization code. If not provided by the application the default data protection provider depends on the host server. The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. |
|
AuthorizationCodeProvider | Produces a single-use authorization code to return to the client application. For the OAuth server to be secure the application MUST provide an instance for AuthorizationCodeProvider where the token produced by the OnCreate or OnCreateAsync event is considered valid for only one call to OnReceive or OnReceiveAsync. |
|
AuthorizeEndpointPath | The request path where client applications will redirect the user-agent in order to obtain user consent to issue a token. Must begin with a leading slash, like "/Authorize". |
|
Description | Additional information about the authentication type which is made available to the application. (Inherited from AuthenticationOptions.) |
|
Provider | The object provided by the application to process events raised by the Authorization Server middleware. The application may implement the interface fully, or it may create an instance of OAuthAuthorizationServerProvider and assign delegates only to the events it wants to process. |
|
RefreshTokenFormat | The data format used to protect and unprotect the information contained in the refresh token. If not provided by the application the default data protection provider depends on the host server. The SystemWeb host on IIS will use ASP.NET machine key data protection, and HttpListener and other self-hosted servers will use DPAPI data protection. |
|
RefreshTokenProvider | Produces a refresh token which may be used to produce a new access token when needed. If not provided the authorization server will not return refresh tokens from the /Token endpoint. |
|
SystemClock | Used to know what the current clock time is when calculating or validaing token expiration. When not assigned default is based on DateTimeOffset.UtcNow. This is typically needed only for unit testing. |
|
TokenEndpointPath | The request path client applications communicate with directly as part of the OAuth protocol. Must begin with a leading slash, like "/Token". If the client is issued a client_secret, it must be provided to this endpoint. |
Top