Added in Unreleased.
AuthorizationServerOptions is the central configuration type for ZeeKayDa.Auth. It controls the issuer identity, published endpoint URLs, and the capability sets advertised in the OpenID Connect discovery document.
Pass an Action<AuthorizationServerOptions> delegate to AddZeeKayDaAuth(...) at service registration time. For step-by-step setup instructions, see Configure ZeeKayDa.Auth. For the discovery document that these options feed, see Discovery endpoint.
## Registration

```csharp
using ZeeKayDa.Auth;
using ZeeKayDa.Auth.AspNetCore.Extensions;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddZeeKayDaAuth(options =>
{
    options.Issuer = "https://id.example.com";
});
```
AddZeeKayDaAuth registers all ZeeKayDa.Auth services and wires ValidateOnStart() so that misconfigured options cause the host to fail fast on startup rather than at request time. It returns a ZeeKayDaAuthBuilder for registering optional features.
## Properties

### Issuer
| Attribute | Value |
|---|---|
| Type | string? |
| Default | null |
| Required | Yes |
The issuer identifier for this authorization server. Published verbatim as the `issuer` field in the OpenID Connect discovery document.
The value must be an absolute HTTPS URI with no query string, fragment, or user information. The `/.well-known/openid-configuration` discovery endpoint is derived from this value.

```csharp
options.Issuer = "https://id.example.com";
// or, for a path-bearing issuer:
options.Issuer = "https://id.example.com/tenant-a";
```
Issuer syntax requirements are defined by RFC 8414 §2 and OpenID Connect Discovery 1.0 §1.2.
### AllowInsecureIssuer
| Attribute | Value |
|---|---|
| Type | bool |
| Default | false |
| Required | No |
When `true`, relaxes the HTTPS requirement on `Issuer` so that HTTP loopback issuers are accepted; HTTP issuers on non-loopback hosts are still rejected. Intended for local development and automated testing only.
Warning: Never set `AllowInsecureIssuer = true` in production. An HTTP issuer allows token responses to be intercepted and identity documents to be forged. When this flag is enabled, `InsecureIssuerWarningService` emits a warning via `ILogger` at every startup.

```csharp
// Local development only
options.Issuer = "http://localhost:5000";
options.AllowInsecureIssuer = true;
```
### AuthorizationEndpoint
| Attribute | Value |
|---|---|
| Type | string? |
| Default | null (derived from Issuer) |
| Required | No |
Override for the `authorization_endpoint` value published in the discovery document. When `null`, ZeeKayDa.Auth derives the URL from `Issuer` as `{issuer}/connect/authorize`.
Set this when the URL your clients should use differs from the issuer-derived default, for example when a reverse proxy rewrites paths. The value must be an absolute HTTPS URI without user information or fragment. Query strings are permitted by RFC 6749 §3.1.

```csharp
options.AuthorizationEndpoint = "https://login.example.com/tenant-a/connect/authorize";
```
### TokenEndpoint
| Attribute | Value |
|---|---|
| Type | string? |
| Default | null (derived from Issuer) |
| Required | No |
Override for the `token_endpoint` value published in the discovery document. When `null`, ZeeKayDa.Auth derives the URL from `Issuer` as `{issuer}/connect/token`.
The value must be an absolute HTTPS URI without user information or fragment.

```csharp
options.TokenEndpoint = "https://login.example.com/tenant-a/connect/token";
```
### JwksUri
| Attribute | Value |
|---|---|
| Type | string? |
| Default | null (derived from Issuer) |
| Required | No |
Override for the `jwks_uri` value published in the discovery document. When `null`, ZeeKayDa.Auth derives the URL from `Issuer` as `{issuer}/connect/jwks`.
The value must be an absolute HTTPS URI without user information, query, or fragment.

```csharp
options.JwksUri = "https://login.example.com/tenant-a/connect/jwks";
```
### ResponseTypesSupported
| Attribute | Value |
|---|---|
| Type | ICollection<ResponseType> |
| Default | [ResponseType.Code] |
| Required | Yes (must not be null or empty) |
The response types this server supports. Published as `response_types_supported` in the discovery document.
| Enum value | JSON serialization |
|---|---|
| ResponseType.Code | "code" |
`response_types_supported` is a required field in the discovery document per OpenID Connect Discovery 1.0 §3.
### ResponseModesSupported
| Attribute | Value |
|---|---|
| Type | ICollection<ResponseMode> |
| Default | [ResponseMode.Query] |
| Required | Yes (must not be null) |
The response modes this server supports. Published as `response_modes_supported` in the discovery document.
| Enum value | JSON serialization |
|---|---|
| ResponseMode.Query | "query" |
### GrantTypesSupported
| Attribute | Value |
|---|---|
| Type | ICollection<GrantType> |
| Default | [GrantType.AuthorizationCode] |
| Required | Yes (must not be null) |
The grant types this server supports. Published as `grant_types_supported` in the discovery document.
| Enum value | JSON serialization |
|---|---|
| GrantType.AuthorizationCode | "authorization_code" |
`grant_types_supported` is an authorization server metadata field defined by RFC 8414 §2.
### TokenEndpointAuthMethodsSupported
| Attribute | Value |
|---|---|
| Type | ICollection<TokenEndpointAuthMethod> |
| Default | [TokenEndpointAuthMethod.ClientSecretBasic] |
| Required | Yes (must not be null) |
The client authentication methods supported at the token endpoint. Published as `token_endpoint_auth_methods_supported` in the discovery document.
| Enum value | JSON serialization |
|---|---|
| TokenEndpointAuthMethod.ClientSecretBasic | "client_secret_basic" |
`token_endpoint_auth_methods_supported` is defined by RFC 8414 §2.
### IdTokenSigningAlgValuesSupported
| Attribute | Value |
|---|---|
| Type | ICollection<SigningAlgorithm> |
| Default | [SigningAlgorithm.RS256] |
| Required | Yes (must not be null or empty) |
The signing algorithms supported for ID tokens. Published as `id_token_signing_alg_values_supported` in the discovery document.
| Enum value | JSON serialization |
|---|---|
| SigningAlgorithm.RS256 | "RS256" |
| SigningAlgorithm.RS384 | "RS384" |
| SigningAlgorithm.RS512 | "RS512" |
| SigningAlgorithm.ES256 | "ES256" |
| SigningAlgorithm.ES384 | "ES384" |
| SigningAlgorithm.ES512 | "ES512" |
| SigningAlgorithm.PS256 | "PS256" |
| SigningAlgorithm.PS384 | "PS384" |
| SigningAlgorithm.PS512 | "PS512" |
`id_token_signing_alg_values_supported` is a required field in the discovery document per OpenID Connect Discovery 1.0 §3.
### DiscoveryDocumentCacheMaxAgeSeconds
| Attribute | Value |
|---|---|
| Type | int |
| Default | 3600 |
| Required | No |
The `max-age` value, in seconds, for the discovery endpoint's `Cache-Control` header. The default response header is:

```http
Cache-Control: public, max-age=3600, must-revalidate
```

Set the value to `0` to disable public caching:

```http
Cache-Control: no-store
```

Negative values fail startup validation.
## Startup validation
AuthorizationServerOptionsValidator validates AuthorizationServerOptions at host startup via ValidateOnStart(). The host will not start if any rule below is violated.
| Rule | Condition that causes failure |
|---|---|
| Issuer is required | Issuer is null, empty, or whitespace |
| Issuer must be absolute | Issuer is not an absolute URI |
| Issuer must not have a query string | Issuer contains a ? component |
| Issuer must not have a fragment | Issuer contains a # component |
| Issuer must use HTTPS | Issuer uses HTTP and AllowInsecureIssuer is false |
| HTTP issuer must be loopback | Issuer uses HTTP with a non-loopback host |
| Issuer must not have user information | Issuer contains user:password@host userinfo |
| Endpoint overrides must be absolute HTTPS URIs | an override is relative, uses an unsupported scheme, or uses HTTP without AllowInsecureIssuer |
| HTTP endpoint overrides must be loopback | an override uses HTTP with a non-loopback host |
| Endpoint overrides must not have user information | an override contains user:password@host userinfo |
| Endpoint fragments are rejected | AuthorizationEndpoint, TokenEndpoint, or JwksUri contains # |
| JwksUri must not have a query string | JwksUri contains ? |
| ResponseTypesSupported is required | ResponseTypesSupported is null or empty |
| ResponseModesSupported is required | ResponseModesSupported is null |
| GrantTypesSupported is required | GrantTypesSupported is null |
| TokenEndpointAuthMethodsSupported is required | TokenEndpointAuthMethodsSupported is null |
| IdTokenSigningAlgValuesSupported is required | IdTokenSigningAlgValuesSupported is null or empty |
| Cache max-age must not be negative | DiscoveryDocumentCacheMaxAgeSeconds is less than 0 |
Validation errors are reported as `OptionsValidationException` and prevent the host from starting. They are visible in the startup output and host logs.
Note: Startup validation only checks `AuthorizationServerOptions`. Other configuration objects (for example, scope registrations) have their own validation rules.
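The fail-fast behaviour above is worth pinning in CI so that a bad issuer never reaches a running host. The following xUnit tests are an added example, not part of ZeeKayDa.Auth; they assume xUnit, Microsoft.AspNetCore.TestHost and a reference to the ZeeKayDa.Auth.AspNetCore package, and register the library exactly as the registration snippet does.

```csharp
// Added example, not part of ZeeKayDa.Auth: xUnit tests that prove the validator
// fails the host fast. Assumes xUnit, Microsoft.AspNetCore.TestHost and a reference
// to ZeeKayDa.Auth.AspNetCore; UseTestServer() avoids binding a real port.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.Options;
using Xunit;
using ZeeKayDa.Auth;
using ZeeKayDa.Auth.AspNetCore.Extensions;

public class AuthorizationServerOptionsValidationTests
{
    // Registers ZeeKayDa.Auth exactly as in the registration snippet; nothing
    // is validated until StartAsync() runs ValidateOnStart().
    private static WebApplication BuildHost(Action<AuthorizationServerOptions> configure)
    {
        var builder = WebApplication.CreateBuilder();
        builder.WebHost.UseTestServer();
        builder.Services.AddZeeKayDaAuth(configure);
        return builder.Build();
    }

    [Theory]
    [InlineData("https://id.example.com?tenant=a")]  // query string
    [InlineData("https://id.example.com/#frag")]     // fragment
    [InlineData("https://user:pw@id.example.com")]   // userinfo
    [InlineData("http://id.example.com")]            // HTTP without AllowInsecureIssuer
    public async Task Invalid_issuer_prevents_host_start(string issuer)
    {
        await using var app = BuildHost(o => o.Issuer = issuer);
        // ValidateOnStart surfaces the validator's failures as OptionsValidationException.
        var ex = await Assert.ThrowsAsync<OptionsValidationException>(() => app.StartAsync());
        Assert.NotEmpty(ex.Failures);
    }

    [Fact]
    public async Task Http_loopback_issuer_starts_with_AllowInsecureIssuer()
    {
        await using var app = BuildHost(o =>
        {
            o.Issuer = "http://localhost:5000";   // loopback host
            o.AllowInsecureIssuer = true;         // development/testing only
        });
        await app.StartAsync();   // accepted: HTTP is allowed for loopback hosts only
        await app.StopAsync();
    }
}
```

Each `InlineData` row maps to one rule in the table above; add a row whenever a new validation rule is introduced so the table and the tests stay in step.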
## Related pages
- Configure ZeeKayDa.Auth — step-by-step setup guide
- Configure discovery — how to tune the discovery document
- Discovery endpoint — full contract for the discovery endpoint