Merge pull request #808 from DuendeSoftware/release/im-7.1

IdentityModel 7.1

Author: maartenba

src/content/docs/identitymodel/endpoints/discovery.md

@@ -4,21 +4,22 @@ description: Documentation for using the OpenID Connect discovery endpoint clien
 sidebar:
   order: 2
   label: Discovery
+  badge:
+    text: v7.1
+    variant: tip
 redirect_from:
   - /foss/identitymodel/endpoints/discovery/
 ---
 
 The client library for the [OpenID Connect discovery
 endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html) is
 provided as an extension method for `HttpClient`. The
-`GetDiscoveryDocumentAsync` method returns a `DiscoveryResponse` object
+`GetDiscoveryDocumentAsync` method returns a `DiscoveryDocumentResponse` object
 that has both strong and weak typed accessors for the various elements
 of the discovery document.
 
 You should always check the `IsError` and `Error` properties before
-accessing the contents of the document.
-
-Example:
+accessing the contents of the document:
 
 ```csharp
 var client = new HttpClient();
@@ -27,7 +28,7 @@ var disco = await client.GetDiscoveryDocumentAsync("https://demo.duendesoftware.
 if (disco.IsError) throw new Exception(disco.Error);
 ```
 
-Standard elements can be accessed by using properties:
+[Standard elements](#discoverydocumentresponse-properties-reference) can be accessed by using properties:
 
 ```csharp
 var tokenEndpoint = disco.TokenEndpoint;
@@ -61,7 +62,7 @@ By default, the discovery response is validated before it is returned to the cli
 -   enforce the existence of a keyset
 
 Policy violation errors will set the `ErrorType` property on the
-`DiscoveryResponse` to `PolicyViolation`.
+`DiscoveryDocumentResponse` to `PolicyViolation`.
 
 All the standard validation rules can be modified using the
 `DiscoveryPolicy` class, e.g. disabling the issuer name check:
@@ -148,3 +149,54 @@ services.AddSingleton<IDiscoveryCache>(r =>
     return new DiscoveryCache(Constants.Authority, () => factory.CreateClient());
 });
 ```
+
+### DiscoveryDocumentResponse Properties Reference
+
+The following table lists the standard properties on the `DiscoveryDocumentResponse` class:
+
+| Property                                              | Description                                                                                                                                     |
+|-------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------|
+| Policy                                                | Gets or sets the discovery policy used to configure how the discovery document is processed                                                     |
+| KeySet                                                | Gets or sets the JSON Web Key Set (JWKS) associated with the discovery document                                                                 |
+| MtlsEndpointAliases                                   | Gets the mutual TLS (mTLS) endpoint aliases                                                                                                     |
+| Issuer                                                | Gets the issuer identifier for the authorization server                                                                                         |
+| AuthorizeEndpoint                                     | Gets the authorization endpoint URL                                                                                                             |
+| TokenEndpoint                                         | Gets token endpoint URL                                                                                                                         |
+| UserInfoEndpoint                                      | Gets user info endpoint URL                                                                                                                     |
+| IntrospectionEndpoint                                 | Gets the introspection endpoint URL                                                                                                             |
+| RevocationEndpoint                                    | Gets the revocation endpoint URL                                                                                                                |
+| DeviceAuthorizationEndpoint                           | Gets the device authorization endpoint URL                                                                                                      |
+| BackchannelAuthenticationEndpoint                     | Gets the backchannel authentication endpoint URL                                                                                                |
+| JwksUri                                               | Gets the URI of the JSON Web Key Set (JWKS)                                                                                                     |
+| EndSessionEndpoint                                    | Gets the end session endpoint URL                                                                                                               |
+| CheckSessionIframe                                    | Gets the check session iframe URL                                                                                                               |
+| RegistrationEndpoint                                  | Gets the dynamic client registration (DCR) endpoint URL                                                                                         |
+| PushedAuthorizationRequestEndpoint                    | Gets the pushed authorization request (PAR) endpoint URL                                                                                        |
+| FrontChannelLogoutSupported                           | Gets a flag indicating whether front-channel logout is supported                                                                                |
+| FrontChannelLogoutSessionSupported                    | Gets a flag indicating whether a session ID (sid) parameter is supported at the front-channel logout endpoint                                   |
+| GrantTypesSupported                                   | Gets the supported grant types                                                                                                                  |
+| CodeChallengeMethodsSupported                         | Gets the supported code challenge methods                                                                                                       |
+| ScopesSupported                                       | Gets the supported scopes                                                                                                                       |
+| SubjectTypesSupported                                 | Gets the supported subject types                                                                                                                |
+| ResponseModesSupported                                | Gets the supported response modes                                                                                                               |
+| ResponseTypesSupported                                | Gets the supported response types                                                                                                               |
+| ClaimsSupported                                       | Gets the supported claims                                                                                                                       |
+| TokenEndpointAuthenticationMethodsSupported           | Gets the authentication methods supported by the token endpoint                                                                                 |
+| TokenEndpointAuthenticationSigningAlgorithmsSupported | Gets the signing algorithms supported by the token endpoint for client authentication                                                           |
+| BackchannelTokenDeliveryModesSupported                | Gets the supported backchannel token delivery modes                                                                                             |
+| BackchannelUserCodeParameterSupported                 | Gets a flag indicating whether the backchannel user code parameter is supported                                                                 |
+| RequirePushedAuthorizationRequests                    | Gets a flag indicating whether the use of pushed authorization requests (PAR) is required                                                       |
+| IntrospectionSigningAlgorithmsSupported               | Gets the signing algorithms supported for introspection responses                                                                               |
+| IntrospectionEncryptionAlgorithmsSupported            | Gets the encryption "alg" values supported for encrypted JWT introspection responses                                                            |
+| IntrospectionEncryptionEncValuesSupported             | Gets the encryption "enc" values supported for encrypted JWT introspection responses                                                            |
+| Scopes                                                | The list of scopes associated to the token or an empty array if no `scope` claim is present                                                     |
+| ClientId                                              | The client identifier for the OAuth 2.0 client that requested the token or `null` if the `client_id` claim is missing                           |
+| UserName                                              | The human-readable identifier for the resource owner who authorized the token or `null` if the `username` claim is missing                      |
+| TokenType                                             | The type of the token as defined in section 5.1 of OAuth 2.0 (RFC6749) or `null` if the `token_type` claim is missing                           |
+| Expiration                                            | The expiration time of the token or `null` if the `exp` claim is missing                                                                        |
+| IssuedAt                                              | The issuance time of the token or `null` if the `iat` claim is missing                                                                          |
+| NotBefore                                             | The validity start time of the token or `null` if the `nbf` claim is missing                                                                    |
+| Subject                                               | The subject of the token or `null` if the `sub` claim is missing                                                                                |
+| Audiences                                             | The service-specific list of string identifiers representing the intended audience for the token or an empty array if no `aud` claim is present |
+| Issuer                                                | The string representing the issuer of the token or `null` if the `iss` claim is missing                                                         |
+| JwtId                                                 | The string identifier for the token or `null` if the `jti` claim is missing                                                                     |

src/content/docs/identitymodel/endpoints/general-usage.md

@@ -17,11 +17,11 @@ the client for the token endpoint.
 ## Request and response objects
 
 
-All protocol request are modelled as request objects and have a common
-base class called *ProtocolRequest* which has properties to set the
+All protocol request are modeled as request objects and have a common
+base class called `ProtocolRequest` which has properties to set the
 endpoint address, client ID, client secret, client assertion, and the
 details of how client secrets are transmitted (e.g. authorization header
-vs POST body). *ProtocolRequest* derives from *HttpRequestMessage* and
+vs POST body). `ProtocolRequest` derives from `HttpRequestMessage` and
 thus also allows setting custom headers etc.
 
 The following code snippet creates a request for a client credentials
@@ -36,16 +36,16 @@ var request = new ClientCredentialsTokenRequest
 };
 ```
 
-While in theory you could now call *Prepare* (which internally sets the
+While in theory you could now call `Prepare` (which internally sets the
 headers, body and address) and send the request via a plain
-*HttpClient*, typically there are more parameters with special semantics
+`HttpClient`, typically there are more parameters with special semantics
 and encoding required. That's why we provide extension methods to do
 the low level work.
 
-Equally, a protocol response has a corresponding *ProtocolResponse*
+Equally, a protocol response has a corresponding `ProtocolResponse`
 implementation that parses the status codes and response content. The
 following code snippet would parse the raw HTTP response from a token
-endpoint and turn it into a *TokenResponse* object:
+endpoint and turn it into a `TokenResponse` object:
 
 ```cs
 var tokenResponse = await ProtocolResponse
@@ -58,12 +58,12 @@ have a look at an example next.
 ## Extension methods
 
 For each protocol interaction, an extension method for
-*HttpMessageInvoker* (that's the base class of *HttpClient*) exists.
+`HttpMessageInvoker` (that's the base class of `HttpClient`) exists.
 The extension methods expect a request object and return a response
 object.
 
 It is your responsibility to set up and manage the lifetime of the
-*HttpClient*, e.g. manually:
+`HttpClient`, e.g. manually:
 
 ```cs
 var client = new HttpClient();
@@ -77,7 +77,7 @@ var response = await client.RequestClientCredentialsTokenAsync(
     });
 ```
 
-You might want to use other techniques to obtain an *HttpClient*, e.g.
+You might want to use other techniques to obtain an `HttpClient`, e.g.
 via the HTTP client factory:
 
 ```cs
@@ -96,7 +96,7 @@ All other endpoint client follow the same design.
 
 :::note
 Some client libraries also include a stateful client object (e.g.
-*TokenClient* and *IntrospectionClient*). See the corresponding section
+`TokenClient` and `IntrospectionClient`). See the corresponding section
 to find out more.
 :::
 
@@ -108,9 +108,9 @@ HTTP Basic authentication encoding issues.
 :::
 
 
-Any request type implementing *ProtocolRequest* has the ability to configure
+Any request type implementing `ProtocolRequest` has the ability to configure
 the client credential style, which specifies how the client will transmit the client ID and secret.
-*ClientCredentialStyle* options include *PostBody* and the default value of *AuthorizationHeader*.
+`ClientCredentialStyle` options include `PostBody` and the default value of `AuthorizationHeader`.
 
 ```cs
 var client = HttpClientFactory.CreateClient("my_named_token_client");
@@ -131,7 +131,7 @@ specification version you are targeting. When using IdentityServer, both header
 are supported and _"it just works"_.
 
 [RFC 6749](https://datatracker.ietf.org/doc/rfc6749/), the original OAuth spec, says that support for the basic auth header is mandatory, 
-and that the POST body is optional. OAuth 2.1 reverses this - now the body is mandatory and the header is optional.
+and that the POST body is optional. OAuth 2.1 reverses this: now the body is mandatory and the header is optional.
 
 In the previous OAuth specification version, the header caused bugs and interoperability problems. To follow
 both RFC 6749 and RFC 2617 (which is where basic auth headers are specified), you have to form url encode the client id and client secret, 
@@ -145,22 +145,22 @@ References:
 - [RFC 2617 section 2](https://www.rfc-editor.org/rfc/rfc2617#section-2)
 - [OAuth 2.1 Draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/)
 
-Here is a complete list of *ProtocolRequest* implementors that expose the *ClientCredentialStyle* option:
-
-- *Duende.IdentityModel.Client.AuthorizationCodeTokenRequest*
-- *Duende.IdentityModel.Client.BackchannelAuthenticationRequest*
-- *Duende.IdentityModel.Client.BackchannelAuthenticationTokenRequest*
-- *Duende.IdentityModel.Client.ClientCredentialsTokenRequest*
-- *Duende.IdentityModel.Client.DeviceAuthorizationRequest*
-- *Duende.IdentityModel.Client.DeviceTokenRequest*
-- *Duende.IdentityModel.Client.DiscoveryDocumentRequest*
-- *Duende.IdentityModel.Client.DynamicClientRegistrationRequest*
-- *Duende.IdentityModel.Client.JsonWebKeySetRequest*
-- *Duende.IdentityModel.Client.PasswordTokenRequest*
-- *Duende.IdentityModel.Client.PushedAuthorizationRequest*
-- *Duende.IdentityModel.Client.RefreshTokenRequest*
-- *Duende.IdentityModel.Client.TokenExchangeTokenRequest*
-- *Duende.IdentityModel.Client.TokenIntrospectionRequest*
-- *Duende.IdentityModel.Client.TokenRequest*
-- *Duende.IdentityModel.Client.TokenRevocationRequest*
-- *Duende.IdentityModel.Client.UserInfoRequest*
+Here is a complete list of `ProtocolRequest` implementors that expose the `ClientCredentialStyle` option:
+
+- `Duende.IdentityModel.Client.AuthorizationCodeTokenRequest`
+- `Duende.IdentityModel.Client.BackchannelAuthenticationRequest`
+- `Duende.IdentityModel.Client.BackchannelAuthenticationTokenRequest`
+- `Duende.IdentityModel.Client.ClientCredentialsTokenRequest`
+- `Duende.IdentityModel.Client.DeviceAuthorizationRequest`
+- `Duende.IdentityModel.Client.DeviceTokenRequest`
+- `Duende.IdentityModel.Client.DiscoveryDocumentRequest`
+- `Duende.IdentityModel.Client.DynamicClientRegistrationRequest`
+- `Duende.IdentityModel.Client.JsonWebKeySetRequest`
+- `Duende.IdentityModel.Client.PasswordTokenRequest`
+- `Duende.IdentityModel.Client.PushedAuthorizationRequest`
+- `Duende.IdentityModel.Client.RefreshTokenRequest`
+- `Duende.IdentityModel.Client.TokenExchangeTokenRequest`
+- `Duende.IdentityModel.Client.TokenIntrospectionRequest`
+- `Duende.IdentityModel.Client.TokenRequest`
+- `Duende.IdentityModel.Client.TokenRevocationRequest`
+- `Duende.IdentityModel.Client.UserInfoRequest`