Skip to content
Introducing the next era of Duende IdentityServer. Read our CEO’s announcement

OidcClientOptions Reference

This page provides a complete reference for all OidcClientOptions properties. For a quick start, see Automatic Mode or Manual Mode.

These properties must be configured for basic operation:

PropertyTypeDescription
AuthoritystringThe OpenID Connect provider URL (e.g., https://demo.duendesoftware.com)
ClientIdstringThe OAuth client identifier registered with the provider
RedirectUristringThe URI where the browser redirects after authentication
ScopestringSpace-separated list of scopes to request (must include openid)
var options = new OidcClientOptions
{
Authority = "https://demo.duendesoftware.com",
ClientId = "native",
RedirectUri = "app://callback",
Scope = "openid profile email offline_access"
};
PropertyTypeDefaultDescription
BrowserIBrowsernullBrowser implementation for user interaction
BrowserTimeoutTimeSpan5 minTimeout for browser-based operations
PropertyTypeDescription
ClientSecretstringClient secret for confidential clients
ClientAssertionClientAssertionClient assertion for JWT client authentication
GetClientAssertionAsyncFunc<Task<ClientAssertion>>Callback for dynamic client assertion
TokenClientCredentialStyleClientCredentialStyleHow credentials are sent (default: POST body)
// Confidential client with secret
options.ClientSecret = "secret";
// Or with client assertion (e.g., private_key_jwt)
options.ClientAssertion = new ClientAssertion
{
Type = OidcConstants.ClientAssertionTypes.JwtBearer,
Value = GenerateClientAssertion()
};
PropertyTypeDefaultDescription
LoadProfilebooltrueLoad claims from userinfo endpoint
FilterClaimsbooltrueFilter protocol claims from user claims
FilteredClaimsICollection<string>(various)Claim types to filter out
ClockSkewTimeSpan5 minClock skew tolerance for token validation
PropertyTypeDefaultDescription
ProviderInformationProviderInformationnullManual provider configuration (skips discovery)
RefreshDiscoveryDocumentForLoginboolfalseRe-fetch discovery on each login
RefreshDiscoveryOnSignatureFailurebooltrueRe-fetch discovery when signature validation fails

For offline scenarios or providers without discovery:

options.ProviderInformation = new ProviderInformation
{
IssuerName = "https://idp.example.com",
AuthorizeEndpoint = "https://idp.example.com/authorize",
TokenEndpoint = "https://idp.example.com/token",
UserInfoEndpoint = "https://idp.example.com/userinfo",
EndSessionEndpoint = "https://idp.example.com/endsession",
KeySet = loadedKeySet
};
PropertyTypeDescription
PostLogoutRedirectUristringURI for redirect after logout
PropertyTypeDescription
BackchannelHandlerHttpMessageHandlerCustom handler for back-channel requests
BackchannelTimeoutTimeSpanTimeout for token/userinfo requests
RefreshTokenInnerHttpHandlerHttpMessageHandlerInner handler for refresh token handler
HttpClientFactoryFunc<OidcClientOptions, HttpClient>Factory for creating HttpClient instances
// Custom handler for debugging or proxying
options.BackchannelHandler = new HttpClientHandler
{
Proxy = new WebProxy("http://localhost:8888")
};
options.BackchannelTimeout = TimeSpan.FromSeconds(30);
PropertyTypeDefaultDescription
DisablePushedAuthorizationboolfalseDisable PAR even if supported

PAR is automatically used when the provider supports it unless disabled.

PropertyTypeDescription
ResourceICollection<string>Resource indicators for token requests
options.Resource = new[] { "urn:api:resource1", "urn:api:resource2" };
PropertyTypeDefaultDescription
StateLengthint64Length of generated state parameter
PropertyTypeDescription
LoggerFactoryILoggerFactoryLogger factory for diagnostic logging

See Logging for details.

PropertyTypeDescription
PolicyPolicyValidation policy settings
IdentityTokenValidatorIIdentityTokenValidatorCustom token validator
PropertyTypeDefaultDescription
DiscoveryDiscoveryPolicy(default)Discovery document validation settings
RequireAccessTokenHashboolfalseRequire at_hash claim in ID token
RequireIdentityTokenOnRefreshTokenResponseboolfalseRequire ID token on refresh
RequireIdentityTokenSignaturebooltrueRequire signed ID tokens
ValidateTokenIssuerNamebooltrueValidate issuer matches
ValidSignatureAlgorithmsICollection<string>(asymmetric)Allowed signing algorithms
options.Policy = new Policy
{
RequireAccessTokenHash = true,
ValidSignatureAlgorithms = new[] { "RS256", "ES256" }
};
var options = new OidcClientOptions
{
// Required
Authority = "https://demo.duendesoftware.com",
ClientId = "native",
RedirectUri = "app://callback",
Scope = "openid profile email offline_access api",
// Logout
PostLogoutRedirectUri = "app://logout",
// Browser
Browser = new SystemBrowser(),
BrowserTimeout = TimeSpan.FromMinutes(2),
// Claims
LoadProfile = true,
FilterClaims = true,
// Validation
ClockSkew = TimeSpan.FromMinutes(5),
// Logging
LoggerFactory = loggerFactory,
// HTTP
BackchannelTimeout = TimeSpan.FromSeconds(30)
};
var client = new OidcClient(options);