The URL host of the protected API. The "u" part of a signed HTTP request. This MAY include the port separated from the host by a colon in host:port format. Optional.

The HTTP method ("GET", "POST" etc.) method that will be bound to the token. Leave null and the POP token will not be bound to the method. Corresponds to the "m" part of the a signed HTTP request. Optional.

The "p" part of the signed HTTP request.

If the protected resource (RP) requires use of a special nonce, they will publish it as part of the WWWAuthenticate header associated with a 401 HTTP response or as part of the AuthorityInfo header associated with 200 response. Set it here to make it part of the Signed HTTP Request part of the POP token.

An extensibility point that allows developers to define their own key management. Leave null and MSAL will use a default implementation, which generates an RSA key pair in memory and refreshes it every 8 hours. Important note: if you want to change the key (e.g. rotate the key), you should create a new instance of this object, as MSAL.NET will keep a thumbprint of keys in memory.

Allows app developers to bypass the creation of the SignedHttpRequest envelope by setting this property to false. App developers can use a package like Microsoft.IdentityModel.Protocols.SignedHttpRequest to later create and sign the envelope.

Creates a configuration using the default key management - an RSA key will be created in memory and rotated every 8h. Uses HttpMethod, HttpHost etc. to control which elements of the request should be included in the POP token.

Creates a configuration using the default key management, and which binds all the details of the HttpRequestMessage.

Creates a configuration using the default key management, and which binds only the Uri part of the HTTP request.