Allow a default ITokenRequestCustomizer to be registered

This is useful to ensure that a single TokenRequestCustomizer can be
used for various paths such as ITokenRetrievers as well as the
HttpContextExtensions.

Author: pgermishuys

access-token-management/src/AccessTokenManagement.OpenIdConnect/HttpContextExtensions.cs

@@ -28,8 +28,17 @@ public static async Task<TokenResult<UserToken>> GetUserAccessTokenAsync(
         CT ct = default)
     {
         var service = httpContext.RequestServices.GetRequiredService<IUserTokenManager>();
+        var requestParameters = parameters ?? new UserTokenRequestParameters();
+        var tokenRequestCustomizer = httpContext.RequestServices.GetService<ITokenRequestCustomizer?>();
+        if (tokenRequestCustomizer is not null)
+        {
+            var httpRequestContext = httpContext.Request.ToHttpRequestContext();
+            requestParameters =
+                await tokenRequestCustomizer.Customize(httpRequestContext, requestParameters, ct) as
+                    UserTokenRequestParameters;
+        }
 
-        return await service.GetAccessTokenAsync(httpContext.User, parameters, ct).ConfigureAwait(false);
+        return await service.GetAccessTokenAsync(httpContext.User, requestParameters, ct).ConfigureAwait(false);
     }
 
     /// <summary>
@@ -45,8 +54,17 @@ public static async Task RevokeRefreshTokenAsync(
         CT ct = default)
     {
         var service = httpContext.RequestServices.GetRequiredService<IUserTokenManager>();
+        var requestParameters = parameters ?? new UserTokenRequestParameters();
+        var tokenRequestCustomizer = httpContext.RequestServices.GetService<ITokenRequestCustomizer?>();
+        if (tokenRequestCustomizer is not null)
+        {
+            var httpRequestContext = httpContext.Request.ToHttpRequestContext();
+            requestParameters =
+                await tokenRequestCustomizer.Customize(httpRequestContext, requestParameters, ct) as
+                    UserTokenRequestParameters;
+        }
 
-        await service.RevokeRefreshTokenAsync(httpContext.User, parameters, ct).ConfigureAwait(false);
+        await service.RevokeRefreshTokenAsync(httpContext.User, requestParameters, ct).ConfigureAwait(false);
     }
 
     /// <summary>
@@ -72,20 +90,34 @@ public static async Task<TokenResult<ClientCredentialsToken>> GetClientAccessTok
             var defaultScheme = await schemes.GetDefaultChallengeSchemeAsync().ConfigureAwait(false);
             if (defaultScheme == null)
             {
-                throw new InvalidOperationException("Cannot retrieve client access token. No scheme was provided and default challenge scheme was not set.");
+                throw new InvalidOperationException(
+                    "Cannot retrieve client access token. No scheme was provided and default challenge scheme was not set.");
             }
 
             schemeName = Scheme.Parse(defaultScheme.Name);
         }
 
+        var requestParameters = parameters ?? new UserTokenRequestParameters();
+        var tokenRequestCustomizer = httpContext.RequestServices.GetService<ITokenRequestCustomizer?>();
+        if (tokenRequestCustomizer is not null)
+        {
+            var httpRequestContext = httpContext.Request.ToHttpRequestContext();
+            requestParameters =
+                await tokenRequestCustomizer.Customize(httpRequestContext, requestParameters, ct) as
+                    UserTokenRequestParameters;
+        }
+
         return await service.GetAccessTokenAsync(
             schemeName.Value.ToClientName(),
-            parameters,
+            requestParameters,
             ct).ConfigureAwait(false);
     }
 
     const string AuthenticationPropertiesDPoPKey = ".Token.dpop_proof_key";
-    internal static void SetProofKey(this AuthenticationProperties properties, DPoPProofKey dpopProofKey) => properties.Items[AuthenticationPropertiesDPoPKey] = dpopProofKey.ToString();
+
+    internal static void SetProofKey(this AuthenticationProperties properties, DPoPProofKey dpopProofKey) =>
+        properties.Items[AuthenticationPropertiesDPoPKey] = dpopProofKey.ToString();
+
     internal static DPoPProofKey? GetProofKey(this AuthenticationProperties properties)
     {
         if (properties.Items.TryGetValue(AuthenticationPropertiesDPoPKey, out var key))
@@ -97,17 +129,22 @@ public static async Task<TokenResult<ClientCredentialsToken>> GetClientAccessTok
 
             return DPoPProofKey.Parse(key);
         }
+
         return null;
     }
 
     const string HttpContextDPoPKey = "dpop_proof_key";
-    internal static void SetCodeExchangeDPoPKey(this HttpContext context, DPoPProofKey dpopProofKey) => context.Items[HttpContextDPoPKey] = dpopProofKey;
+
+    internal static void SetCodeExchangeDPoPKey(this HttpContext context, DPoPProofKey dpopProofKey) =>
+        context.Items[HttpContextDPoPKey] = dpopProofKey;
+
     internal static DPoPProofKey? GetCodeExchangeDPoPKey(this HttpContext context)
     {
         if (context.Items.TryGetValue(HttpContextDPoPKey, out var item))
         {
             return item as DPoPProofKey?;
         }
+
         return null;
     }
 }

access-token-management/src/AccessTokenManagement.OpenIdConnect/HttpRequestContextExtensions.cs

@@ -0,0 +1,18 @@
+// Copyright (c) Duende Software. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Extensions;
+
+namespace Duende.AccessTokenManagement.OpenIdConnect;
+
+internal static class HttpRequestContextExtensions
+{
+    public static HttpRequestContext ToHttpRequestContext(this HttpRequest request) =>
+        new()
+        {
+            Method = request.Method,
+            RequestUri = new Uri(request.GetEncodedUrl()),
+            Headers = request.Headers.Select(h => new KeyValuePair<string, IEnumerable<string>>(h.Key, h.Value))
+        };
+}

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/OpenIdConnectClientAccessTokenRetriever.cs

@@ -34,7 +34,7 @@ internal class OpenIdConnectClientAccessTokenRetriever(
         };
 
         var customizedParameters = customizer != null
-            ? await customizer.Customize(request, baseParameters, ct)
+            ? await customizer.Customize(request.ToHttpRequestContext(), baseParameters, ct)
             : baseParameters;
 
         var userTokenRequestParameters = baseParameters with

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/OpenIdConnectUserAccessTokenRetriever.cs

@@ -29,7 +29,7 @@ internal class OpenIdConnectUserAccessTokenRetriever(
         };
 
         var customizedParameters = customizer != null
-            ? await customizer.Customize(request, baseParameters, ct)
+            ? await customizer.Customize(request.ToHttpRequestContext(), baseParameters, ct)
             : baseParameters;
 
         var parameters = baseParameters with

access-token-management/src/AccessTokenManagement/HttpRequestContext.cs

@@ -0,0 +1,14 @@
+// Copyright (c) Duende Software. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+namespace Duende.AccessTokenManagement;
+
+/// <summary>
+/// Represents a slim version of an HTTP request
+/// </summary>
+public record struct HttpRequestContext
+{
+    public required string Method { get; init; }
+    public required Uri? RequestUri { get; init; }
+    public required IEnumerable<KeyValuePair<string, IEnumerable<string>>> Headers { get; init; }
+}

access-token-management/src/AccessTokenManagement/HttpRequestContextExtensions.cs

@@ -0,0 +1,15 @@
+// Copyright (c) Duende Software. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+namespace Duende.AccessTokenManagement;
+
+internal static class HttpRequestContextExtensions
+{
+    public static HttpRequestContext ToHttpRequestContext(this HttpRequestMessage request) =>
+        new()
+        {
+            Method = request.Method.Method,
+            RequestUri = request.RequestUri,
+            Headers = request.Headers
+        };
+}

access-token-management/src/AccessTokenManagement/ITokenRequestCustomizer.cs

@@ -16,7 +16,7 @@ public interface ITokenRequestCustomizer
     /// <param name="cancellationToken">Cancellation token</param>
     /// <returns>Customized token request parameters</returns>
     Task<TokenRequestParameters> Customize(
-        HttpRequestMessage httpRequest,
+        HttpRequestContext httpRequest,
         TokenRequestParameters baseParameters,
         CancellationToken cancellationToken = default);
 }

access-token-management/src/AccessTokenManagement/Internal/ClientCredentialsTokenRetriever.cs

@@ -5,7 +5,6 @@
 
 namespace Duende.AccessTokenManagement.Internal;
 
-
 /// <summary>
 /// An <see cref="AccessTokenRequestHandler.ITokenRetriever" /> implementation that retrieves a token using the client credentials flow.
 /// </summary>
@@ -24,7 +23,7 @@ internal class ClientCredentialsTokenRetriever(
         };
 
         var parameters = customizer != null
-            ? await customizer.Customize(request, baseParameters, ct)
+            ? await customizer.Customize(request.ToHttpRequestContext(), baseParameters, ct)
             : baseParameters;
 
         var getTokenResult = await clientCredentialsTokenManager.GetAccessTokenAsync(clientName, parameters, ct);

access-token-management/test/AccessTokenManagement.Tests/Framework/AppHost.cs

@@ -165,10 +165,10 @@ await context.ChallengeAsync(new AuthenticationProperties
                 await context.Response.WriteAsJsonAsync(getResult.FailedResult);
             });
 
-            endpoints.MapGet("/call_api", async (IHttpClientFactory factory, HttpContext _) =>
+            endpoints.MapGet("/call_api", async (IHttpClientFactory factory, HttpContext context) =>
             {
                 var http = factory.CreateClient("callApi");
-                var response = await http.GetAsync("test");
+                var response = await http.GetAsync("test" + context.Request.QueryString);
                 return await response.Content.ReadFromJsonAsync<TokenEchoResponse>();
             });
 

access-token-management/test/AccessTokenManagement.Tests/Framework/IdentityServerHost.cs

@@ -40,6 +40,7 @@ public IdentityServerHost(WriteTestOutput writeTestOutput, string baseAddress =
     ];
 
     public List<Dictionary<string, string>> CapturedTokenRequests { get; } = [];
+    public List<Dictionary<string, string>> CapturedRevocationRequests { get; } = [];
 
     private void ConfigureServices(IServiceCollection services)
     {
@@ -80,6 +81,14 @@ private void Configure(IApplicationBuilder app)
                     kvp => kvp.Value.ToString());
                 CapturedTokenRequests.Add(capturedData);
             }
+            else if (ctx.Request.Path == "/connect/revocation" && ctx.Request.Method == "POST")
+            {
+                var form = await ctx.Request.ReadFormAsync();
+                var capturedData = form.ToDictionary(
+                    kvp => kvp.Key,
+                    kvp => kvp.Value.ToString());
+                CapturedRevocationRequests.Add(capturedData);
+            }
 
             await next();
         });