Fix stale ClientAssertion on DPoP nonce retry and missing assertion in OIDC code exchange

When DPoP nonce negotiation triggers a token request retry, regenerate
the client assertion (private_key_jwt) so servers enforcing unique jti
claims accept the retry. Also inject IClientAssertionService into the
OIDC code-exchange flow so assertions are sent automatically without
requiring manual PostConfigure workarounds.

Five fix sites across two libraries:

1. ClientCredentialsTokenClient — re-invoke GetClientAssertionAsync
   before DPoP nonce retry (access-token-management)
2. OpenIdConnectUserTokenEndpoint — same pattern for refresh path
3. ConfigureOpenIdConnectOptions — inject IClientAssertionService, fix
   async bugs in CreateCallback, add assertion to OnAuthorizationCodeReceived
4. AuthorizationServerDPoPHandler — accept optional IClientAssertionService,
   rebuild form body with fresh assertion on nonce retry
5. ProofTokenMessageHandler — add optional ClientAssertionFactory callback,
   rebuild form body on nonce retry (identity-model-oidc-client)

OidcClientExtensions.ConfigureDPoP() wires GetClientAssertionAsync to the
token-endpoint handler's ClientAssertionFactory automatically.

Backward compatible: NoOpClientAssertionService returns null, all new
code paths null-check and skip. Static parameters.Assertion path is
intentionally left unchanged.

Closes #1392, closes #1393

Author: Erwinvandervalk

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/AuthorizationServerDPoPHandler.cs

@@ -6,6 +6,7 @@
 using Duende.AccessTokenManagement.Internal;
 
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Logging;
 
 namespace Duende.AccessTokenManagement.OpenIdConnect.Internal;
@@ -35,7 +36,9 @@ internal class AuthorizationServerDPoPHandler(
     IDPoPProofService dPoPProofService,
     IDPoPNonceStore dPoPNonceStore,
     IHttpContextAccessor httpContextAccessor,
-    ILoggerFactory loggerFactory) : DelegatingHandler
+    ILoggerFactory loggerFactory,
+    IClientAssertionService? clientAssertionService = null,
+    ClientCredentialsClientName? clientName = null) : DelegatingHandler
 {
     // We depend on the logger factory, rather than the logger itself, since
     // the type parameter of the logger (referencing this class) will not
@@ -87,6 +90,26 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
                 _logger.DPoPErrorDuringTokenRefreshWillRetryWithServerNonce(LogLevel.Debug, response.GetDPoPError());
                 response.Dispose();
                 await SetDPoPProofTokenForCodeExchangeAsync(request, dPoPNonce, codeExchangeJwk).ConfigureAwait(false);
+
+                // Regenerate the client assertion to ensure a fresh jti on retry.
+                if (clientAssertionService != null && clientName != null)
+                {
+                    var freshAssertion = await clientAssertionService
+                        .GetClientAssertionAsync(clientName.Value, ct: ct)
+                        .ConfigureAwait(false);
+
+                    if (freshAssertion != null && request.Content != null)
+                    {
+                        var bodyString = await request.Content.ReadAsStringAsync(ct).ConfigureAwait(false);
+                        var formData = QueryHelpers.ParseQuery(bodyString);
+                        formData[Duende.IdentityModel.OidcConstants.TokenRequest.ClientAssertionType] = freshAssertion.Type;
+                        formData[Duende.IdentityModel.OidcConstants.TokenRequest.ClientAssertion] = freshAssertion.Value;
+                        request.Content = new FormUrlEncodedContent(
+                            formData.SelectMany(kvp => kvp.Value.Select(v =>
+                                new KeyValuePair<string, string>(kvp.Key, v ?? string.Empty))));
+                    }
+                }
+
                 return await base.SendAsync(request, ct).ConfigureAwait(false);
             }
         }

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/ConfigureOpenIdConnectOptions.cs

@@ -22,6 +22,7 @@ internal class ConfigureOpenIdConnectOptions(
     IHttpContextAccessor httpContextAccessor,
     IOptions<UserTokenManagementOptions> userAccessTokenManagementOptions,
     IAuthenticationSchemeProvider schemeProvider,
+    IClientAssertionService clientAssertionService,
     ILoggerFactory loggerFactory) : IConfigureNamedOptions<OpenIdConnectOptions>
 {
     private readonly Scheme _configScheme = GetConfigScheme(userAccessTokenManagementOptions.Value, schemeProvider);
@@ -59,7 +60,7 @@ public void Configure(string? name, OpenIdConnectOptions options)
             options.Events.OnAuthorizationCodeReceived = CreateCallback(options.Events.OnAuthorizationCodeReceived);
             options.Events.OnTokenValidated = CreateCallback(options.Events.OnTokenValidated);
 
-            options.BackchannelHttpHandler = new AuthorizationServerDPoPHandler(dPoPProofService, dPoPNonceStore, httpContextAccessor, loggerFactory)
+            options.BackchannelHttpHandler = new AuthorizationServerDPoPHandler(dPoPProofService, dPoPNonceStore, httpContextAccessor, loggerFactory, clientAssertionService, ClientName)
             {
                 InnerHandler = options.BackchannelHttpHandler ?? new HttpClientHandler()
             };
@@ -104,9 +105,9 @@ async Task Callback(RedirectContext context)
 
     private Func<AuthorizationCodeReceivedContext, Task> CreateCallback(Func<AuthorizationCodeReceivedContext, Task> inner)
     {
-        Task Callback(AuthorizationCodeReceivedContext context)
+        async Task Callback(AuthorizationCodeReceivedContext context)
         {
-            var result = inner.Invoke(context);
+            await inner.Invoke(context);
 
             // get key from storage
             var jwk = context.Properties?.GetProofKey();
@@ -116,17 +117,26 @@ Task Callback(AuthorizationCodeReceivedContext context)
                 context.HttpContext.SetCodeExchangeDPoPKey(jwk.Value);
             }
 
-            return result;
+            // Automatically send client assertion during code exchange if a service is registered
+            var assertion = await clientAssertionService
+                .GetClientAssertionAsync(ClientName, ct: context.HttpContext.RequestAborted)
+                .ConfigureAwait(false);
+
+            if (assertion != null)
+            {
+                context.TokenEndpointRequest!.ClientAssertionType = assertion.Type;
+                context.TokenEndpointRequest.ClientAssertion = assertion.Value;
+            }
         }
 
         return Callback;
     }
 
     private Func<TokenValidatedContext, Task> CreateCallback(Func<TokenValidatedContext, Task> inner)
     {
-        Task Callback(TokenValidatedContext context)
+        async Task Callback(TokenValidatedContext context)
         {
-            var result = inner.Invoke(context);
+            await inner.Invoke(context);
 
             // TODO: we don't have a good approach for this right now, since the IUserTokenStore
             // just assumes that the session management has been populated with all the token values
@@ -139,8 +149,6 @@ Task Callback(TokenValidatedContext context)
             //    // and defer to the host and/or IUserTokenStore implementation to decide where the key is kept
             //    //context.Properties!.RemoveProofKey();
             //}
-
-            return result;
         }
 
         return Callback;

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/OpenIdConnectUserTokenEndpoint.cs

@@ -120,6 +120,24 @@ public async Task<TokenResult<UserToken>> RefreshAccessTokenAsync(
 
             request.DPoPProofToken = proof;
 
+            // Regenerate the client assertion to ensure a fresh jti on retry.
+            // Only apply when using the service-based assertion path (not the static Assertion parameter).
+            if (parameters.Assertion == null)
+            {
+                var freshAssertion = await clientAssertionService
+                    .GetClientAssertionAsync(
+                        clientName: oidc.Scheme.ToClientName(),
+                        parameters,
+                        ct)
+                    .ConfigureAwait(false);
+
+                if (freshAssertion != null)
+                {
+                    request.ClientAssertion = freshAssertion;
+                    request.ClientCredentialStyle = ClientCredentialStyle.PostBody;
+                }
+            }
+
             if (request.DPoPProofToken != null)
             {
                 metrics.DPoPNonceErrorRetry(ClientId.Parse(request.ClientId), response.Error);

access-token-management/src/AccessTokenManagement/Internal/ClientCredentialsTokenClient.cs

@@ -127,6 +127,19 @@ public virtual async Task<TokenResult<ClientCredentialsToken>> RequestAccessToke
                 dPoPNonce: DPoPNonce.Parse(response.DPoPNonce),
                 ct: ct);
 
+            // Regenerate the client assertion to ensure a fresh jti on retry.
+            // Only apply when using the service-based assertion path (not the static Assertion parameter).
+            if (parameters.Assertion == null)
+            {
+                var freshAssertion = await clientAssertionService.GetClientAssertionAsync(clientName, parameters, ct: ct)
+                    .ConfigureAwait(false);
+                if (freshAssertion != null)
+                {
+                    request.ClientAssertion = freshAssertion;
+                    request.ClientCredentialStyle = ClientCredentialStyle.PostBody;
+                }
+            }
+
             if (request.DPoPProofToken != null)
             {
                 response = await httpClient.RequestClientCredentialsTokenAsync(request, ct).ConfigureAwait(false);

access-token-management/test/AccessTokenManagement.Tests/ClientTokenManagementTests.cs

@@ -602,4 +602,94 @@ public async Task Cache_auto_tuning_should_persist_across_transient_manager_inst
         secondRequestExpiration.ShouldBe(expectedExpiration,
             "Second request should use the auto-tuned cache duration learned from the first request");
     }
+
+    [Fact]
+    public async Task dpop_nonce_retry_should_use_fresh_client_assertion()
+    {
+        // Arrange: assertion service that returns incrementing assertion values
+        var callCount = 0;
+        var capturedAssertions = new List<string>();
+        _services.AddTransient<IClientAssertionService>(_ =>
+            new CountingClientAssertionService("test", () => $"assertion_{Interlocked.Increment(ref callCount)}"));
+
+        var proof = new TestDPoPProofService { ProofToken = "proof_token", AppendNonce = true };
+        _services.AddSingleton<IDPoPProofService>(proof);
+
+        _services.AddClientCredentialsTokenManagement()
+            .AddClient("test", client => Some.ClientCredentialsClient(
+                toConfigure: client,
+                jsonWebKey: The.JsonWebKey));
+
+        // First request: returns DPoP nonce error
+        _mockHttp.Expect(The.TokenEndpoint.ToString())
+            .With(m =>
+            {
+                var content = m.Content!.ReadAsStringAsync().Result;
+                var pairs = System.Web.HttpUtility.ParseQueryString(content);
+                var assertion = pairs["client_assertion"];
+                if (assertion != null) capturedAssertions.Add(assertion);
+                return true;
+            })
+            .Respond(HttpStatusCode.BadRequest,
+                [new KeyValuePair<string, string>("DPoP-Nonce", "some_nonce")],
+                "application/json",
+                JsonSerializer.Serialize(new { error = "use_dpop_nonce" }));
+
+        // Retry request: should succeed
+        _mockHttp.Expect(The.TokenEndpoint.ToString())
+            .With(m =>
+            {
+                var content = m.Content!.ReadAsStringAsync().Result;
+                var pairs = System.Web.HttpUtility.ParseQueryString(content);
+                var assertion = pairs["client_assertion"];
+                if (assertion != null) capturedAssertions.Add(assertion);
+                return true;
+            })
+            .Respond(_ => Some.TokenHttpResponse());
+
+        _services.AddHttpClient(ClientCredentialsTokenManagementDefaults.BackChannelHttpClientName)
+            .ConfigurePrimaryHttpMessageHandler(() => _mockHttp);
+
+        var provider = _services.BuildServiceProvider();
+        var sut = provider.GetRequiredService<IClientCredentialsTokenManager>();
+
+        // Act
+        var token = await sut.GetAccessTokenAsync(ClientCredentialsClientName.Parse("test"), ct: _ct).GetToken();
+
+        // Assert
+        _mockHttp.VerifyNoOutstandingExpectation();
+        token.ShouldBeEquivalentTo(Some.ClientCredentialsToken() with
+        {
+            DPoPJsonWebKey = The.JsonWebKey
+        });
+
+        // CRITICAL ASSERTION: The two requests should have different client assertions
+        capturedAssertions.Count.ShouldBe(2, "Expected two token requests (initial + nonce retry)");
+        capturedAssertions[0].ShouldNotBe(capturedAssertions[1],
+            "Client assertion must be regenerated on DPoP nonce retry, not reused");
+    }
+
+    /// <summary>
+    /// A client assertion service that returns a new assertion value on each call,
+    /// useful for proving that assertions are (or are not) being refreshed.
+    /// </summary>
+    private class CountingClientAssertionService(string name, Func<string> valueFactory) : IClientAssertionService
+    {
+        public Task<ClientAssertion?> GetClientAssertionAsync(
+            ClientCredentialsClientName? clientName = null,
+            TokenRequestParameters? parameters = null,
+            CancellationToken ct = default)
+        {
+            if (clientName == name)
+            {
+                return Task.FromResult<ClientAssertion?>(new ClientAssertion
+                {
+                    Type = OidcConstants.ClientAssertionTypes.JwtBearer,
+                    Value = valueFactory()
+                });
+            }
+
+            return Task.FromResult<ClientAssertion?>(null);
+        }
+    }
 }

access-token-management/test/AccessTokenManagement.Tests/UserTokenManagementTests.cs

@@ -511,26 +511,16 @@ public async Task Can_request_user_token_using_client_assertions()
         var mockHttp = new MockHttpMessageHandler();
         AppHost.IdentityServerHttpHandler = mockHttp;
         AppHost.ClientSecret = null;
+
+        // Use the scheme-derived client name — ConfigureOpenIdConnectOptions calls
+        // IClientAssertionService.GetClientAssertionAsync with this name during code exchange.
+        var schemeClientName = OpenIdConnectTokenManagementDefaults.ClientCredentialsClientNamePrefix + "oidc";
         AppHost.OnConfigureServices += services =>
         {
             services.AddSingleton<IClientAssertionService>(
-                new TestClientAssertionService("test", "service_type", "service_value"));
-            services.PostConfigure<OpenIdConnectOptions>("oidc", options =>
-            {
-                options.Events.OnAuthorizationCodeReceived = async context =>
-                {
-                    var clientAssertionService =
-                        context.HttpContext.RequestServices.GetRequiredService<IClientAssertionService>();
-                    var assertion =
-                        await clientAssertionService.GetClientAssertionAsync(
-                            ClientCredentialsClientName.Parse("test")) ??
-                        throw new InvalidOperationException("Client assertion is null");
-
-                    context.TokenEndpointRequest!.ClientAssertionType = assertion.Type;
-                    context.TokenEndpointRequest.ClientAssertion = assertion.Value;
-                };
-            });
+                new TestClientAssertionService(schemeClientName, "service_type", "service_value"));
         };
+
         var expectedRequestFormData = new Dictionary<string, string>
         {
             { OidcConstants.TokenRequest.ClientAssertionType, "service_type" },
@@ -559,6 +549,53 @@ await clientAssertionService.GetClientAssertionAsync(
         token.AccessTokenType.ShouldBe("clientAssertionsWork");
     }
 
+    [Fact]
+    public async Task Code_exchange_sends_client_assertion_automatically_when_service_registered()
+    {
+        // This test verifies that when IClientAssertionService is registered, the assertion
+        // is automatically sent during OIDC code exchange WITHOUT any manual PostConfigure workaround.
+        // This is the fix for GitHub issue #325 / #1392.
+        var mockHttp = new MockHttpMessageHandler();
+        AppHost.IdentityServerHttpHandler = mockHttp;
+        AppHost.ClientSecret = null;
+
+        // Use the scheme-derived client name that ConfigureOpenIdConnectOptions uses internally
+        var schemeClientName = OpenIdConnectTokenManagementDefaults.ClientCredentialsClientNamePrefix + "oidc";
+        AppHost.OnConfigureServices += services =>
+        {
+            services.AddSingleton<IClientAssertionService>(
+                new TestClientAssertionService(schemeClientName, "service_type", "auto_assertion_value"));
+        };
+
+        var expectedRequestFormData = new Dictionary<string, string>
+        {
+            { OidcConstants.TokenRequest.ClientAssertionType, "service_type" },
+            { OidcConstants.TokenRequest.ClientAssertion, "auto_assertion_value" },
+        };
+        var initialTokenResponse = new
+        {
+            id_token = IdentityServerHost.CreateIdToken("1", "web"),
+            access_token = "initial_access_token",
+            token_type = "assertionAutoSent",
+            expires_in = 3600,
+            refresh_token = "initial_refresh_token",
+        };
+
+        // The code exchange request should include the client assertion automatically
+        mockHttp.When("/connect/token")
+            .WithFormData(expectedRequestFormData)
+            .Respond("application/json", JsonSerializer.Serialize(initialTokenResponse));
+
+        await InitializeAsync();
+        await AppHost.LoginAsync("alice");
+
+        var response = await AppHost.BrowserClient.GetAsync(AppHost.Url("/user_token"), _ct);
+        var token = await response.Content.ReadFromJsonAsync<UserTokenModel>(_ct);
+
+        token.ShouldNotBeNull();
+        token.AccessTokenType.ShouldBe("assertionAutoSent");
+    }
+
     [Fact]
     public async Task Refresh_token_request_should_include_additional_parameters()
     {