Refresh Client Assertion on DPOP Nonce failure

Author: pgermishuys

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/AuthorizationServerDPoPHandler.cs

@@ -4,8 +4,10 @@
 using System.Net;
 using Duende.AccessTokenManagement.DPoP;
 using Duende.AccessTokenManagement.Internal;
-
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.WebUtilities;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 
 namespace Duende.AccessTokenManagement.OpenIdConnect.Internal;
@@ -40,7 +42,8 @@ internal class AuthorizationServerDPoPHandler(
     // We depend on the logger factory, rather than the logger itself, since
     // the type parameter of the logger (referencing this class) will not
     // always be accessible.
-    private readonly ILogger<AuthorizationServerDPoPHandler> _logger = loggerFactory.CreateLogger<AuthorizationServerDPoPHandler>();
+    private readonly ILogger<AuthorizationServerDPoPHandler> _logger =
+        loggerFactory.CreateLogger<AuthorizationServerDPoPHandler>();
 
     /// <inheritdoc/>
     protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
@@ -87,6 +90,7 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
                 _logger.DPoPErrorDuringTokenRefreshWillRetryWithServerNonce(LogLevel.Debug, response.GetDPoPError());
                 response.Dispose();
                 await SetDPoPProofTokenForCodeExchangeAsync(request, dPoPNonce, codeExchangeJwk).ConfigureAwait(false);
+                await RefreshClientAssertionAsync(request).ConfigureAwait(false);
                 return await base.SendAsync(request, ct).ConfigureAwait(false);
             }
         }
@@ -108,10 +112,8 @@ await dPoPNonceStore.StoreNonceAsync(new DPoPNonceContext
         return response;
     }
 
-    /// <summary>
-    /// Creates a DPoP proof token and attaches it to a request.
-    /// </summary>
-    internal async Task SetDPoPProofTokenForCodeExchangeAsync(HttpRequestMessage request, DPoPNonce? dpopNonce = null, DPoPProofKey? jwk = null)
+    internal async Task SetDPoPProofTokenForCodeExchangeAsync(HttpRequestMessage request, DPoPNonce? dpopNonce = null,
+        DPoPProofKey? jwk = null)
     {
         if (jwk == null)
         {
@@ -138,4 +140,56 @@ internal async Task SetDPoPProofTokenForCodeExchangeAsync(HttpRequestMessage req
             _logger.FailedToCreateDPopProofToken(LogLevel.Debug, request.RequestUri);
         }
     }
+
+    private async Task RefreshClientAssertionAsync(HttpRequestMessage request)
+    {
+        if (request.Content == null)
+        {
+            return;
+        }
+
+        var body = await request.Content.ReadAsStringAsync().ConfigureAwait(false);
+        var fields = QueryHelpers.ParseQuery(body);
+
+        if (!fields.ContainsKey(OidcConstants.TokenRequest.ClientAssertion))
+        {
+            return;
+        }
+
+        var assertionService = httpContextAccessor.HttpContext?.RequestServices
+            .GetService<IClientAssertionService>();
+        if (assertionService == null)
+        {
+            return;
+        }
+
+        var assertion = await assertionService.GetClientAssertionAsync().ConfigureAwait(false);
+        if (assertion == null)
+        {
+            return;
+        }
+
+        var pairs = new List<KeyValuePair<string, string>>();
+        foreach (var kvp in fields)
+        {
+            var key = kvp.Key;
+            switch (key)
+            {
+                case OidcConstants.TokenRequest.ClientAssertion:
+                    pairs.Add(new KeyValuePair<string, string>(key, assertion.Value));
+                    break;
+                case OidcConstants.TokenRequest.ClientAssertionType:
+                    pairs.Add(new KeyValuePair<string, string>(key, assertion.Type));
+                    break;
+                default:
+                {
+                    pairs.AddRange(kvp.Value.Select(val => new KeyValuePair<string, string>(key, val ?? string.Empty)));
+
+                    break;
+                }
+            }
+        }
+
+        request.Content = new FormUrlEncodedContent(pairs);
+    }
 }

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/ConfigureOpenIdConnectOptions.cs

@@ -139,7 +139,6 @@ Task Callback(TokenValidatedContext context)
             //    // and defer to the host and/or IUserTokenStore implementation to decide where the key is kept
             //    //context.Properties!.RemoveProofKey();
             //}
-
             return result;
         }
 

access-token-management/test/AccessTokenManagement.Tests/DPoPWithClientAssertionsTests.cs

@@ -0,0 +1,161 @@
+// Copyright (c) Duende Software. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using System.Net.Http.Json;
+using System.Text.Json;
+using Duende.AccessTokenManagement.DPoP;
+using Duende.AccessTokenManagement.Framework;
+using Duende.IdentityModel;
+using Duende.IdentityModel.Client;
+using Duende.IdentityServer;
+using Duende.IdentityServer.Models;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Tokens;
+using JsonWebKey = Microsoft.IdentityModel.Tokens.JsonWebKey;
+
+namespace Duende.AccessTokenManagement;
+
+public sealed class DPoPWithClientAssertionsTests : IntegrationTestBase
+{
+    private readonly CancellationToken _ct = TestContext.Current.CancellationToken;
+
+    public DPoPWithClientAssertionsTests(ITestOutputHelper output)
+        : base(output, "dpop",
+            configureUserTokenManagementOptions: opt => { opt.DPoPJsonWebKey = DPoPProofKey.Parse(DPoPPrivateJwk); },
+            configureServicesBeforeAtm: services =>
+            {
+                services.AddSingleton<IClientAssertionService>(
+                    new JwtClientAssertionService(ClientAssertionCredentials));
+
+                services.Configure<OpenIdConnectOptions>("oidc", opt =>
+                {
+                    opt.Events.OnAuthorizationCodeReceived = async context =>
+                    {
+                        var svc = context.HttpContext.RequestServices
+                            .GetRequiredService<IClientAssertionService>();
+                        var assertion = await svc.GetClientAssertionAsync(
+                                            ClientCredentialsClientName.Parse("dpop"))
+                                        ?? throw new InvalidOperationException("Client assertion is null");
+
+                        context.TokenEndpointRequest!.ClientAssertionType = assertion.Type;
+                        context.TokenEndpointRequest.ClientAssertion = assertion.Value;
+                    };
+                });
+            })
+    {
+        AppHost.ClientSecret = null;
+
+        var dpopClient = IdentityServerHost.Clients.Single(c => c.ClientId == "dpop");
+        dpopClient.ClientSecrets.Clear();
+        dpopClient.ClientSecrets.Add(new Secret
+        {
+            Type = IdentityServerConstants.SecretTypes.JsonWebKey,
+            Value = BuildPublicJwk(ClientAssertionPrivateJwk)
+        });
+    }
+
+    [Fact]
+    public async Task LoginWithDPoPAndClientAssertionsShouldSucceed()
+    {
+        await InitializeAsync();
+
+        await AppHost.LoginAsync("alice");
+
+        var codeExchangeRequest = IdentityServerHost.CapturedTokenRequests
+            .FirstOrDefault(r => r.TryGetValue("grant_type", out var gt) && gt == "authorization_code");
+        codeExchangeRequest.ShouldNotBeNull();
+        codeExchangeRequest.ShouldContainKeyAndValue(OidcConstants.TokenRequest.ClientAssertionType,
+            OidcConstants.ClientAssertionTypes.JwtBearer);
+        codeExchangeRequest.ShouldContainKey(OidcConstants.TokenRequest.ClientAssertion);
+
+        // Verify we got a DPoP token back (confirms the DPoP proof was also accepted)
+        var response = await AppHost.BrowserClient.GetAsync(AppHost.Url("/user_token"), _ct);
+        var token = await response.Content.ReadFromJsonAsync<UserTokenModel>(_ct);
+        token.ShouldNotBeNull();
+        token.AccessTokenType.ShouldBe("DPoP");
+    }
+
+    private const string ClientAssertionPrivateJwk =
+        """
+        {
+            "d":"GmiaucNIzdvsEzGjZjd43SDToy1pz-Ph-shsOUXXh-dsYNGftITGerp8bO1iryXh_zUEo8oDK3r1y4klTonQ6bLsWw4ogjLPmL3yiqsoSjJa1G2Ymh_RY_sFZLLXAcrmpbzdWIAkgkHSZTaliL6g57vA7gxvd8L4s82wgGer_JmURI0ECbaCg98JVS0Srtf9GeTRHoX4foLWKc1Vq6NHthzqRMLZe-aRBNU9IMvXNd7kCcIbHCM3GTD_8cFj135nBPP2HOgC_ZXI1txsEf-djqJj8W5vaM7ViKU28IDv1gZGH3CatoysYx6jv1XJVvb2PH8RbFKbJmeyUm3Wvo-rgQ",
+            "dp":"YNjVBTCIwZD65WCht5ve06vnBLP_Po1NtL_4lkholmPzJ5jbLYBU8f5foNp8DVJBdFQW7wcLmx85-NC5Pl1ZeyA-Ecbw4fDraa5Z4wUKlF0LT6VV79rfOF19y8kwf6MigyrDqMLcH_CRnRGg5NfDsijlZXffINGuxg6wWzhiqqE",
+            "dq":"LfMDQbvTFNngkZjKkN2CBh5_MBG6Yrmfy4kWA8IC2HQqID5FtreiY2MTAwoDcoINfh3S5CItpuq94tlB2t-VUv8wunhbngHiB5xUprwGAAnwJ3DL39D2m43i_3YP-UO1TgZQUAOh7Jrd4foatpatTvBtY3F1DrCrUKE5Kkn770M",
+            "e":"AQAB",
+            "kid":"ZzAjSnraU3bkWGnnAqLapYGpTyNfLbjbzgAPbbW2GEA",
+            "kty":"RSA",
+            "n":"wWwQFtSzeRjjerpEM5Rmqz_DsNaZ9S1Bw6UbZkDLowuuTCjBWUax0vBMMxdy6XjEEK4Oq9lKMvx9JzjmeJf1knoqSNrox3Ka0rnxXpNAz6sATvme8p9mTXyp0cX4lF4U2J54xa2_S9NF5QWvpXvBeC4GAJx7QaSw4zrUkrc6XyaAiFnLhQEwKJCwUw4NOqIuYvYp_IXhw-5Ti_icDlZS-282PcccnBeOcX7vc21pozibIdmZJKqXNsL1Ibx5Nkx1F1jLnekJAmdaACDjYRLL_6n3W4wUp19UvzB1lGtXcJKLLkqB6YDiZNu16OSiSprfmrRXvYmvD8m6Fnl5aetgKw",
+            "p":"7enorp9Pm9XSHaCvQyENcvdU99WCPbnp8vc0KnY_0g9UdX4ZDH07JwKu6DQEwfmUA1qspC-e_KFWTl3x0-I2eJRnHjLOoLrTjrVSBRhBMGEH5PvtZTTThnIY2LReH-6EhceGvcsJ_MhNDUEZLykiH1OnKhmRuvSdhi8oiETqtPE",
+            "q":"0CBLGi_kRPLqI8yfVkpBbA9zkCAshgrWWn9hsq6a7Zl2LcLaLBRUxH0q1jWnXgeJh9o5v8sYGXwhbrmuypw7kJ0uA3OgEzSsNvX5Ay3R9sNel-3Mqm8Me5OfWWvmTEBOci8RwHstdR-7b9ZT13jk-dsZI7OlV_uBja1ny9Nz9ts",
+            "qi":"pG6J4dcUDrDndMxa-ee1yG4KjZqqyCQcmPAfqklI2LmnpRIjcK78scclvpboI3JQyg6RCEKVMwAhVtQM6cBcIO3JrHgqeYDblp5wXHjto70HVW6Z8kBruNx1AH9E8LzNvSRL-JVTFzBkJuNgzKQfD0G77tQRgJ-Ri7qu3_9o1M4"
+        }
+        """;
+
+    private const string DPoPPrivateJwk =
+        """
+        {
+            "kty":"RSA",
+            "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+            "e":"AQAB",
+            "d":"X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q",
+            "p":"83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs",
+            "q":"3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk",
+            "dp":"G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
+            "dq":"s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
+            "qi":"GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
+            "alg":"RS256",
+            "kid":"2011-04-29"
+        }
+        """;
+
+    private static readonly SigningCredentials ClientAssertionCredentials =
+        new(new JsonWebKey(ClientAssertionPrivateJwk), "RS256");
+
+
+    private static string BuildPublicJwk(string privateJwk)
+    {
+        var fullKey = new JsonWebKey(privateJwk);
+        var publicKey = new JsonWebKey
+        {
+            Kty = fullKey.Kty,
+            N = fullKey.N,
+            E = fullKey.E,
+            Kid = fullKey.Kid,
+            Alg = "RS256"
+        };
+        return JsonSerializer.Serialize(publicKey);
+    }
+}
+
+internal sealed class JwtClientAssertionService(SigningCredentials credentials) : IClientAssertionService
+{
+    public Task<ClientAssertion?> GetClientAssertionAsync(
+        ClientCredentialsClientName? clientName = null,
+        TokenRequestParameters? parameters = null,
+        CancellationToken ct = default)
+    {
+        var descriptor = new SecurityTokenDescriptor
+        {
+            Issuer = "dpop",
+            Audience = "https://identityserver/connect/token",
+            Expires = DateTime.UtcNow.AddMinutes(1),
+            SigningCredentials = credentials,
+            Claims = new Dictionary<string, object>
+            {
+                { JwtClaimTypes.JwtId, Guid.NewGuid().ToString() },
+                { JwtClaimTypes.Subject, "dpop" },
+                { JwtClaimTypes.IssuedAt, DateTimeOffset.UtcNow.ToUnixTimeSeconds() }
+            }
+        };
+
+        var jwt = new JsonWebTokenHandler().CreateToken(descriptor);
+
+        return Task.FromResult<ClientAssertion?>(new ClientAssertion
+        {
+            Type = OidcConstants.ClientAssertionTypes.JwtBearer,
+            Value = jwt
+        });
+    }
+}

access-token-management/test/AccessTokenManagement.Tests/Framework/AppHost.cs

@@ -22,21 +22,24 @@ public class AppHost : GenericHost
     private readonly IdentityServerHost _identityServerHost;
     private readonly ApiHost _apiHost;
     private readonly Action<UserTokenManagementOptions>? _configureUserTokenManagementOptions;
+    private readonly Action<IServiceCollection>? _configureServicesBeforeAtm;
 
     public AppHost(
         WriteTestOutput writeTestOutput,
         IdentityServerHost identityServerHost,
         ApiHost apiHost,
         string clientId,
         string baseAddress = "https://app",
-        Action<UserTokenManagementOptions>? configureUserTokenManagementOptions = null)
+        Action<UserTokenManagementOptions>? configureUserTokenManagementOptions = null,
+        Action<IServiceCollection>? configureServicesBeforeAtm = null)
         : base(writeTestOutput, baseAddress)
     {
         _identityServerHost = identityServerHost;
         _apiHost = apiHost;
         ClientId = clientId;
         ClientSecret = "secret";
         _configureUserTokenManagementOptions = configureUserTokenManagementOptions;
+        _configureServicesBeforeAtm = configureServicesBeforeAtm;
         OnConfigureServices += ConfigureServices;
         OnConfigure += Configure;
     }
@@ -106,6 +109,8 @@ private void ConfigureServices(IServiceCollection services)
                 options.ProtocolValidator.RequireNonce = false;
             });
 
+        _configureServicesBeforeAtm?.Invoke(services);
+
         services.AddOpenIdConnectAccessTokenManagement(opt =>
         {
             opt.UseChallengeSchemeScopedTokens = true;

access-token-management/test/AccessTokenManagement.Tests/Framework/IdentityServerHost.cs

@@ -66,7 +66,8 @@ private void ConfigureServices(IServiceCollection services)
             .AddInMemoryClients(Clients)
             .AddInMemoryIdentityResources(IdentityResources)
             .AddInMemoryApiResources(ApiResources)
-            .AddInMemoryApiScopes(ApiScopes);
+            .AddInMemoryApiScopes(ApiScopes)
+            .AddJwtBearerClientAuthentication();
     }
 
     private void Configure(IApplicationBuilder app)

access-token-management/test/AccessTokenManagement.Tests/Framework/IntegrationTestBase.cs

@@ -4,6 +4,7 @@
 using Duende.AccessTokenManagement.OpenIdConnect;
 using Duende.IdentityModel;
 using Duende.IdentityServer.Models;
+using Microsoft.Extensions.DependencyInjection;
 
 namespace Duende.AccessTokenManagement.Framework;
 
@@ -16,7 +17,11 @@ public abstract class IntegrationTestBase : IAsyncDisposable
     protected readonly ApiHost ApiHost;
     protected readonly AppHost AppHost;
 
-    protected IntegrationTestBase(ITestOutputHelper output, string clientId = "web", Action<UserTokenManagementOptions>? configureUserTokenManagementOptions = null)
+    protected IntegrationTestBase(
+        ITestOutputHelper output,
+        string clientId = "web",
+        Action<UserTokenManagementOptions>? configureUserTokenManagementOptions = null,
+        Action<IServiceCollection>? configureServicesBeforeAtm = null)
     {
         IdentityServerHost = new IdentityServerHost(output.WriteLine);
 
@@ -70,7 +75,7 @@ protected IntegrationTestBase(ITestOutputHelper output, string clientId = "web",
         });
 
         ApiHost = new ApiHost(output.WriteLine, IdentityServerHost, ["scope1", "scope2"]);
-        AppHost = new AppHost(output.WriteLine, IdentityServerHost, ApiHost, clientId, configureUserTokenManagementOptions: configureUserTokenManagementOptions);
+        AppHost = new AppHost(output.WriteLine, IdentityServerHost, ApiHost, clientId, configureUserTokenManagementOptions: configureUserTokenManagementOptions, configureServicesBeforeAtm: configureServicesBeforeAtm);
     }
 
     public virtual async ValueTask DisposeAsync()

access-token-management/test/AccessTokenManagement.Tests/UserTokenManagementWithDPoPTests.cs

@@ -39,7 +39,7 @@ public async Task dpop_token_refresh_should_succeed()
         // The DPoP proof token is valid for 1 second, and that validity is checked with the server nonce.
         // We have to wait 2 seconds to make sure our previous (from the initial login) nonce is no longer
         // valid. Ideally we would verify that we actually retried, but in this test we aren't mocking
-        // the http client so there isn't an obvious way to do that. However, the next test 
+        // the http client so there isn't an obvious way to do that. However, the next test
         // (dpop_nonce_is_respected_during_code_exchange) does exactly that.
         await Task.Delay(2000, _ct);
 
@@ -57,7 +57,7 @@ public async Task dpop_nonce_is_respected_during_code_exchange()
         var mockHttp = new MockHttpMessageHandler(BackendDefinitionBehavior.Always);
         AppHost.IdentityServerHttpHandler = mockHttp;
 
-        // Initial login request 
+        // Initial login request
         var initialTokenResponse = new
         {
             id_token = IdentityServerHost.CreateIdToken("1", "dpop"),