make sure the client assertion is also sent on par request

Author: Erwinvandervalk

access-token-management/samples/WebClientAssertions/Controllers/HomeController.cs

@@ -24,18 +24,6 @@ public class HomeController(IHttpClientFactory httpClientFactory, IUserTokenMana
     [AllowAnonymous]
     public IActionResult Login() => Challenge(new AuthenticationProperties { RedirectUri = "/" });
 
-    public async Task<IActionResult> CallApiAsUserManual()
-    {
-        var token = await tokenManager.GetAccessTokenAsync(User).GetToken();
-        var client = httpClientFactory.CreateClient();
-        client.SetBearerToken(token.AccessToken.ToString()!);
-
-        var response = await client.GetStringAsync("https://demo.duendesoftware.com/api/dpop/test");
-        ViewBag.Json = PrettyPrint(response);
-
-        return View("CallApi");
-    }
-
     public async Task<IActionResult> CallApiAsUserFactory()
     {
         var client = httpClientFactory.CreateClient("user_client");

access-token-management/samples/WebClientAssertions/Views/Home/Index.cshtml

@@ -12,8 +12,6 @@
 {
     <h3>Call API as User (DPoP + JWT assertion)</h3>
 
-    <a asp-controller="Home" asp-action="CallApiAsUserManual">Manual</a>
-    @("|")
     <a asp-controller="Home" asp-action="CallApiAsUserFactory">HTTP client factory</a>
     @("|")
     <a asp-controller="Home" asp-action="CallApiAsUserFactoryTyped">HTTP client factory (typed)</a>

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/ConfigureOpenIdConnectOptions.cs

@@ -59,6 +59,7 @@ public void Configure(string? name, OpenIdConnectOptions options)
             options.Events.OnRedirectToIdentityProvider = CreateCallback(options.Events.OnRedirectToIdentityProvider);
             options.Events.OnAuthorizationCodeReceived = CreateCallback(options.Events.OnAuthorizationCodeReceived);
             options.Events.OnTokenValidated = CreateCallback(options.Events.OnTokenValidated);
+            options.Events.OnPushAuthorization = CreateCallback(options.Events.OnPushAuthorization);
 
             options.BackchannelHttpHandler = new AuthorizationServerDPoPHandler(dPoPProofService, dPoPNonceStore, httpContextAccessor, loggerFactory)
             {
@@ -153,4 +154,26 @@ async Task Callback(TokenValidatedContext context)
 
         return Callback;
     }
+
+    private Func<PushedAuthorizationContext, Task> CreateCallback(Func<PushedAuthorizationContext, Task> inner)
+    {
+        async Task Callback(PushedAuthorizationContext context)
+        {
+            await inner.Invoke(context);
+
+            // --- Client assertion ---
+            var assertion = await clientAssertionService
+                .GetClientAssertionAsync(ClientName, ct: context.HttpContext.RequestAborted)
+                .ConfigureAwait(false);
+
+            if (assertion != null)
+            {
+                context.ProtocolMessage.ClientAssertionType = assertion.Type;
+                context.ProtocolMessage.ClientAssertion = assertion.Value;
+                context.HandleClientAuthentication();
+            }
+        }
+
+        return Callback;
+    }
 }

access-token-management/test/AccessTokenManagement.Tests/Framework/AppHost.cs

@@ -13,6 +13,7 @@
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.IdentityModel.Tokens;
 using RichardSzalay.MockHttp;
+using PushedAuthorizationBehavior = Microsoft.AspNetCore.Authentication.OpenIdConnect.PushedAuthorizationBehavior;
 
 namespace Duende.AccessTokenManagement.Framework;
 
@@ -21,6 +22,7 @@ public class AppHost : GenericHost
     public string ClientId;
     public string? ClientSecret;
     public SigningCredentials? ClientAssertionSigningCredentials { get; set; }
+    public PushedAuthorizationBehavior PushedAuthorizationBehavior { get; set; } = PushedAuthorizationBehavior.Disable;
 
     private readonly IdentityServerHost _identityServerHost;
     private readonly ApiHost _apiHost;
@@ -107,27 +109,13 @@ private void ConfigureServices(IServiceCollection services)
                 }
 
                 options.ProtocolValidator.RequireNonce = false;
+                options.PushedAuthorizationBehavior = PushedAuthorizationBehavior;
             });
 
         if (ClientAssertionSigningCredentials is { } assertionCredentials)
         {
             services.AddSingleton<IClientAssertionService>(
                 new JwtClientAssertionService(ClientId, assertionCredentials));
-
-            services.Configure<OpenIdConnectOptions>("oidc", opt =>
-            {
-                opt.Events.OnAuthorizationCodeReceived = async context =>
-                {
-                    var svc = context.HttpContext.RequestServices
-                        .GetRequiredService<IClientAssertionService>();
-                    var assertion = await svc.GetClientAssertionAsync(
-                        ClientCredentialsClientName.Parse(ClientId))
-                        ?? throw new InvalidOperationException("Client assertion is null");
-
-                    context.TokenEndpointRequest!.ClientAssertionType = assertion.Type;
-                    context.TokenEndpointRequest.ClientAssertion = assertion.Value;
-                };
-            });
         }
 
         services.AddOpenIdConnectAccessTokenManagement(opt =>

access-token-management/test/AccessTokenManagement.Tests/Framework/IdentityServerHost.cs

@@ -24,6 +24,8 @@ public IdentityServerHost(WriteTestOutput writeTestOutput, string baseAddress =
 
     public List<Client> Clients { get; } = [];
 
+    public bool EnablePar { get; set; }
+
     public List<IdentityResource> IdentityResources { get; } =
     [
         new IdentityResources.OpenId(),
@@ -41,6 +43,7 @@ public IdentityServerHost(WriteTestOutput writeTestOutput, string baseAddress =
 
     public List<Dictionary<string, string>> CapturedTokenRequests { get; } = [];
     public List<Dictionary<string, string>> CapturedRevocationRequests { get; } = [];
+    public List<Dictionary<string, string>> CapturedParRequests { get; } = [];
 
     private void ConfigureServices(IServiceCollection services)
     {
@@ -61,7 +64,7 @@ private void ConfigureServices(IServiceCollection services)
                 options.DPoP.ProofTokenValidityDuration = TimeSpan.FromSeconds(1);
 
                 // Disable PAR (this keeps test setup simple, and we don't need to integration test PAR here - it is covered by IdentityServer itself)
-                options.Endpoints.EnablePushedAuthorizationEndpoint = false;
+                options.Endpoints.EnablePushedAuthorizationEndpoint = EnablePar;
             })
             .AddInMemoryClients(Clients)
             .AddInMemoryIdentityResources(IdentityResources)
@@ -90,6 +93,14 @@ private void Configure(IApplicationBuilder app)
                     kvp => kvp.Value.ToString());
                 CapturedRevocationRequests.Add(capturedData);
             }
+            else if (ctx.Request.Path == "/connect/par" && ctx.Request.Method == "POST")
+            {
+                var form = await ctx.Request.ReadFormAsync();
+                var capturedData = form.ToDictionary(
+                    kvp => kvp.Key,
+                    kvp => kvp.Value.ToString());
+                CapturedParRequests.Add(capturedData);
+            }
 
             await next();
         });

access-token-management/test/AccessTokenManagement.Tests/Framework/IntegrationTestBase.cs

@@ -97,6 +97,49 @@ protected IntegrationTestBase(
             AccessTokenLifetime = 10
         });
 
+        IdentityServerHost.Clients.Add(new Client
+        {
+            ClientId = "par-assertion",
+            ClientSecrets =
+            {
+                new Secret
+                {
+                    Type = IdentityServerConstants.SecretTypes.JsonWebKey,
+                    Value = BuildPublicJwk(ClientAssertionPrivateJwk)
+                }
+            },
+            AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
+            RedirectUris = { "https://app/signin-oidc" },
+            PostLogoutRedirectUris = { "https://app/signout-callback-oidc" },
+            AllowOfflineAccess = true,
+            AllowedScopes = { "openid", "profile", "scope1", "scope2" },
+            RequirePushedAuthorization = true,
+            AccessTokenLifetime = 10
+        });
+
+        IdentityServerHost.Clients.Add(new Client
+        {
+            ClientId = "par-dpop-assertion",
+            ClientSecrets =
+            {
+                new Secret
+                {
+                    Type = IdentityServerConstants.SecretTypes.JsonWebKey,
+                    Value = BuildPublicJwk(ClientAssertionPrivateJwk)
+                }
+            },
+            AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
+            RedirectUris = { "https://app/signin-oidc" },
+            PostLogoutRedirectUris = { "https://app/signout-callback-oidc" },
+            AllowOfflineAccess = true,
+            AllowedScopes = { "openid", "profile", "scope1", "scope2" },
+            RequirePushedAuthorization = true,
+            RequireDPoP = true,
+            DPoPValidationMode = DPoPTokenExpirationValidationMode.Nonce,
+            DPoPClockSkew = TimeSpan.FromMilliseconds(10),
+            AccessTokenLifetime = 10
+        });
+
         ApiHost = new ApiHost(output.WriteLine, IdentityServerHost, ["scope1", "scope2"]);
         AppHost = new AppHost(output.WriteLine, IdentityServerHost, ApiHost, clientId, configureUserTokenManagementOptions: configureUserTokenManagementOptions);
     }

access-token-management/test/AccessTokenManagement.Tests/PARWithClientAssertionsTests.cs

@@ -0,0 +1,175 @@
+// Copyright (c) Duende Software. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using System.Net.Http.Json;
+using Duende.AccessTokenManagement.DPoP;
+using Duende.AccessTokenManagement.Framework;
+using Duende.IdentityModel;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.IdentityModel.Tokens;
+using JsonWebKey = Microsoft.IdentityModel.Tokens.JsonWebKey;
+
+namespace Duende.AccessTokenManagement;
+
+/// <summary>
+/// Tests that client assertions are sent on Pushed Authorization Requests (PAR).
+/// </summary>
+public sealed class PARWithClientAssertionsTests : IntegrationTestBase
+{
+    private readonly CancellationToken _ct = TestContext.Current.CancellationToken;
+
+    public PARWithClientAssertionsTests(ITestOutputHelper output)
+        : base(output, "par-assertion")
+    {
+        IdentityServerHost.EnablePar = true;
+        AppHost.PushedAuthorizationBehavior = PushedAuthorizationBehavior.Require;
+        AppHost.ClientAssertionSigningCredentials =
+            new SigningCredentials(new JsonWebKey(ClientAssertionPrivateJwk), "RS256");
+    }
+
+    [Fact]
+    public async Task LoginWithPARAndClientAssertionsShouldSucceed()
+    {
+        await InitializeAsync();
+
+        await AppHost.LoginAsync("alice");
+
+        // Verify PAR request contained client assertion
+        var parRequest = IdentityServerHost.CapturedParRequests
+            .FirstOrDefault();
+        parRequest.ShouldNotBeNull("Expected a PAR request to be captured");
+        parRequest.ShouldContainKeyAndValue(OidcConstants.TokenRequest.ClientAssertionType,
+            OidcConstants.ClientAssertionTypes.JwtBearer);
+        parRequest.ShouldContainKey(OidcConstants.TokenRequest.ClientAssertion);
+
+        // Verify token exchange also used client assertion
+        var codeExchangeRequest = IdentityServerHost.CapturedTokenRequests
+            .FirstOrDefault(r => r.TryGetValue("grant_type", out var gt) && gt == "authorization_code");
+        codeExchangeRequest.ShouldNotBeNull();
+        codeExchangeRequest.ShouldContainKeyAndValue(OidcConstants.TokenRequest.ClientAssertionType,
+            OidcConstants.ClientAssertionTypes.JwtBearer);
+        codeExchangeRequest.ShouldContainKey(OidcConstants.TokenRequest.ClientAssertion);
+    }
+
+    [Fact]
+    public async Task RefreshWithPARAndClientAssertionsShouldSucceed()
+    {
+        await InitializeAsync();
+        await AppHost.LoginAsync("alice");
+
+        // This forces a refresh (token lifetime is 10s, within RefreshBeforeExpiration window)
+        var response = await AppHost.BrowserClient.GetAsync(AppHost.Url("/user_token"), _ct);
+        var token = await response.Content.ReadFromJsonAsync<UserTokenModel>(_ct);
+        token.ShouldNotBeNull();
+
+        // Verify refresh token request used client assertions
+        var refreshRequests = IdentityServerHost.CapturedTokenRequests
+            .Where(r => r.TryGetValue("grant_type", out var gt) && gt == "refresh_token")
+            .ToList();
+        refreshRequests.ShouldNotBeEmpty();
+        foreach (var req in refreshRequests)
+        {
+            req.ShouldContainKeyAndValue(OidcConstants.TokenRequest.ClientAssertionType,
+                OidcConstants.ClientAssertionTypes.JwtBearer);
+            req.ShouldContainKey(OidcConstants.TokenRequest.ClientAssertion);
+        }
+    }
+}
+
+/// <summary>
+/// Tests that both client assertions AND DPoP thumbprint are sent on PAR requests.
+/// </summary>
+public sealed class PARWithDPoPAndClientAssertionsTests : IntegrationTestBase
+{
+    private readonly CancellationToken _ct = TestContext.Current.CancellationToken;
+
+    public PARWithDPoPAndClientAssertionsTests(ITestOutputHelper output)
+        : base(output, "par-dpop-assertion",
+            configureUserTokenManagementOptions: opt => { opt.DPoPJsonWebKey = DPoPProofKey.Parse(DPoPPrivateJwk); })
+    {
+        IdentityServerHost.EnablePar = true;
+        AppHost.PushedAuthorizationBehavior = PushedAuthorizationBehavior.Require;
+        AppHost.ClientAssertionSigningCredentials =
+            new SigningCredentials(new JsonWebKey(ClientAssertionPrivateJwk), "RS256");
+    }
+
+    [Fact]
+    public async Task LoginWithPARDPoPAndClientAssertionsShouldSucceed()
+    {
+        await InitializeAsync();
+
+        await AppHost.LoginAsync("alice");
+
+        // Verify PAR request contained client assertion AND DPoP thumbprint
+        var parRequest = IdentityServerHost.CapturedParRequests
+            .FirstOrDefault();
+        parRequest.ShouldNotBeNull("Expected a PAR request to be captured");
+        parRequest.ShouldContainKeyAndValue(OidcConstants.TokenRequest.ClientAssertionType,
+            OidcConstants.ClientAssertionTypes.JwtBearer);
+        parRequest.ShouldContainKey(OidcConstants.TokenRequest.ClientAssertion);
+        parRequest.ShouldContainKey(OidcConstants.AuthorizeRequest.DPoPKeyThumbprint);
+
+        // Verify we got a DPoP token back
+        var response = await AppHost.BrowserClient.GetAsync(AppHost.Url("/user_token"), _ct);
+        var token = await response.Content.ReadFromJsonAsync<UserTokenModel>(_ct);
+        token.ShouldNotBeNull();
+        token.AccessTokenType.ShouldBe("DPoP");
+    }
+
+    [Fact]
+    public async Task RefreshWithPARDPoPAndClientAssertionsShouldSucceed()
+    {
+        // Use always-null nonce store so the server always issues a nonce challenge,
+        // guaranteeing the DPoP nonce retry deterministically (no wall-clock dependency).
+        AppHost.OnConfigureServices += services =>
+            services.AddSingleton<IDPoPNonceStore>(new TestDPoPNonceStore());
+
+        await InitializeAsync();
+        await AppHost.LoginAsync("alice");
+
+        // This forces a refresh (token lifetime is 10s, within RefreshBeforeExpiration window)
+        var response = await AppHost.BrowserClient.GetAsync(AppHost.Url("/user_token"), _ct);
+        var token = await response.Content.ReadFromJsonAsync<UserTokenModel>(_ct);
+        token.ShouldNotBeNull();
+        token.AccessTokenType.ShouldBe("DPoP");
+
+        // Verify refresh token requests used client assertions
+        var refreshRequests = IdentityServerHost.CapturedTokenRequests
+            .Where(r => r.TryGetValue("grant_type", out var gt) && gt == "refresh_token")
+            .ToList();
+        refreshRequests.ShouldNotBeEmpty();
+        foreach (var req in refreshRequests)
+        {
+            req.ShouldContainKeyAndValue(OidcConstants.TokenRequest.ClientAssertionType,
+                OidcConstants.ClientAssertionTypes.JwtBearer);
+            req.ShouldContainKey(OidcConstants.TokenRequest.ClientAssertion);
+        }
+
+        // Nonce retry must have occurred
+        refreshRequests.Count.ShouldBe(2, "Expected exactly 2 refresh requests (initial + DPoP nonce retry)");
+
+        var assertions = refreshRequests
+            .Select(r => r[OidcConstants.TokenRequest.ClientAssertion])
+            .ToList();
+        assertions.Distinct().Count().ShouldBe(assertions.Count,
+            "Client assertions must be unique across DPoP nonce retries during refresh");
+    }
+
+    private const string DPoPPrivateJwk =
+        """
+        {
+            "kty":"RSA",
+            "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
+            "e":"AQAB",
+            "d":"X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q",
+            "p":"83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs",
+            "q":"3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk",
+            "dp":"G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0",
+            "dq":"s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk",
+            "qi":"GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU",
+            "alg":"RS256",
+            "kid":"2011-04-29"
+        }
+        """;
+}