New factory to create client assertions on demand

This allows for DPoP retries to obtain a fresh client assertion, which
is required when the AS uses nonces and rejects reused assertions.

Author: josephdecock

fix.md

@@ -0,0 +1,109 @@
+## Summary
+
+When a token endpoint returns a DPoP nonce (401 with `DPoP-Nonce` header), `ProofTokenMessageHandler` retries the request using the **same request object**, which carries the **same `ClientAssertion`** (same `jti`, `iat`, etc.). Servers that enforce client assertion uniqueness (e.g. HelseID) reject the retry as a replay.
+
+Reported in: https://github.com/DuendeSoftware/foss/issues/323
+
+## Root Cause
+
+The retry path in `ProofTokenMessageHandler.SendAsync()` reuses the original `HttpRequestMessage`. The `ClientAssertion` is set once at request creation time (e.g. in `ResponseProcessor.RedeemCodeAsync()`) and never regenerated for the retry.
+
+Additionally, `ProtocolRequest.Clone<T>()` copies `ClientAssertion` **by reference** (shallow copy), so even cloned requests share the same assertion object — though the real issue is the JWT string itself being identical.
+
+### Call chain
+
+```
+ResponseProcessor.RedeemCodeAsync()
+  → AuthorizationCodeTokenRequest created with ClientAssertion (fetched once)
+    → HttpClientTokenRequestExtensions clones via ProtocolRequest.Clone<T>()
+      → Clone() shallow-copies ClientAssertion
+        → ProofTokenMessageHandler.SendAsync() retries on DPoP nonce
+          → Same ClientAssertion reused on retry ← BUG
+```
+
+## Affected Code
+
+| File | Package | Role |
+|------|---------|------|
+| `ProofTokenMessageHandler.cs` (L42-44) | oidc-client-extensions | Retries request with same object on DPoP nonce |
+| `ProtocolRequest.cs` (L103) | identity-model | `Clone()` shallow-copies `ClientAssertion` |
+| `ResponseProcessor.cs` (L184) | oidc-client | Sets client assertion once at request creation |
+| `HttpClientTokenRequestExtensions.cs` | identity-model | Calls `Clone()` + `Prepare()` on all token requests |
+| `AuthorizationServerDPoPHandler.cs` | access-token-management | Same retry pattern, same bug |
+
+## Scope
+
+Affects **all token request types** using client assertions + DPoP:
+- Authorization code exchange
+- Refresh token requests
+- Client credentials requests
+- PAR requests
+- Device authorization
+
+## Expected Behavior
+
+Each token request attempt (including DPoP nonce retries) should use a **unique client assertion** with a fresh `jti` and `iat`, per RFC 7521 §4.2.
+
+---
+
+## Proposed Fix: Factory on `HttpRequestMessage.Options` (Strategy C)
+
+### Approach
+
+Add a `ClientAssertionFactory` (`Func<Task<ClientAssertion>>?`) property to `ProtocolRequest` that flows through `Clone()` → `Prepare()` → `HttpRequestMessage.Options` → handler chain. On DPoP nonce retry, `ProofTokenMessageHandler` checks for the factory, calls it to get a fresh assertion, and rebuilds the form body.
+
+### Why this strategy
+
+- **Backward compatible** — additive only, defaults to null, no behavioral change when unset
+- **Minimal coupling** — the handler only needs to know about `client_assertion` / `client_assertion_type` form fields
+- **Uses standard .NET patterns** — `HttpRequestMessage.Options` is the idiomatic way to pass data through handler chains
+- **Works at the right level** — the factory is set by callers who have access to key material, and consumed by the handler that performs the retry
+
+### Alternatives considered and rejected
+
+| Strategy | Why rejected |
+|----------|-------------|
+| A: Pass factory directly to handler constructor | Handler is a `DelegatingHandler` — can't easily access per-request assertion factories |
+| B: Call `Prepare()` again on retry | `Prepare()` is not idempotent (double-adds parameters) and is synchronous |
+| D: Move retry to callers | Major architectural change, duplicates retry logic across all callers |
+
+### Implementation tasks
+
+#### identity-model
+
+- [ ] Add `Func<Task<ClientAssertion>>? ClientAssertionFactory` property to `ProtocolRequest`
+- [ ] Copy `ClientAssertionFactory` in `Clone<T>()`
+- [ ] Define a public `HttpRequestOptionsKey` for the factory (e.g. `ProtocolRequestOptions.ClientAssertionFactory`)
+- [ ] Store the factory on `HttpRequestMessage.Options` in `RequestTokenAsync()` after `Prepare()`
+- [ ] Also store in `PushAuthorizationAsync()` for PAR flow
+- [ ] Update public API verification snapshot
+
+#### identity-model-oidc-client
+
+- [ ] Update `ProofTokenMessageHandler.SendAsync()` retry path to:
+  1. Check for factory in `request.Options`
+  2. Call factory to get fresh `ClientAssertion`
+  3. Parse existing form body as `IEnumerable<KeyValuePair<string, string>>` (preserving duplicate keys)
+  4. Replace `client_assertion` and `client_assertion_type` values
+  5. Rebuild `FormUrlEncodedContent`
+- [ ] Wire `ClientAssertionFactory` in `ResponseProcessor.RedeemCodeAsync()`
+- [ ] Wire `ClientAssertionFactory` in `OidcClient.RefreshTokenAsync()`
+- [ ] Wire `ClientAssertionFactory` in `AuthorizeClient.PushAuthorizationRequestAsync()`
+
+#### access-token-management
+
+- [ ] Fix `AuthorizationServerDPoPHandler` retry path (same pattern as `ProofTokenMessageHandler`)
+- [ ] Evaluate `ClientCredentialsTokenClient` and `OpenIdConnectUserTokenEndpoint` retry paths — they reuse the same `request.ClientAssertion` value across retries
+
+#### Tests
+
+- [ ] Unit test: `ProofTokenMessageHandler` uses fresh assertion on DPoP nonce retry
+- [ ] Unit test: `Clone<T>()` preserves `ClientAssertionFactory`
+- [ ] Unit test: backward compatibility — no factory set, behavior unchanged
+- [ ] Integration test: end-to-end DPoP + client assertion with nonce enforcement
+
+### Implementation notes
+
+- Form body parsing on retry **must** use `IEnumerable<KeyValuePair<string, string>>`, not a dictionary — dictionaries collapse duplicate keys like `resource` (identified during security review)
+- Both `client_assertion` and `client_assertion_type` should be replaced from the factory result to guard against type mismatches
+- `FormUrlEncodedContent` buffers internally, so `ReadAsStringAsync()` works after the first send

foss.slnx

@@ -50,6 +50,7 @@
     <File Path="identity-model/README.md" />
   </Folder>
   <Folder Name="/identity-model/samples/">
+    <Project Path="identity-model/samples/ClientAssertions/ClientAssertions.csproj" />
     <Project Path="identity-model/samples/HttpClientFactory/HttpClientFactory.csproj" />
   </Folder>
   <Folder Name="/identity-model/src/">

identity-model-oidc-client/clients/ConsoleClientWithBrowser/Program.cs

@@ -12,7 +12,7 @@
 using Serilog;
 using Serilog.Sinks.SystemConsole.Themes;
 
-namespace ConsoleClientWithBrowser;
+namespace NetCoreConsoleClient;
 
 public class Program
 {

identity-model-oidc-client/clients/ConsoleClientWithBrowser/SystemBrowser.cs

@@ -10,7 +10,7 @@
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
 
-namespace ConsoleClientWithBrowser;
+namespace NetCoreConsoleClient;
 
 public class SystemBrowser : IBrowser
 {

identity-model-oidc-client/samples/NetCoreConsoleClient/src/NetCoreConsoleClient/ClientAssertionService.cs

@@ -0,0 +1,65 @@
+// Copyright (c) Duende Software. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using NetCoreConsoleClient;
+using Duende.IdentityModel;
+using Duende.IdentityModel.Client;
+using Microsoft.IdentityModel.JsonWebTokens;
+using Microsoft.IdentityModel.Tokens;
+
+public class ClientAssertionService
+{
+    private static string RsaKey =
+        """
+        {
+            "d":"GmiaucNIzdvsEzGjZjd43SDToy1pz-Ph-shsOUXXh-dsYNGftITGerp8bO1iryXh_zUEo8oDK3r1y4klTonQ6bLsWw4ogjLPmL3yiqsoSjJa1G2Ymh_RY_sFZLLXAcrmpbzdWIAkgkHSZTaliL6g57vA7gxvd8L4s82wgGer_JmURI0ECbaCg98JVS0Srtf9GeTRHoX4foLWKc1Vq6NHthzqRMLZe-aRBNU9IMvXNd7kCcIbHCM3GTD_8cFj135nBPP2HOgC_ZXI1txsEf-djqJj8W5vaM7ViKU28IDv1gZGH3CatoysYx6jv1XJVvb2PH8RbFKbJmeyUm3Wvo-rgQ",
+            "dp":"YNjVBTCIwZD65WCht5ve06vnBLP_Po1NtL_4lkholmPzJ5jbLYBU8f5foNp8DVJBdFQW7wcLmx85-NC5Pl1ZeyA-Ecbw4fDraa5Z4wUKlF0LT6VV79rfOF19y8kwf6MigyrDqMLcH_CRnRGg5NfDsijlZXffINGuxg6wWzhiqqE",
+            "dq":"LfMDQbvTFNngkZjKkN2CBh5_MBG6Yrmfy4kWA8IC2HQqID5FtreiY2MTAwoDcoINfh3S5CItpuq94tlB2t-VUv8wunhbngHiB5xUprwGAAnwJ3DL39D2m43i_3YP-UO1TgZQUAOh7Jrd4foatpatTvBtY3F1DrCrUKE5Kkn770M",
+            "e":"AQAB",
+            "kid":"ZzAjSnraU3bkWGnnAqLapYGpTyNfLbjbzgAPbbW2GEA",
+            "kty":"RSA",
+            "n":"wWwQFtSzeRjjerpEM5Rmqz_DsNaZ9S1Bw6UbZkDLowuuTCjBWUax0vBMMxdy6XjEEK4Oq9lKMvx9JzjmeJf1knoqSNrox3Ka0rnxXpNAz6sATvme8p9mTXyp0cX4lF4U2J54xa2_S9NF5QWvpXvBeC4GAJx7QaSw4zrUkrc6XyaAiFnLhQEwKJCwUw4NOqIuYvYp_IXhw-5Ti_icDlZS-282PcccnBeOcX7vc21pozibIdmZJKqXNsL1Ibx5Nkx1F1jLnekJAmdaACDjYRLL_6n3W4wUp19UvzB1lGtXcJKLLkqB6YDiZNu16OSiSprfmrRXvYmvD8m6Fnl5aetgKw",
+            "p":"7enorp9Pm9XSHaCvQyENcvdU99WCPbnp8vc0KnY_0g9UdX4ZDH07JwKu6DQEwfmUA1qspC-e_KFWTl3x0-I2eJRnHjLOoLrTjrVSBRhBMGEH5PvtZTTThnIY2LReH-6EhceGvcsJ_MhNDUEZLykiH1OnKhmRuvSdhi8oiETqtPE",
+            "q":"0CBLGi_kRPLqI8yfVkpBbA9zkCAshgrWWn9hsq6a7Zl2LcLaLBRUxH0q1jWnXgeJh9o5v8sYGXwhbrmuypw7kJ0uA3OgEzSsNvX5Ay3R9sNel-3Mqm8Me5OfWWvmTEBOci8RwHstdR-7b9ZT13jk-dsZI7OlV_uBja1ny9Nz9ts",
+            "qi":"pG6J4dcUDrDndMxa-ee1yG4KjZqqyCQcmPAfqklI2LmnpRIjcK78scclvpboI3JQyg6RCEKVMwAhVtQM6cBcIO3JrHgqeYDblp5wXHjto70HVW6Z8kBruNx1AH9E8LzNvSRL-JVTFzBkJuNgzKQfD0G77tQRgJ-Ri7qu3_9o1M4"
+        }
+        """;
+
+    private static SigningCredentials Credential = new(new JsonWebKey(RsaKey), "RS256");
+
+    public static Task<ClientAssertion> Create(CancellationToken ct = default)
+    {
+        var descriptor = new SecurityTokenDescriptor
+        {
+            Issuer = Configuration.ClientId,
+
+            // Don't use the TokenEndpoint here. Use the Authority as the audience.
+            // You may expose yourself to a vulnerability, as described in the document below:
+            // https://openid.net/wp-content/uploads/2025/01/OIDF-Responsible-Disclosure-Notice-on-Security-Vulnerability-for-private_key_jwt.pdf
+            Audience = Configuration.Authority,
+            Expires = DateTime.UtcNow.AddMinutes(1),
+            SigningCredentials = Credential,
+
+            Claims = new Dictionary<string, object>
+            {
+                { JwtClaimTypes.JwtId, Guid.NewGuid().ToString() },
+                { JwtClaimTypes.Subject, Configuration.ClientId },
+                { JwtClaimTypes.IssuedAt, DateTimeOffset.UtcNow.ToUnixTimeSeconds() }
+            },
+
+            AdditionalHeaderClaims = new Dictionary<string, object>
+            {
+                { JwtClaimTypes.TokenType, "client-authentication+jwt" }
+            }
+        };
+
+        var handler = new JsonWebTokenHandler();
+        var jwt = handler.CreateToken(descriptor);
+
+        return Task.FromResult(new ClientAssertion
+        {
+            Type = OidcConstants.ClientAssertionTypes.JwtBearer,
+            Value = jwt
+        });
+    }
+}

identity-model-oidc-client/samples/NetCoreConsoleClient/src/NetCoreConsoleClient/NetCoreConsoleClient.csproj

@@ -11,7 +11,8 @@
 	  <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
     <PackageReference Include="Serilog.Extensions.Logging" Version="8.0.0" />
     <PackageReference Include="Serilog.Sinks.Console" Version="5.0.1" />
-    <PackageReference Include="Duende.IdentityModel.OidcClient" Version="6.0.0" />
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.16.0" />
+    <ProjectReference Include="../../../../src/IdentityModel.OidcClient.Extensions/IdentityModel.OidcClient.Extensions.csproj" />
   </ItemGroup>
 
 </Project>