Description
Describe the bug?
In 9.2.2 and 10.0.1, calling GroupsApi.ListGroupUsers with a known existing group id when using private key authentication results in an empty (zero-length) 400 Bad Request response, resulting in:
Okta.Sdk.Client.ApiException: Error calling OktaPagedCollectionEnumerator:
What is expected to happen?
200 OK response with list of group members
What is the actual behavior?
400 bad request with empty body
Reproduction Steps?
A simple test repo is at https://github.com/klightspeed/OktaOAuthTest
Output:
$ dotnet run
Dotnet version: 10.0.1
Okta SDK Version: 10.0.1.0
Requesting first group
Sending GET https://«REDACTED».okta.com/api/v1/groups?limit=1
Authorization: DPoP
Authorization.Header: {
"kid": "«REDACTED»",
"typ": "application/okta-internal-at+jwt",
"alg": "RS256"
}
Authorization.Payload: {
"ver": 1,
"jti": "«REDACTED»",
"iss": "https://«REDACTED».okta.com",
"aud": "https://«REDACTED».okta.com",
"sub": "«REDACTED»",
"iat": 1765443910,
"exp": 1765447510,
"cid": "«REDACTED»",
"scp": [
"okta.users.read",
"okta.groups.read",
"okta.apps.read",
"okta.logs.read"
],
"cnf": {
"jkt": "«REDACTED»"
}
}
DPoP.Header: {
"alg": "RS256",
"typ": "dpop+jwt",
"jwk": {
"kty": "RSA",
"e": "AQAB",
"n": "«REDACTED»"
}
}
DPoP.Payload: {
"htm": "GET",
"htu": "https://«REDACTED».okta.com/api/v1/groups",
"iat": 1765443910,
"jti": "8d643b69-3da5-4adf-b80f-2fb536caf346",
"ath": "«REDACTED»"
}
Got 200 OK with Content-Type: application/json and Content-Length:
Requesting members via client
Sending GET https://«REDACTED».okta.com/api/v1/groups/00gy1fl39hYNvpSJ9697/users
Authorization: DPoP
Authorization.Header: {
"kid": "«REDACTED»",
"typ": "application/okta-internal-at+jwt",
"alg": "RS256"
}
Authorization.Payload: {
"ver": 1,
"jti": "«REDACTED»",
"iss": "https://«REDACTED».okta.com",
"aud": "https://«REDACTED».okta.com",
"sub": "«REDACTED»",
"iat": 1765443910,
"exp": 1765447510,
"cid": "«REDACTED»",
"scp": [
"okta.users.read",
"okta.groups.read",
"okta.apps.read",
"okta.logs.read"
],
"cnf": {
"jkt": "«REDACTED»"
}
}
DPoP.Header: {
"alg": "RS256",
"typ": "dpop+jwt",
"jwk": {
"kty": "RSA",
"e": "AQAB",
"n": "«REDACTED»"
}
}
DPoP.Payload: {
"htm": "GET",
"htu": "https://«REDACTED».okta.com/api/v1/groups/00gy1fl39hYNvpSJ9697/users",
"iat": 1765443911,
"jti": "d5f50e5b-208b-464e-8c74-7e4f59813fa3",
"ath": "«REDACTED»"
}
Got 200 OK with Content-Type: application/json and Content-Length:
Requesting membes via GroupApi
Sending GET https://«REDACTED».okta.com/api/v1/groups/00gy1fl39hYNvpSJ9697/users
Authorization: DPoP
Authorization.Header: {
"kid": "«REDACTED»",
"typ": "application/okta-internal-at+jwt",
"alg": "RS256"
}
Authorization.Payload: {
"ver": 1,
"jti": "«REDACTED»",
"iss": "https://«REDACTED».okta.com",
"aud": "https://«REDACTED».okta.com",
"sub": "«REDACTED»",
"iat": 1765443910,
"exp": 1765447510,
"cid": "«REDACTED»",
"scp": [
"okta.users.read",
"okta.groups.read",
"okta.apps.read",
"okta.logs.read"
],
"cnf": {
"jkt": "«REDACTED»"
}
}
DPoP.Header: {
"alg": "RS256",
"typ": "dpop+jwt",
"jwk": {
"kty": "RSA",
"e": "AQAB",
"n": "«REDACTED»"
}
}
DPoP.Payload: {
"htm": "GET",
"htu": "https://«REDACTED».okta.com/api/v1/groups/%7BgroupId%7D/users",
"iat": 1765443912,
"jti": "d39bc722-5434-4cf5-a050-ccc87c579bdd",
"ath": "«REDACTED»"
}
Got 400 Bad Request with Content-Type: and Content-Length: 0
Unhandled exception. Okta.Sdk.Client.ApiException: Error calling OktaPagedCollectionEnumerator:
at Okta.Sdk.Client.OktaPagedCollectionEnumerator`1.MoveNextAsync()
at Okta.Sdk.Client.OktaCollectionAsyncEnumerator`1.MoveNextAsync()
at System.Linq.AsyncEnumerable.<ToListAsync>g__Impl|188_0[TSource](ConfiguredCancelableAsyncEnumerable`1 source)
at System.Linq.AsyncEnumerable.<ToListAsync>g__Impl|188_0[TSource](ConfiguredCancelableAsyncEnumerable`1 source)
at Program.<Main>$(String[] args) in C:\Users\bpeddell\source\repos\TestOkta\TestOkta\Program.cs:line 52
at Program.<Main>(String[] args)
Additional Information?
As shown in the repro above, it appears that, at least for this method, the URL template before path parameters are replaced is being used as the htu attribute in the DPoP JWT payload.
.NET Version
$ dotnet --version
10.0.101
SDK Version
Okta SDK Version: 10.0.1.0
OS version
$ wmic os get Caption, Version, BuildNumber, OSArchitecture
BuildNumber Caption OSArchitecture Version
26200 Microsoft Windows 11 Education 64-bit 10.0.26200
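The repro log shows the third request carrying `htu` = `.../groups/%7BgroupId%7D/users` while the request actually went to `.../groups/00gy1fl39hYNvpSJ9697/users`. Under RFC 9449 the resource server compares the proof's `htu` with the URI it received (scheme, host and path, query and fragment stripped), so a proof built from the unresolved template cannot validate, which is consistent with the empty 400. The following is an added example, not code from the Okta SDK or from the reporter's test repo: it builds the DPoP proof claims from the resolved URL, rebuilds the buggy claims from the unreplaced template, and runs the resource-server-side claim checks that precede signature verification. The host `example.okta.com`, the access token string, and the function names are assumptions made for the example; signing and signature verification of the proof JWT are left out to keep it dependency-free.

```python
"""DPoP proof claims (RFC 9449) built from the resolved vs. the template URL.

Added illustration; not Okta SDK code. Signature handling is omitted on purpose:
the claim checks below are what reject a proof whose htu does not match the request.
"""
import base64
import hashlib
import time
import uuid
from urllib.parse import quote, urlsplit, urlunsplit


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used for the ath claim."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def access_token_hash(access_token: str) -> str:
    """ath claim: base64url(SHA-256(ASCII bytes of the access token))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def resolve_path(template: str, params: dict) -> str:
    """Substitute {name} placeholders, percent-encoding every value."""
    path = template
    for name, value in params.items():
        path = path.replace("{" + name + "}", quote(str(value), safe=""))
    return path


def htu_for(url: str) -> str:
    """htu is the target URI without query and fragment (RFC 9449 4.2)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


def dpop_claims(method: str, url: str, access_token: str, now=None) -> dict:
    """Proof payload a client should send for one request."""
    return {
        "htm": method.upper(),
        "htu": htu_for(url),
        "iat": int(now if now is not None else time.time()),
        "jti": str(uuid.uuid4()),
        "ath": access_token_hash(access_token),
    }


def check_proof(claims: dict, method: str, request_url: str, access_token: str,
                now=None, max_age: int = 300) -> list:
    """Resource-server checks on the proof claims. Returns the names of the
    failed checks; an empty list means the claims match the request."""
    now = int(now if now is not None else time.time())
    failures = []
    if claims.get("htm") != method.upper():
        failures.append("htm")
    if claims.get("htu") != htu_for(request_url):
        failures.append("htu")
    if claims.get("ath") != access_token_hash(access_token):
        failures.append("ath")
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + 60):
        failures.append("iat")
    if not claims.get("jti"):
        failures.append("jti")
    return failures


def demo() -> dict:
    """Reproduce the mismatch from the issue with constructed inputs."""
    base = "https://example.okta.com"          # assumed host
    template = "/api/v1/groups/{groupId}/users"
    params = {"groupId": "00gy1fl39hYNvpSJ9697"}
    token = "constructed.access.token"          # constructed, not a real token
    now = 1765443912
    request_url = base + resolve_path(template, params)

    good = dpop_claims("GET", request_url, token, now)
    # The bug: the proof is built from the template before path parameters are
    # substituted, so the braces get percent-encoded into the htu.
    bad = dpop_claims("GET", base + quote(template, safe="/"), token, now)

    return {
        "request_url": request_url,
        "good_htu": good["htu"],
        "bad_htu": bad["htu"],
        "good_failures": check_proof(good, "GET", request_url, token, now),
        "bad_failures": check_proof(bad, "GET", request_url, token, now),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`demo()` reports no failures for the proof built from the resolved URL and a single `htu` failure for the one built from the template, which is the same mismatch visible between the `Sending GET` line and the `htu` value in the third request of the log. Note that a correct `htu` for the first request drops the `?limit=1` query string.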