changes made together with Joe

implemented some convention tests

Author: Erwinvandervalk

access-token-management/perf/Perf.TokenEndpoint/Program.cs

@@ -89,7 +89,7 @@
 
 app.MapGet("/ok", () => "ok");
 
-app.MapGet("/token", async (IClientCredentialsTokenManagementService svc, CancellationToken ct) =>
+app.MapGet("/token", async (IClientCredentialsTokenManager svc, CancellationToken ct) =>
 {
     return await svc.GetAccessTokenAsync("c1");
 });

access-token-management/samples/Web/Controllers/HomeController.cs

@@ -15,13 +15,13 @@ namespace Web.Controllers;
 public class HomeController : Controller
 {
     private readonly IHttpClientFactory _httpClientFactory;
-    private readonly IUserTokenManagementService _tokenManagementService;
+    private readonly IUserTokenManager _tokenManager;
     private readonly SampleConfiguration _configuration;
 
-    public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManagementService tokenManagementService, IOptions<SampleConfiguration> options)
+    public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManager tokenManager, IOptions<SampleConfiguration> options)
     {
         _httpClientFactory = httpClientFactory;
-        _tokenManagementService = tokenManagementService;
+        _tokenManager = tokenManager;
         _configuration = options.Value;
     }
 
@@ -34,7 +34,7 @@ public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManagement
 
     public async Task<IActionResult> CallApiAsUserManual()
     {
-        UserToken token = await _tokenManagementService.GetAccessTokenAsync(User);
+        UserToken token = await _tokenManager.GetAccessTokenAsync(User);
         var client = _httpClientFactory.CreateClient();
         client.SetToken(token.AccessTokenType?.ToScheme().ToString()!, token.AccessToken.ToString());
 

access-token-management/samples/Web/Startup.cs

@@ -3,7 +3,7 @@
 
 using System.Security.Cryptography;
 using System.Text.Json;
-using Duende.AccessTokenManagement;
+using Duende.AccessTokenManagement.DPoP;
 using Duende.AccessTokenManagement.OpenIdConnect;
 
 using Microsoft.IdentityModel.Tokens;
@@ -79,7 +79,7 @@ internal static WebApplication ConfigureServices(this WebApplicationBuilder buil
         builder.Services.AddOpenIdConnectAccessTokenManagement(options =>
         {
             var useDPoP = builder.Configuration.GetValue<bool>("UseDPoP");
-            options.DPoPJsonWebKey = useDPoP ? DPoPJsonWebKey.Parse(jwk) : null;
+            options.DPoPJsonWebKey = useDPoP ? DPoPJsonWebKey.ParseOrDefault(jwk) : null;
         });
 
         // registers HTTP client that uses the managed user access token

access-token-management/samples/WebJarJwt/Controllers/HomeController.cs

@@ -14,12 +14,12 @@ namespace WebJarJwt.Controllers;
 public class HomeController : Controller
 {
     private readonly IHttpClientFactory _httpClientFactory;
-    private readonly IUserTokenManagementService _tokenManagementService;
+    private readonly IUserTokenManager _tokenManager;
 
-    public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManagementService tokenManagementService)
+    public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManager tokenManager)
     {
         _httpClientFactory = httpClientFactory;
-        _tokenManagementService = tokenManagementService;
+        _tokenManager = tokenManager;
     }
 
     [AllowAnonymous]
@@ -31,7 +31,7 @@ public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManagement
 
     public async Task<IActionResult> CallApiAsUserManual()
     {
-        UserToken token = await _tokenManagementService.GetAccessTokenAsync(User);
+        UserToken token = await _tokenManager.GetAccessTokenAsync(User);
         var client = _httpClientFactory.CreateClient();
         client.SetBearerToken(token.AccessToken.ToString()!);
 

access-token-management/samples/Worker/WorkerManual.cs

@@ -11,9 +11,9 @@ public class WorkerManual : BackgroundService
 {
     private readonly ILogger<WorkerManual> _logger;
     private readonly IHttpClientFactory _clientFactory;
-    private readonly IClientCredentialsTokenManagementService _tokenManagementService;
+    private readonly IClientCredentialsTokenManager _tokenManagementService;
 
-    public WorkerManual(ILogger<WorkerManual> logger, IHttpClientFactory factory, IClientCredentialsTokenManagementService tokenManagementService)
+    public WorkerManual(ILogger<WorkerManual> logger, IHttpClientFactory factory, IClientCredentialsTokenManager tokenManagementService)
     {
         _logger = logger;
         _clientFactory = factory;

access-token-management/samples/Worker/WorkerManualJwt.cs

@@ -11,9 +11,9 @@ public class WorkerManualJwt : BackgroundService
 {
     private readonly ILogger<WorkerManualJwt> _logger;
     private readonly IHttpClientFactory _clientFactory;
-    private readonly IClientCredentialsTokenManagementService _tokenManagementService;
+    private readonly IClientCredentialsTokenManager _tokenManagementService;
 
-    public WorkerManualJwt(ILogger<WorkerManualJwt> logger, IHttpClientFactory factory, IClientCredentialsTokenManagementService tokenManagementService)
+    public WorkerManualJwt(ILogger<WorkerManualJwt> logger, IHttpClientFactory factory, IClientCredentialsTokenManager tokenManagementService)
     {
         _logger = logger;
         _clientFactory = factory;

access-token-management/samples/WorkerDI/WorkerManual.cs

@@ -11,9 +11,9 @@ public class WorkerManual : BackgroundService
 {
     private readonly ILogger<WorkerManual> _logger;
     private readonly IHttpClientFactory _clientFactory;
-    private readonly IClientCredentialsTokenManagementService _tokenManagementService;
+    private readonly IClientCredentialsTokenManager _tokenManagementService;
 
-    public WorkerManual(ILogger<WorkerManual> logger, IHttpClientFactory factory, IClientCredentialsTokenManagementService tokenManagementService)
+    public WorkerManual(ILogger<WorkerManual> logger, IHttpClientFactory factory, IClientCredentialsTokenManager tokenManagementService)
     {
         _logger = logger;
         _clientFactory = factory;

access-token-management/samples/WorkerDI/WorkerManualJwt.cs

@@ -11,9 +11,9 @@ public class WorkerManualJwt : BackgroundService
 {
     private readonly ILogger<WorkerManualJwt> _logger;
     private readonly IHttpClientFactory _clientFactory;
-    private readonly IClientCredentialsTokenManagementService _tokenManagementService;
+    private readonly IClientCredentialsTokenManager _tokenManagementService;
 
-    public WorkerManualJwt(ILogger<WorkerManualJwt> logger, IHttpClientFactory factory, IClientCredentialsTokenManagementService tokenManagementService)
+    public WorkerManualJwt(ILogger<WorkerManualJwt> logger, IHttpClientFactory factory, IClientCredentialsTokenManager tokenManagementService)
     {
         _logger = logger;
         _clientFactory = factory;

access-token-management/src/AccessTokenManagement.OpenIdConnect/HttpContextExtensions.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
+using Duende.AccessTokenManagement.DPoP;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
@@ -26,7 +27,7 @@ public static async Task<TokenResult<UserToken>> GetUserAccessTokenAsync(
         UserTokenRequestParameters? parameters = null,
         CancellationToken cancellationToken = default)
     {
-        var service = httpContext.RequestServices.GetRequiredService<IUserTokenManagementService>();
+        var service = httpContext.RequestServices.GetRequiredService<IUserTokenManager>();
 
         return await service.GetAccessTokenAsync(httpContext.User, parameters, cancellationToken).ConfigureAwait(false);
     }
@@ -43,7 +44,7 @@ public static async Task RevokeRefreshTokenAsync(
         UserTokenRequestParameters? parameters = null,
         CancellationToken cancellationToken = default)
     {
-        var service = httpContext.RequestServices.GetRequiredService<IUserTokenManagementService>();
+        var service = httpContext.RequestServices.GetRequiredService<IUserTokenManager>();
 
         await service.RevokeRefreshTokenAsync(httpContext.User, parameters, cancellationToken).ConfigureAwait(false);
     }
@@ -60,7 +61,7 @@ public static async Task<TokenResult<ClientCredentialsToken>> GetClientAccessTok
         UserTokenRequestParameters? parameters = null,
         CancellationToken cancellationToken = default)
     {
-        var service = httpContext.RequestServices.GetRequiredService<IClientCredentialsTokenManagementService>();
+        var service = httpContext.RequestServices.GetRequiredService<IClientCredentialsTokenManager>();
         var options = httpContext.RequestServices.GetRequiredService<IOptions<UserTokenManagementOptions>>();
         var schemes = httpContext.RequestServices.GetRequiredService<IAuthenticationSchemeProvider>();
 

access-token-management/src/AccessTokenManagement.OpenIdConnect/IUserTokenEndpointService.cs renamed to access-token-management/src/AccessTokenManagement.OpenIdConnect/IOpenIdConnectUserTokenClient.cs

@@ -8,7 +8,7 @@ namespace Duende.AccessTokenManagement.OpenIdConnect;
 /// <summary>
 /// Abstraction for token endpoint operations
 /// </summary>
-public interface IUserTokenEndpointService
+public interface IOpenIdConnectUserTokenClient
 {
     /// <summary>
     /// Refreshes a user access token.

access-token-management/src/AccessTokenManagement.OpenIdConnect/IUserTokenManagementService.cs renamed to access-token-management/src/AccessTokenManagement.OpenIdConnect/IUserTokenManager.cs

@@ -9,7 +9,7 @@ namespace Duende.AccessTokenManagement.OpenIdConnect;
 /// <summary>
 /// Abstraction for managing user access tokens
 /// </summary>
-public interface IUserTokenManagementService
+public interface IUserTokenManager
 {
     /// <summary>
     /// Returns the user access token. If the current token is expired, it will try to refresh it.

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/OpenIdConnectClientAccessTokenRetriever.cs

@@ -2,13 +2,18 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using Duende.AccessTokenManagement.DPoP;
-
-using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Options;
 
 namespace Duende.AccessTokenManagement.OpenIdConnect.Internal;
 
+/// <summary>
+/// A token retriever that uses the configuration in openid connect to retrieve client credential access tokens
+/// </summary>
 internal class OpenIdConnectClientAccessTokenRetriever(
-    IHttpContextAccessor httpContextAccessor,
+    IClientCredentialsTokenManager tokenManager,
+    IOptions<UserTokenManagementOptions> options,
+    IAuthenticationSchemeProvider schemeProvider,
     UserTokenRequestParameters? parameters = null)
     : AccessTokenRequestHandler.ITokenRetriever
 {
@@ -27,15 +32,23 @@ internal class OpenIdConnectClientAccessTokenRetriever(
             ForceTokenRenewal = request.GetForceRenewal()
         };
 
-        if (httpContextAccessor.HttpContext == null)
+        var schemeName = userTokenRequestParameters?.ChallengeScheme ?? options.Value.ChallengeScheme;
+
+        if (schemeName == null)
         {
-            throw new InvalidOperationException("HttpContext is null");
+            var defaultScheme = await schemeProvider.GetDefaultChallengeSchemeAsync().ConfigureAwait(false);
+            if (defaultScheme == null)
+            {
+                throw new InvalidOperationException("Cannot retrieve client access token. No scheme was provided and default challenge scheme was not set.");
+            }
+
+            schemeName = defaultScheme.Name;
         }
 
-        var getTokenResult = await httpContextAccessor.HttpContext.GetClientAccessTokenAsync(
-                userTokenRequestParameters,
-                cancellationToken)
-            .ConfigureAwait(false);
+        var getTokenResult = await tokenManager.GetAccessTokenAsync(
+            OpenIdConnectTokenManagementDefaults.ClientCredentialsClientNamePrefix + schemeName,
+            userTokenRequestParameters,
+            cancellationToken).ConfigureAwait(false);
 
         if (getTokenResult.WasSuccessful(out var token, out var error))
         {

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/OpenIdConnectUserAccessTokenRetriever.cs

@@ -7,7 +7,7 @@ namespace Duende.AccessTokenManagement.OpenIdConnect.Internal;
 
 internal class OpenIdConnectUserAccessTokenRetriever(
     IUserAccessor userAccessor,
-    IUserTokenManagementService userTokenManagement,
+    IUserTokenManager userTokenManagement,
     UserTokenRequestParameters? parameters = null
 ) : AccessTokenRequestHandler.ITokenRetriever
 {

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/UserTokenEndpointService.cs renamed to access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/OpenIdConnectUserTokenClient.cs

@@ -15,13 +15,13 @@ namespace Duende.AccessTokenManagement.OpenIdConnect.Internal;
 /// <summary>
 /// Implements token endpoint operations using IdentityModel
 /// </summary>
-internal class UserTokenEndpointService(
+internal class OpenIdConnectUserTokenClient(
     AccessTokenManagementMetrics metrics,
     IOpenIdConnectConfigurationService configurationService,
     IOptions<UserTokenManagementOptions> options,
     IClientAssertionService clientAssertionService,
     IDPoPProofService dPoPProofService,
-    ILogger<UserTokenEndpointService> logger) : IUserTokenEndpointService
+    ILogger<OpenIdConnectUserTokenClient> logger) : IOpenIdConnectUserTokenClient
 {
     /// <inheritdoc/>
     public async Task<TokenResult<UserToken>> RefreshAccessTokenAsync(

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/StoreTokensInAuthenticationProperties.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using System.Globalization;
+using Duende.AccessTokenManagement.DPoP;
 using Duende.AccessTokenManagement.Internal;
 
 using Microsoft.AspNetCore.Authentication;

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/UserAccessTokenManagementService.cs

@@ -14,14 +14,14 @@ namespace Duende.AccessTokenManagement.OpenIdConnect.Internal;
 /// <summary>
 /// Implements basic token management logic
 /// </summary>
-internal class UserAccessAccessTokenManagementService(
+internal class UserAccessAccessTokenManager(
     AccessTokenManagementMetrics metrics,
     IUserTokenRequestConcurrencyControl sync,
     IUserTokenStore userAccessTokenStore,
     TimeProvider clock,
     IOptions<UserTokenManagementOptions> options,
-    IUserTokenEndpointService tokenEndpointService,
-    ILogger<UserAccessAccessTokenManagementService> logger) : IUserTokenManagementService
+    IOpenIdConnectUserTokenClient tokenClient,
+    ILogger<UserAccessAccessTokenManager> logger) : IUserTokenManager
 {
 
     /// <inheritdoc/>
@@ -73,7 +73,7 @@ public async Task<TokenResult<UserToken>> GetAccessTokenAsync(
                 key: requestedToken.RefreshToken,
                 tokenRetriever: async () =>
                 {
-                    var getRefreshedToken = await tokenEndpointService.RefreshAccessTokenAsync(
+                    var getRefreshedToken = await tokenClient.RefreshAccessTokenAsync(
                                 requestedToken.RefreshToken,
                                 parameters,
                                 cancellationToken).ConfigureAwait(false);
@@ -122,7 +122,7 @@ public async Task RevokeRefreshTokenAsync(
 
         if (getToken.WasSuccessful(out var userToken) && userToken.RefreshToken != null)
         {
-            await tokenEndpointService.RevokeRefreshTokenAsync(userToken.RefreshToken, parameters, cancellationToken).ConfigureAwait(false);
+            await tokenClient.RevokeRefreshTokenAsync(userToken.RefreshToken, parameters, cancellationToken).ConfigureAwait(false);
             await userAccessTokenStore.ClearTokenAsync(user, parameters, cancellationToken).ConfigureAwait(false);
         }
     }

access-token-management/src/AccessTokenManagement.OpenIdConnect/OpenIdConnectClientConfiguration.cs

@@ -8,7 +8,7 @@ namespace Duende.AccessTokenManagement.OpenIdConnect;
 /// <summary>
 /// Configuration setting sourced from the OpenID Connect handler
 /// </summary>
-public class OpenIdConnectClientConfiguration
+public sealed class OpenIdConnectClientConfiguration
 {
     ///// <summary>
     ///// The authority

access-token-management/src/AccessTokenManagement.OpenIdConnect/ServiceCollectionExtensions.cs

@@ -2,7 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using Duende.AccessTokenManagement.OpenIdConnect.Internal;
-using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
@@ -28,10 +28,10 @@ public static IServiceCollection AddOpenIdConnectAccessTokenManagement(this ISer
 
         // TODO: maybe return a builder with a ConfigureScheme that adds IConfigureNamedOptions/IPostConfigureNamedOptions with the naming convention?
         // for example, per-scheme client credentials style, scope, etc settings
-        services.TryAddTransient<IUserTokenManagementService, UserAccessAccessTokenManagementService>();
+        services.TryAddTransient<IUserTokenManager, UserAccessAccessTokenManager>();
         services.TryAddTransient<IOpenIdConnectConfigurationService, OpenIdConnectConfigurationService>();
         services.TryAddSingleton<IUserTokenRequestConcurrencyControl, UserTokenRequestConcurrencyControl>();
-        services.TryAddTransient<IUserTokenEndpointService, UserTokenEndpointService>();
+        services.TryAddTransient<IOpenIdConnectUserTokenClient, OpenIdConnectUserTokenClient>();
         services.TryAddSingleton<IStoreTokensInAuthenticationProperties, StoreTokensInAuthenticationProperties>();
         services.ConfigureOptions<ConfigureOpenIdConnectOptions>();
 
@@ -218,7 +218,7 @@ public static IHttpClientBuilder AddUserAccessTokenHandler(
         httpClientBuilder.AddHttpMessageHandler(provider =>
         {
             var httpContextAccessor = provider.GetRequiredService<IUserAccessor>();
-            var userTokenManagementService = provider.GetRequiredService<IUserTokenManagementService>();
+            var userTokenManagementService = provider.GetRequiredService<IUserTokenManager>();
 
             var tokenRetriever = new OpenIdConnectUserAccessTokenRetriever(
                 httpContextAccessor,
@@ -242,9 +242,13 @@ public static IHttpClientBuilder AddClientAccessTokenHandler(
         UserTokenRequestParameters? parameters = null) =>
         httpClientBuilder.AddHttpMessageHandler(provider =>
         {
-            var httpContextAccessor = provider.GetRequiredService<IHttpContextAccessor>();
+            var tokenManager = provider.GetRequiredService<IClientCredentialsTokenManager>();
+            var schemeProvider = provider.GetRequiredService<IAuthenticationSchemeProvider>();
+            var options = provider.GetRequiredService<IOptions<UserTokenManagementOptions>>();
 
-            var tokenRetriever = new OpenIdConnectClientAccessTokenRetriever(httpContextAccessor,
+            var tokenRetriever = new OpenIdConnectClientAccessTokenRetriever(tokenManager,
+                options,
+                schemeProvider,
                 parameters);
 
             return provider.BuildAccessTokenRequestHandler(tokenRetriever);

access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/TransformPrincipalAfterRefreshAsync.cs renamed to access-token-management/src/AccessTokenManagement.OpenIdConnect/TransformPrincipalAfterRefreshAsync.cs

@@ -3,7 +3,7 @@
 
 using System.Security.Claims;
 
-namespace Duende.AccessTokenManagement.OpenIdConnect.Internal;
+namespace Duende.AccessTokenManagement.OpenIdConnect;
 
 /// <summary>
 /// Allows transforming the principal before re-issuing the authentication session

access-token-management/src/AccessTokenManagement.OpenIdConnect/UserRefreshToken.cs

@@ -2,7 +2,8 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
+using Duende.AccessTokenManagement.DPoP;
 
 namespace Duende.AccessTokenManagement.OpenIdConnect;
 
-public record UserRefreshToken(RefreshTokenString RefreshToken, DPoPJsonWebKey? DPoPJsonWebKey);
+public sealed record UserRefreshToken(RefreshTokenString RefreshToken, DPoPJsonWebKey? DPoPJsonWebKey);

access-token-management/src/AccessTokenManagement.OpenIdConnect/UserToken.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
+using Duende.AccessTokenManagement.DPoP;
 
 namespace Duende.AccessTokenManagement.OpenIdConnect;
 

access-token-management/src/AccessTokenManagement.OpenIdConnect/UserTokenManagementOptions.cs

@@ -2,14 +2,15 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
+using Duende.AccessTokenManagement.DPoP;
 using Duende.IdentityModel.Client;
 
 namespace Duende.AccessTokenManagement.OpenIdConnect;
 
 /// <summary>
 /// Options for user access token management
 /// </summary>
-public class UserTokenManagementOptions
+public sealed class UserTokenManagementOptions
 {
     /// <summary>
     /// Name of the authentication scheme to use for deriving token service configuration