Merge pull request #199 from DuendeSoftware/ev/atm/v4

A different take on ATM V4

Author: Erwinvandervalk

Directory.Packages.props

@@ -2,26 +2,22 @@
   <PropertyGroup>
     <WilsonVersion>7.1.2</WilsonVersion>
   </PropertyGroup>
-
   <PropertyGroup Condition=" '$(TargetFramework)' == 'netstandard2.0'">
     <ExtensionsVersion>8.0.0</ExtensionsVersion>
     <WilsonVersion>7.1.2</WilsonVersion>
   </PropertyGroup>
-
   <PropertyGroup Condition=" '$(TargetFramework)' == 'net8.0'">
     <FrameworkVersion>8.0.1</FrameworkVersion>
     <ExtensionsVersion>9.0.3</ExtensionsVersion>
-    <WilsonVersion>[8.0.1,9.0.0)</WilsonVersion> 
+    <WilsonVersion>[8.0.1,9.0.0)</WilsonVersion>
     <IdentityServerVersion>7.0.8</IdentityServerVersion>
   </PropertyGroup>
-
   <PropertyGroup Condition=" '$(TargetFramework)' == 'net9.0'">
     <FrameworkVersion>9.0.0</FrameworkVersion>
     <ExtensionsVersion>9.0.3</ExtensionsVersion>
     <WilsonVersion>[8.0.1,9.0.0)</WilsonVersion>
     <IdentityServerVersion>7.0.8</IdentityServerVersion>
   </PropertyGroup>
-
   <ItemGroup>
     <PackageVersion Include="AngleSharp" Version="1.1.2" />
     <PackageVersion Include="BullsEye" Version="5.0.0" />
@@ -36,14 +32,15 @@
     <PackageVersion Include="Microsoft.Extensions.Caching.Hybrid " Version="9.3.0" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="$(ExtensionsVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Http" Version="$(ExtensionsVersion)" />
+    <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="9.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="$(ExtensionsVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Options" Version="$(ExtensionsVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Primitives" Version="$(ExtensionsVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Telemetry.Abstractions" Version="9.1.0" />
     <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(WilsonVersion)" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageVersion Include="Microsoft.NETCore.Jit" Version="2.0.8" />
-    <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0"/>
+    <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
     <PackageVersion Include="MinVer" Version="6.0.0" />
     <PackageVersion Include="PublicApiGenerator" Version="11.1.0" />
     <PackageVersion Include="RichardSzalay.MockHttp" Version="7.0.0" />
@@ -57,4 +54,4 @@
     <PackageVersion Include="xunit.v3.core" Version="1.0.1" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.1" />
   </ItemGroup>
-</Project>
+</Project>

access-token-management/perf/Perf.DevServer.ServiceDefaults/Extensions.cs

@@ -3,7 +3,7 @@
 
 using System.Collections;
 using System.Runtime.CompilerServices;
-using Duende.AccessTokenManagement;
+using Duende.AccessTokenManagement.OTel;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.Extensions.DependencyInjection;

access-token-management/perf/Perf.TokenEndpoint/Program.cs

@@ -37,12 +37,11 @@
 services.AddClientCredentialsTokenManagement(opt => opt.CacheLifetimeBuffer = 0)
     .AddClient("c1", opt =>
     {
-        opt.TokenEndpoint = new Uri(Services.IdentityServer.ActualUri(), "/connect/token").ToString();
+        opt.TokenEndpoint = new Uri(Services.IdentityServer.ActualUri(), "/connect/token");
         opt.ClientId = "tokenendpoint";
         opt.ClientSecret = "secret";
         opt.HttpClientName = "c1";
-    })
-    .UsePreviewHybridCache();
+    });
 
 builder.Services.AddStackExchangeRedisCache(options =>
 {
@@ -90,7 +89,7 @@
 
 app.MapGet("/ok", () => "ok");
 
-app.MapGet("/token", async (IClientCredentialsTokenManagementService svc, CancellationToken ct) =>
+app.MapGet("/token", async (IClientCredentialsTokenManager svc, CancellationToken ct) =>
 {
     return await svc.GetAccessTokenAsync("c1");
 });

access-token-management/samples/BlazorServer/Plumbing/CookieEvents.cs

@@ -15,7 +15,7 @@ public class CookieEvents : CookieAuthenticationEvents
     public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
     {
         var token = await _store.GetTokenAsync(context.Principal!);
-        if (token.IsError)
+        if (!token.Succeeded)
         {
             context.RejectPrincipal();
         }

access-token-management/samples/BlazorServer/Plumbing/OidcEvents.cs

@@ -22,7 +22,9 @@ public override async Task TokenValidated(TokenValidatedContext context)
             AccessTokenType = context.TokenEndpointResponse.TokenType,
             Expiration = exp,
             RefreshToken = context.TokenEndpointResponse.RefreshToken,
-            Scope = context.TokenEndpointResponse.Scope
+            Scope = context.TokenEndpointResponse.Scope,
+            ClientId = context.ProtocolMessage.ClientId,
+            IdentityToken = context.TokenEndpointResponse.IdToken
         });
 
         await base.TokenValidated(context);

access-token-management/samples/BlazorServer/Plumbing/ServerSideTokenStore.cs

@@ -3,8 +3,10 @@
 
 using System.Collections.Concurrent;
 using System.Security.Claims;
+using Duende.AccessTokenManagement;
 using Duende.AccessTokenManagement.OpenIdConnect;
 
+
 namespace BlazorServer.Plumbing;
 
 /// <summary>
@@ -13,29 +15,33 @@ namespace BlazorServer.Plumbing;
 /// </summary>
 public class ServerSideTokenStore : IUserTokenStore
 {
-    private static readonly ConcurrentDictionary<string, UserToken> _tokens = new();
+    private static readonly ConcurrentDictionary<string, TokenForParameters> _tokens = new();
 
-    public Task<UserToken> GetTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null)
+    public Task<TokenResult<TokenForParameters>> GetTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null,
+        CancellationToken cancellationToken = default)
     {
         var sub = user.FindFirst("sub")?.Value ?? throw new InvalidOperationException("no sub claim");
 
         if (_tokens.TryGetValue(sub, out var value))
         {
-            return Task.FromResult(value);
+            return Task.FromResult(TokenResult.Success(value));
         }
 
-        return Task.FromResult(new UserToken { Error = "not found" });
+        return Task.FromResult((TokenResult<TokenForParameters>)TokenResult.Failure("not found"));
     }
 
-    public Task StoreTokenAsync(ClaimsPrincipal user, UserToken token, UserTokenRequestParameters? parameters = null)
+    public Task StoreTokenAsync(ClaimsPrincipal user, UserToken token, UserTokenRequestParameters? parameters = null, CancellationToken ct = default)
     {
         var sub = user.FindFirst("sub")?.Value ?? throw new InvalidOperationException("no sub claim");
-        _tokens[sub] = token;
+        _tokens[sub] = new TokenForParameters(token,
+            token.RefreshToken == null
+                ? null
+                : new UserRefreshToken(token.RefreshToken.Value, token.DPoPJsonWebKey));
 
         return Task.CompletedTask;
     }
 
-    public Task ClearTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null)
+    public Task ClearTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null, CancellationToken ct = default)
     {
         var sub = user.FindFirst("sub")?.Value ?? throw new InvalidOperationException("no sub claim");
 

access-token-management/samples/Web/Controllers/HomeController.cs

@@ -2,7 +2,9 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using System.Text.Json;
+using Duende.AccessTokenManagement;
 using Duende.AccessTokenManagement.OpenIdConnect;
+
 using Duende.IdentityModel.Client;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -13,13 +15,13 @@ namespace Web.Controllers;
 public class HomeController : Controller
 {
     private readonly IHttpClientFactory _httpClientFactory;
-    private readonly IUserTokenManagementService _tokenManagementService;
+    private readonly IUserTokenManager _tokenManager;
     private readonly SampleConfiguration _configuration;
 
-    public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManagementService tokenManagementService, IOptions<SampleConfiguration> options)
+    public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManager tokenManager, IOptions<SampleConfiguration> options)
     {
         _httpClientFactory = httpClientFactory;
-        _tokenManagementService = tokenManagementService;
+        _tokenManager = tokenManager;
         _configuration = options.Value;
     }
 
@@ -32,9 +34,9 @@ public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManagement
 
     public async Task<IActionResult> CallApiAsUserManual()
     {
-        var token = await _tokenManagementService.GetAccessTokenAsync(User);
+        var token = await _tokenManager.GetAccessTokenAsync(User).GetToken();
         var client = _httpClientFactory.CreateClient();
-        client.SetToken(token.AccessTokenType!, token.AccessToken!);
+        client.SetToken(token.AccessTokenType?.ToScheme().ToString()!, token.AccessToken.ToString());
 
         var response = await client.GetStringAsync($"{_configuration.ApiBaseUrl}test");
         ViewBag.Json = PrettyPrint(response);
@@ -44,9 +46,11 @@ public async Task<IActionResult> CallApiAsUserManual()
 
     public async Task<IActionResult> CallApiAsUserExtensionMethod()
     {
-        var token = await HttpContext.GetUserAccessTokenAsync();
+        var token = await HttpContext.GetUserAccessTokenAsync().GetToken();
         var client = _httpClientFactory.CreateClient();
-        client.SetToken(token.AccessTokenType!, token.AccessToken!);
+        var scheme = token.AccessTokenType?.ToScheme().ToString()
+            ?? throw new InvalidOperationException("Scheme is empty");
+        client.SetToken(scheme, token.AccessToken.ToString());
 
         var response = await client.GetStringAsync($"{_configuration.ApiBaseUrl}test");
         ViewBag.Json = PrettyPrint(response);
@@ -86,9 +90,10 @@ public async Task<IActionResult> CallApiAsUserResourceIndicator()
     [AllowAnonymous]
     public async Task<IActionResult> CallApiAsClientExtensionMethod()
     {
-        var token = await HttpContext.GetClientAccessTokenAsync();
+        var token = await HttpContext.GetClientAccessTokenAsync().GetToken();
         var client = _httpClientFactory.CreateClient();
-        client.SetToken(token.AccessTokenType!, token.AccessToken!);
+        var scheme = token.AccessTokenType?.ToScheme().ToString() ?? throw new InvalidOperationException("Scheme is empty");
+        client.SetToken(scheme, token.AccessToken.ToString());
 
         var response = await client.GetStringAsync($"{_configuration.ApiBaseUrl}test");
 

access-token-management/samples/Web/Startup.cs

@@ -3,7 +3,9 @@
 
 using System.Security.Cryptography;
 using System.Text.Json;
+using Duende.AccessTokenManagement.DPoP;
 using Duende.AccessTokenManagement.OpenIdConnect;
+
 using Microsoft.IdentityModel.Tokens;
 using Serilog;
 using Serilog.Events;
@@ -72,12 +74,12 @@ internal static WebApplication ConfigureServices(this WebApplicationBuilder buil
         var rsaKey = new RsaSecurityKey(RSA.Create(2048));
         var jsonWebKey = JsonWebKeyConverter.ConvertFromRSASecurityKey(rsaKey);
         jsonWebKey.Alg = "PS256";
-        var jwk = JsonSerializer.Serialize(jsonWebKey);
+        var jwk = JsonSerializer.Serialize(jsonWebKey) ?? throw new InvalidOperationException("Failed to deserialize");
 
         builder.Services.AddOpenIdConnectAccessTokenManagement(options =>
         {
             var useDPoP = builder.Configuration.GetValue<bool>("UseDPoP");
-            options.DPoPJsonWebKey = useDPoP ? jwk : null;
+            options.DPoPJsonWebKey = useDPoP ? ProofKeyString.ParseOrDefault(jwk) : null;
         });
 
         // registers HTTP client that uses the managed user access token

access-token-management/samples/WebJarJwt/ClientAssertionService.cs

@@ -3,6 +3,7 @@
 
 using Duende.AccessTokenManagement;
 using Duende.AccessTokenManagement.OpenIdConnect;
+
 using Duende.IdentityModel;
 using Duende.IdentityModel.Client;
 using Microsoft.IdentityModel.JsonWebTokens;
@@ -36,22 +37,23 @@ public class ClientAssertionService : IClientAssertionService
     public ClientAssertionService(
         IOpenIdConnectConfigurationService configurationService) => _configurationService = configurationService;
 
-    public async Task<ClientAssertion?> GetClientAssertionAsync(string? clientName = null,
-        TokenRequestParameters? parameters = null)
+    public async Task<ClientAssertion?> GetClientAssertionAsync(ClientName? clientName = null,
+        TokenRequestParameters? parameters = null,
+        CancellationToken ct = default)
     {
-        var config = await _configurationService.GetOpenIdConnectConfigurationAsync();
+        var config = await _configurationService.GetOpenIdConnectConfigurationAsync(ct: ct);
 
         var descriptor = new SecurityTokenDescriptor
         {
-            Issuer = config.ClientId,
-            Audience = config.Authority,
+            Issuer = config.ClientId.ToString(),
+            Audience = config.TokenEndpoint.GetLeftPart(UriPartial.Authority),
             Expires = DateTime.UtcNow.AddMinutes(1),
             SigningCredentials = Credential,
 
             Claims = new Dictionary<string, object>
             {
                 { JwtClaimTypes.JwtId, Guid.NewGuid().ToString() },
-                { JwtClaimTypes.Subject, config.ClientId! },
+                { JwtClaimTypes.Subject, config.ClientId.ToString()! },
                 { JwtClaimTypes.IssuedAt, DateTime.UtcNow.ToEpochTime() }
             },
 
@@ -71,7 +73,8 @@ public ClientAssertionService(
         };
     }
 
-    public async Task<string> SignAuthorizeRequest(OpenIdConnectMessage message)
+    public async Task<string> SignAuthorizeRequest(OpenIdConnectMessage message,
+        CancellationToken ct = default)
     {
         var config = await _configurationService.GetOpenIdConnectConfigurationAsync();
 
@@ -83,8 +86,8 @@ public async Task<string> SignAuthorizeRequest(OpenIdConnectMessage message)
 
         var descriptor = new SecurityTokenDescriptor
         {
-            Issuer = config.ClientId,
-            Audience = config.Authority,
+            Issuer = config.ClientId.ToString(),
+            Audience = config.TokenEndpoint.GetLeftPart(UriPartial.Authority),
             Expires = DateTime.UtcNow.AddMinutes(1),
             SigningCredentials = Credential,
 

access-token-management/samples/WebJarJwt/Controllers/HomeController.cs

@@ -2,7 +2,9 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using System.Text.Json;
+using Duende.AccessTokenManagement;
 using Duende.AccessTokenManagement.OpenIdConnect;
+
 using Duende.IdentityModel.Client;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -12,12 +14,12 @@ namespace WebJarJwt.Controllers;
 public class HomeController : Controller
 {
     private readonly IHttpClientFactory _httpClientFactory;
-    private readonly IUserTokenManagementService _tokenManagementService;
+    private readonly IUserTokenManager _tokenManager;
 
-    public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManagementService tokenManagementService)
+    public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManager tokenManager)
     {
         _httpClientFactory = httpClientFactory;
-        _tokenManagementService = tokenManagementService;
+        _tokenManager = tokenManager;
     }
 
     [AllowAnonymous]
@@ -29,9 +31,9 @@ public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManagement
 
     public async Task<IActionResult> CallApiAsUserManual()
     {
-        var token = await _tokenManagementService.GetAccessTokenAsync(User);
+        var token = await _tokenManager.GetAccessTokenAsync(User).GetToken();
         var client = _httpClientFactory.CreateClient();
-        client.SetBearerToken(token.AccessToken!);
+        client.SetBearerToken(token.AccessToken.ToString()!);
 
         var response = await client.GetStringAsync("https://demo.duendesoftware.com/api/test");
         ViewBag.Json = PrettyPrint(response);
@@ -41,9 +43,9 @@ public async Task<IActionResult> CallApiAsUserManual()
 
     public async Task<IActionResult> CallApiAsUserExtensionMethod()
     {
-        var token = await HttpContext.GetUserAccessTokenAsync();
+        var token = await HttpContext.GetUserAccessTokenAsync().GetToken();
         var client = _httpClientFactory.CreateClient();
-        client.SetBearerToken(token.AccessToken!);
+        client.SetBearerToken(token.AccessToken.ToString());
 
         var response = await client.GetStringAsync("https://demo.duendesoftware.com/api/test");
         ViewBag.Json = PrettyPrint(response);
@@ -72,9 +74,9 @@ public async Task<IActionResult> CallApiAsUserFactoryTyped([FromServices] TypedU
     [AllowAnonymous]
     public async Task<IActionResult> CallApiAsClientExtensionMethod()
     {
-        var token = await HttpContext.GetClientAccessTokenAsync();
+        var token = await HttpContext.GetClientAccessTokenAsync().GetToken();
         var client = _httpClientFactory.CreateClient();
-        client.SetBearerToken(token.AccessToken!);
+        client.SetBearerToken(token.AccessToken.ToString());
 
         var response = await client.GetStringAsync("https://demo.duendesoftware.com/api/test");