first stab at v4

Author: Erwinvandervalk

Directory.Packages.props

@@ -2,26 +2,22 @@
   <PropertyGroup>
     <WilsonVersion>7.1.2</WilsonVersion>
   </PropertyGroup>
-
   <PropertyGroup Condition=" '$(TargetFramework)' == 'netstandard2.0'">
     <ExtensionsVersion>8.0.0</ExtensionsVersion>
     <WilsonVersion>7.1.2</WilsonVersion>
   </PropertyGroup>
-
   <PropertyGroup Condition=" '$(TargetFramework)' == 'net8.0'">
     <FrameworkVersion>8.0.1</FrameworkVersion>
     <ExtensionsVersion>9.0.3</ExtensionsVersion>
-    <WilsonVersion>[8.0.1,9.0.0)</WilsonVersion> 
+    <WilsonVersion>[8.0.1,9.0.0)</WilsonVersion>
     <IdentityServerVersion>7.0.8</IdentityServerVersion>
   </PropertyGroup>
-
   <PropertyGroup Condition=" '$(TargetFramework)' == 'net9.0'">
     <FrameworkVersion>9.0.0</FrameworkVersion>
     <ExtensionsVersion>9.0.3</ExtensionsVersion>
     <WilsonVersion>[8.0.1,9.0.0)</WilsonVersion>
     <IdentityServerVersion>7.0.8</IdentityServerVersion>
   </PropertyGroup>
-
   <ItemGroup>
     <PackageVersion Include="AngleSharp" Version="1.1.2" />
     <PackageVersion Include="BullsEye" Version="5.0.0" />
@@ -36,14 +32,15 @@
     <PackageVersion Include="Microsoft.Extensions.Caching.Hybrid " Version="9.3.0" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="$(ExtensionsVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Http" Version="$(ExtensionsVersion)" />
+    <PackageVersion Include="Microsoft.Extensions.Http.Resilience" Version="9.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="$(ExtensionsVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Options" Version="$(ExtensionsVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Primitives" Version="$(ExtensionsVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Telemetry.Abstractions" Version="9.1.0" />
     <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(WilsonVersion)" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
     <PackageVersion Include="Microsoft.NETCore.Jit" Version="2.0.8" />
-    <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0"/>
+    <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0" />
     <PackageVersion Include="MinVer" Version="6.0.0" />
     <PackageVersion Include="PublicApiGenerator" Version="11.1.0" />
     <PackageVersion Include="RichardSzalay.MockHttp" Version="7.0.0" />
@@ -54,6 +51,7 @@
     <PackageVersion Include="System.Net.Http" Version="4.3.4" />
     <PackageVersion Include="System.Text.Json" Version="8.0.5" />
     <PackageVersion Include="Verify.XunitV3" Version="28.9.0" />
+    <PackageVersion Include="Vogen" Version="7.0.3" />
     <PackageVersion Include="xunit.v3.core" Version="1.0.1" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.1" />
   </ItemGroup>

access-token-management/perf/Perf.DevServer.ServiceDefaults/Extensions.cs

@@ -3,7 +3,7 @@
 
 using System.Collections;
 using System.Runtime.CompilerServices;
-using Duende.AccessTokenManagement;
+using Duende.AccessTokenManagement.OTel;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.Extensions.DependencyInjection;

access-token-management/perf/Perf.TokenEndpoint/Program.cs

@@ -37,12 +37,11 @@
 services.AddClientCredentialsTokenManagement(opt => opt.CacheLifetimeBuffer = 0)
     .AddClient("c1", opt =>
     {
-        opt.TokenEndpoint = new Uri(Services.IdentityServer.ActualUri(), "/connect/token").ToString();
+        opt.TokenEndpoint = new Uri(Services.IdentityServer.ActualUri(), "/connect/token");
         opt.ClientId = "tokenendpoint";
         opt.ClientSecret = "secret";
         opt.HttpClientName = "c1";
-    })
-    .UsePreviewHybridCache();
+    });
 
 builder.Services.AddStackExchangeRedisCache(options =>
 {

access-token-management/samples/BlazorServer/Plumbing/OidcEvents.cs

@@ -22,7 +22,9 @@ public override async Task TokenValidated(TokenValidatedContext context)
             AccessTokenType = context.TokenEndpointResponse.TokenType,
             Expiration = exp,
             RefreshToken = context.TokenEndpointResponse.RefreshToken,
-            Scope = context.TokenEndpointResponse.Scope
+            Scope = context.TokenEndpointResponse.Scope,
+            ClientId = context.ProtocolMessage.ClientId,
+            IdentityToken = context.TokenEndpointResponse.IdToken
         });
 
         await base.TokenValidated(context);

access-token-management/samples/BlazorServer/Plumbing/ServerSideTokenStore.cs

@@ -3,8 +3,10 @@
 
 using System.Collections.Concurrent;
 using System.Security.Claims;
+using Duende.AccessTokenManagement;
 using Duende.AccessTokenManagement.OpenIdConnect;
 
+
 namespace BlazorServer.Plumbing;
 
 /// <summary>
@@ -13,29 +15,33 @@ namespace BlazorServer.Plumbing;
 /// </summary>
 public class ServerSideTokenStore : IUserTokenStore
 {
-    private static readonly ConcurrentDictionary<string, UserToken> _tokens = new();
+    private static readonly ConcurrentDictionary<string, TokenForParameters> _tokens = new();
 
-    public Task<UserToken> GetTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null)
+    public Task<TokenResult<TokenForParameters>> GetTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null,
+        CancellationToken cancellationToken = default)
     {
         var sub = user.FindFirst("sub")?.Value ?? throw new InvalidOperationException("no sub claim");
 
         if (_tokens.TryGetValue(sub, out var value))
         {
-            return Task.FromResult(value);
+            return Task.FromResult(TokenResult.Success(value));
         }
 
-        return Task.FromResult(new UserToken { Error = "not found" });
+        return Task.FromResult((TokenResult<TokenForParameters>)TokenResult.Failure("not found"));
     }
 
-    public Task StoreTokenAsync(ClaimsPrincipal user, UserToken token, UserTokenRequestParameters? parameters = null)
+    public Task StoreTokenAsync(ClaimsPrincipal user, UserToken token, UserTokenRequestParameters? parameters = null, CancellationToken ct = default)
     {
         var sub = user.FindFirst("sub")?.Value ?? throw new InvalidOperationException("no sub claim");
-        _tokens[sub] = token;
+        _tokens[sub] = new TokenForParameters(token,
+            token.RefreshToken == null
+                ? null
+                : new UserRefreshToken(token.RefreshToken.Value, token.DPoPJsonWebKey));
 
         return Task.CompletedTask;
     }
 
-    public Task ClearTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null)
+    public Task ClearTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null, CancellationToken ct = default)
     {
         var sub = user.FindFirst("sub")?.Value ?? throw new InvalidOperationException("no sub claim");
 

access-token-management/samples/Web/Controllers/HomeController.cs

@@ -2,7 +2,9 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using System.Text.Json;
+using Duende.AccessTokenManagement;
 using Duende.AccessTokenManagement.OpenIdConnect;
+
 using Duende.IdentityModel.Client;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -32,9 +34,9 @@ public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManagement
 
     public async Task<IActionResult> CallApiAsUserManual()
     {
-        var token = await _tokenManagementService.GetAccessTokenAsync(User);
+        UserToken token = await _tokenManagementService.GetAccessTokenAsync(User);
         var client = _httpClientFactory.CreateClient();
-        client.SetToken(token.AccessTokenType!, token.AccessToken!);
+        client.SetToken(token.AccessTokenType?.ToScheme().ToString()!, token.AccessToken.ToString());
 
         var response = await client.GetStringAsync($"{_configuration.ApiBaseUrl}test");
         ViewBag.Json = PrettyPrint(response);
@@ -44,9 +46,11 @@ public async Task<IActionResult> CallApiAsUserManual()
 
     public async Task<IActionResult> CallApiAsUserExtensionMethod()
     {
-        var token = await HttpContext.GetUserAccessTokenAsync();
+        UserToken token = await HttpContext.GetUserAccessTokenAsync();
         var client = _httpClientFactory.CreateClient();
-        client.SetToken(token.AccessTokenType!, token.AccessToken!);
+        var scheme = token.AccessTokenType?.ToScheme().ToString()
+            ?? throw new InvalidOperationException("Scheme is empty");
+        client.SetToken(scheme, token.AccessToken.ToString());
 
         var response = await client.GetStringAsync($"{_configuration.ApiBaseUrl}test");
         ViewBag.Json = PrettyPrint(response);
@@ -86,9 +90,10 @@ public async Task<IActionResult> CallApiAsUserResourceIndicator()
     [AllowAnonymous]
     public async Task<IActionResult> CallApiAsClientExtensionMethod()
     {
-        var token = await HttpContext.GetClientAccessTokenAsync();
+        ClientCredentialsToken token = await HttpContext.GetClientAccessTokenAsync();
         var client = _httpClientFactory.CreateClient();
-        client.SetToken(token.AccessTokenType!, token.AccessToken!);
+        var scheme = token.AccessTokenType?.ToScheme().ToString() ?? throw new InvalidOperationException("Scheme is empty");
+        client.SetToken(scheme, token.AccessToken.ToString());
 
         var response = await client.GetStringAsync($"{_configuration.ApiBaseUrl}test");
 

access-token-management/samples/Web/Startup.cs

@@ -3,7 +3,9 @@
 
 using System.Security.Cryptography;
 using System.Text.Json;
+using Duende.AccessTokenManagement;
 using Duende.AccessTokenManagement.OpenIdConnect;
+
 using Microsoft.IdentityModel.Tokens;
 using Serilog;
 using Serilog.Events;
@@ -72,12 +74,12 @@ internal static WebApplication ConfigureServices(this WebApplicationBuilder buil
         var rsaKey = new RsaSecurityKey(RSA.Create(2048));
         var jsonWebKey = JsonWebKeyConverter.ConvertFromRSASecurityKey(rsaKey);
         jsonWebKey.Alg = "PS256";
-        var jwk = JsonSerializer.Serialize(jsonWebKey);
+        var jwk = JsonSerializer.Serialize(jsonWebKey) ?? throw new InvalidOperationException("Failed to deserialize");
 
         builder.Services.AddOpenIdConnectAccessTokenManagement(options =>
         {
             var useDPoP = builder.Configuration.GetValue<bool>("UseDPoP");
-            options.DPoPJsonWebKey = useDPoP ? jwk : null;
+            options.DPoPJsonWebKey = useDPoP ? DPoPJsonWebKey.Parse(jwk) : null;
         });
 
         // registers HTTP client that uses the managed user access token

access-token-management/samples/WebJarJwt/ClientAssertionService.cs

@@ -3,6 +3,7 @@
 
 using Duende.AccessTokenManagement;
 using Duende.AccessTokenManagement.OpenIdConnect;
+
 using Duende.IdentityModel;
 using Duende.IdentityModel.Client;
 using Microsoft.IdentityModel.JsonWebTokens;
@@ -36,22 +37,23 @@ public class ClientAssertionService : IClientAssertionService
     public ClientAssertionService(
         IOpenIdConnectConfigurationService configurationService) => _configurationService = configurationService;
 
-    public async Task<ClientAssertion?> GetClientAssertionAsync(string? clientName = null,
-        TokenRequestParameters? parameters = null)
+    public async Task<ClientAssertion?> GetClientAssertionAsync(ClientName? clientName = null,
+        TokenRequestParameters? parameters = null,
+        CancellationToken ct = default)
     {
-        var config = await _configurationService.GetOpenIdConnectConfigurationAsync();
+        var config = await _configurationService.GetOpenIdConnectConfigurationAsync(ct: ct);
 
         var descriptor = new SecurityTokenDescriptor
         {
-            Issuer = config.ClientId,
-            Audience = config.Authority,
+            Issuer = config.ClientId.ToString(),
+            Audience = config.TokenEndpoint.GetLeftPart(UriPartial.Authority),
             Expires = DateTime.UtcNow.AddMinutes(1),
             SigningCredentials = Credential,
 
             Claims = new Dictionary<string, object>
             {
                 { JwtClaimTypes.JwtId, Guid.NewGuid().ToString() },
-                { JwtClaimTypes.Subject, config.ClientId! },
+                { JwtClaimTypes.Subject, config.ClientId.ToString()! },
                 { JwtClaimTypes.IssuedAt, DateTime.UtcNow.ToEpochTime() }
             },
 
@@ -71,7 +73,8 @@ public ClientAssertionService(
         };
     }
 
-    public async Task<string> SignAuthorizeRequest(OpenIdConnectMessage message)
+    public async Task<string> SignAuthorizeRequest(OpenIdConnectMessage message,
+        CancellationToken ct = default)
     {
         var config = await _configurationService.GetOpenIdConnectConfigurationAsync();
 
@@ -83,8 +86,8 @@ public async Task<string> SignAuthorizeRequest(OpenIdConnectMessage message)
 
         var descriptor = new SecurityTokenDescriptor
         {
-            Issuer = config.ClientId,
-            Audience = config.Authority,
+            Issuer = config.ClientId.ToString(),
+            Audience = config.TokenEndpoint.GetLeftPart(UriPartial.Authority),
             Expires = DateTime.UtcNow.AddMinutes(1),
             SigningCredentials = Credential,
 

access-token-management/samples/WebJarJwt/Controllers/HomeController.cs

@@ -2,7 +2,9 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using System.Text.Json;
+using Duende.AccessTokenManagement;
 using Duende.AccessTokenManagement.OpenIdConnect;
+
 using Duende.IdentityModel.Client;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -29,9 +31,9 @@ public HomeController(IHttpClientFactory httpClientFactory, IUserTokenManagement
 
     public async Task<IActionResult> CallApiAsUserManual()
     {
-        var token = await _tokenManagementService.GetAccessTokenAsync(User);
+        UserToken token = await _tokenManagementService.GetAccessTokenAsync(User);
         var client = _httpClientFactory.CreateClient();
-        client.SetBearerToken(token.AccessToken!);
+        client.SetBearerToken(token.AccessToken.ToString()!);
 
         var response = await client.GetStringAsync("https://demo.duendesoftware.com/api/test");
         ViewBag.Json = PrettyPrint(response);
@@ -41,9 +43,9 @@ public async Task<IActionResult> CallApiAsUserManual()
 
     public async Task<IActionResult> CallApiAsUserExtensionMethod()
     {
-        var token = await HttpContext.GetUserAccessTokenAsync();
+        UserToken token = await HttpContext.GetUserAccessTokenAsync();
         var client = _httpClientFactory.CreateClient();
-        client.SetBearerToken(token.AccessToken!);
+        client.SetBearerToken(token.AccessToken.ToString());
 
         var response = await client.GetStringAsync("https://demo.duendesoftware.com/api/test");
         ViewBag.Json = PrettyPrint(response);
@@ -72,9 +74,9 @@ public async Task<IActionResult> CallApiAsUserFactoryTyped([FromServices] TypedU
     [AllowAnonymous]
     public async Task<IActionResult> CallApiAsClientExtensionMethod()
     {
-        var token = await HttpContext.GetClientAccessTokenAsync();
+        ClientCredentialsToken token = await HttpContext.GetClientAccessTokenAsync();
         var client = _httpClientFactory.CreateClient();
-        client.SetBearerToken(token.AccessToken!);
+        client.SetBearerToken(token.AccessToken.ToString());
 
         var response = await client.GetStringAsync("https://demo.duendesoftware.com/api/test");
 

access-token-management/samples/Worker/ClientAssertionService.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using Duende.AccessTokenManagement;
+
 using Duende.IdentityModel;
 using Duende.IdentityModel.Client;
 using Microsoft.Extensions.Options;
@@ -10,10 +11,8 @@
 
 namespace WorkerService;
 
-public class ClientAssertionService : IClientAssertionService
+public class ClientAssertionService(IOptionsMonitor<ClientCredentialsClient> options) : IClientAssertionService
 {
-    private readonly IOptionsMonitor<ClientCredentialsClient> _options;
-
     private static string RsaKey =
         """
         {
@@ -32,25 +31,23 @@ public class ClientAssertionService : IClientAssertionService
 
     private static SigningCredentials Credential = new(new JsonWebKey(RsaKey), "RS256");
 
-    public ClientAssertionService(IOptionsMonitor<ClientCredentialsClient> options) => _options = options;
-
-    public Task<ClientAssertion?> GetClientAssertionAsync(string? clientName = null, TokenRequestParameters? parameters = null)
+    public Task<ClientAssertion?> GetClientAssertionAsync(ClientName? clientName, TokenRequestParameters? parameters = null, CancellationToken ct = default)
     {
         if (clientName == "demo.jwt")
         {
-            var options = _options.Get(clientName);
+            var options1 = options.Get(clientName.ToString());
 
             var descriptor = new SecurityTokenDescriptor
             {
-                Issuer = options.ClientId,
-                Audience = options.TokenEndpoint,
+                Issuer = options1.ClientId?.ToString(),
+                Audience = options1.TokenEndpoint?.ToString(),
                 Expires = DateTime.UtcNow.AddMinutes(1),
                 SigningCredentials = Credential,
 
                 Claims = new Dictionary<string, object>
                 {
                     { JwtClaimTypes.JwtId, Guid.NewGuid().ToString() },
-                    { JwtClaimTypes.Subject, options.ClientId! },
+                    { JwtClaimTypes.Subject, options1.ClientId?.ToString()! },
                     { JwtClaimTypes.IssuedAt, DateTime.UtcNow.ToEpochTime() }
                 }
             };

access-token-management/samples/Worker/Program.cs

@@ -34,7 +34,7 @@ public static IHostBuilder CreateHostBuilder(string[] args)
                 services.AddClientCredentialsTokenManagement()
                     .AddClient("demo", client =>
                     {
-                        client.TokenEndpoint = "https://demo.duendesoftware.com/connect/token";
+                        client.TokenEndpoint = new Uri("https://demo.duendesoftware.com/connect/token");
 
                         client.ClientId = "m2m.short";
                         client.ClientSecret = "secret";
@@ -43,7 +43,7 @@ public static IHostBuilder CreateHostBuilder(string[] args)
                     })
                     .AddClient("demo.dpop", client =>
                     {
-                        client.TokenEndpoint = "https://demo.duendesoftware.com/connect/token";
+                        client.TokenEndpoint = new Uri("https://demo.duendesoftware.com/connect/token");
                         //client.TokenEndpoint = "https://localhost:5001/connect/token";
 
                         client.ClientId = "m2m.dpop";
@@ -55,7 +55,7 @@ public static IHostBuilder CreateHostBuilder(string[] args)
                     })
                     .AddClient("demo.jwt", client =>
                     {
-                        client.TokenEndpoint = "https://demo.duendesoftware.com/connect/token";
+                        client.TokenEndpoint = new Uri("https://demo.duendesoftware.com/connect/token");
                         client.ClientId = "m2m.short.jwt";
 
                         client.Scope = "api";