Merge pull request #35 from DuendeSoftware/brock/resource-param

brockallen · web-flow · commit 951f552f4f1e · 2023-06-26T14:39:29.000-04:00
Fix bug where use of resource param is not triggering renewal
diff --git a/samples/Web/Controllers/HomeController.cs b/samples/Web/Controllers/HomeController.cs
@@ -69,6 +69,20 @@ public async Task<IActionResult> CallApiAsUserFactoryTyped([FromServices] TypedU
         return View("CallApi");
     }
 
+    [AllowAnonymous]
+    public async Task<IActionResult> CallApiAsUserResourceIndicator()
+    {
+        var token = await HttpContext.GetUserAccessTokenAsync(new UserTokenRequestParameters { Resource = "urn:resource1" });
+        var client = _httpClientFactory.CreateClient();
+        client.SetToken(token.AccessTokenType!, token.AccessToken!);
+
+        var response = await client.GetStringAsync("https://demo.duendesoftware.com/api/test");
+
+        ViewBag.Json = PrettyPrint(response);
+        return View("CallApi");
+    }
+
+
     [AllowAnonymous]
     public async Task<IActionResult> CallApiAsClientExtensionMethod()
     {
@@ -81,7 +95,21 @@ public async Task<IActionResult> CallApiAsClientExtensionMethod()
         ViewBag.Json = PrettyPrint(response);
         return View("CallApi");
     }
+
+    [AllowAnonymous]
+    public async Task<IActionResult> CallApiAsClientResourceIndicator()
+    {
+        var token = await HttpContext.GetClientAccessTokenAsync(new UserTokenRequestParameters { Resource = "urn:resource1" });
+        var client = _httpClientFactory.CreateClient();
+        client.SetToken(token.AccessTokenType!, token.AccessToken!);
+
+        var response = await client.GetStringAsync("https://demo.duendesoftware.com/api/test");
+
+        ViewBag.Json = PrettyPrint(response);
+        return View("CallApi");
+    }
     
+
     [AllowAnonymous]
     public async Task<IActionResult> CallApiAsClientFactory()
     {
diff --git a/samples/Web/Properties/launchSettings.json b/samples/Web/Properties/launchSettings.json
@@ -3,7 +3,7 @@
     "Web": {
       "commandName": "Project",
       "launchBrowser": true,
-      "applicationUrl": "https://localhost:5001;http://localhost:5000",
+      "applicationUrl": "https://localhost:5002",
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development"
       }
diff --git a/samples/Web/Startup.cs b/samples/Web/Startup.cs
@@ -4,6 +4,7 @@
 using System;
 using System.Security.Cryptography;
 using System.Text.Json;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.DependencyInjection;
@@ -33,6 +34,7 @@ internal static WebApplication ConfigureServices(this WebApplicationBuilder buil
             .AddOpenIdConnect("oidc", options =>
             {
                 options.Authority = "https://demo.duendesoftware.com";
+                //options.Authority = "https://localhost:5001";
 
                 options.ClientId = "interactive.confidential.short";
                 options.ClientSecret = "secret";
@@ -46,6 +48,7 @@ internal static WebApplication ConfigureServices(this WebApplicationBuilder buil
                 options.Scope.Add("email");
                 options.Scope.Add("offline_access");
                 options.Scope.Add("api");
+                options.Scope.Add("resource1.scope1");
 
                 options.GetClaimsFromUserInfoEndpoint = true;
                 options.SaveTokens = true;
@@ -56,6 +59,12 @@ internal static WebApplication ConfigureServices(this WebApplicationBuilder buil
                     NameClaimType = "name",
                     RoleClaimType = "role"
                 };
+
+                options.Events.OnRedirectToIdentityProvider = ctx => 
+                {
+                    ctx.ProtocolMessage.Resource = "urn:resource1";
+                    return Task.CompletedTask;
+                };
             });
 
         var rsaKey = new RsaSecurityKey(RSA.Create(2048));
diff --git a/samples/Web/Views/Home/Index.cshtml b/samples/Web/Views/Home/Index.cshtml
@@ -9,5 +9,7 @@
 <a href="./home/CallApiAsClientFactory">HTTP client factory</a>
 |
 <a href="./home/CallApiAsClientFactoryTyped">HTTP client factory (typed)</a>
+|
+<a href="./home/CallApiAsClientResourceIndicator">Use resource indicator</a>
 
 
diff --git a/samples/Web/Views/Home/Secure.cshtml b/samples/Web/Views/Home/Secure.cshtml
@@ -9,6 +9,8 @@
 <a href="./CallApiAsUserFactory">HTTP client factory</a>
 |
 <a href="./CallApiAsUserFactoryTyped">HTTP client factory (typed)</a>
+|
+<a href="./CallApiAsUserResourceIndicator">Use resource indicator</a>
 
 <h3>Call API as Client</h3>
 
@@ -17,7 +19,8 @@
 <a href="./CallApiAsClientFactory">HTTP client factory</a>
 |
 <a href="./CallApiAsClientFactoryTypes">HTTP client factory (typed)</a>
-
+|
+<a href="./CallApiAsClientResourceIndicator">Use resource indicator</a>
 
 <h2>Claims</h2>
 
diff --git a/src/Duende.AccessTokenManagement.OpenIdConnect/AuthenticationSessionUserTokenStore.cs b/src/Duende.AccessTokenManagement.OpenIdConnect/AuthenticationSessionUserTokenStore.cs
@@ -102,13 +102,14 @@ public async Task<UserToken> GetTokenAsync(
             {
                 dpopKeyName += $"::{parameters.Resource}";
             }
-            var expiresName = $"{TokenPrefix}expires_at"; string? refreshToken = null;
+            var expiresName = $"{TokenPrefix}expires_at";
             if (!string.IsNullOrEmpty(parameters.Resource))
             {
                 expiresName += $"::{parameters.Resource}";
             }
             const string refreshTokenName = $"{TokenPrefix}{OpenIdConnectParameterNames.RefreshToken}";
 
+            string? refreshToken = null;
             string? accessToken = null;
             string? accessTokenType = null;
             string? dpopKey = null;
@@ -156,7 +157,7 @@ public async Task StoreTokenAsync(
             UserToken token,
             UserTokenRequestParameters? parameters = null)
         {
-            parameters ??= new ();
+            parameters ??= new();
 
             // check the cache in case the cookie was re-issued via StoreTokenAsync
             // we use String.Empty as the key for a null SignInScheme
@@ -173,13 +174,7 @@ public async Task StoreTokenAsync(
             // in case you want to filter certain claims before re-issuing the authentication session
             var transformedPrincipal = await FilterPrincipalAsync(result.Principal!).ConfigureAwait(false);
 
-            var expiresName = "expires_at";
-            if (!string.IsNullOrEmpty(parameters.Resource))
-            {
-                expiresName += $"::{parameters.Resource}";
-            }
-
-            var tokenName = OpenIdConnectParameterNames.AccessToken;
+            var tokenName = $"{TokenPrefix}{OpenIdConnectParameterNames.AccessToken}";
             if (!string.IsNullOrEmpty(parameters.Resource))
             {
                 tokenName += $"::{parameters.Resource}";
@@ -194,7 +189,11 @@ public async Task StoreTokenAsync(
             {
                 dpopKeyName += $"::{parameters.Resource}";
             }
-
+            var expiresName = $"{TokenPrefix}expires_at";
+            if (!string.IsNullOrEmpty(parameters.Resource))
+            {
+                expiresName += $"::{parameters.Resource}";
+            }
             var refreshTokenName = $"{OpenIdConnectParameterNames.RefreshToken}";
 
             if (AppendChallengeSchemeToTokenNames(parameters))
@@ -206,13 +205,13 @@ public async Task StoreTokenAsync(
                 expiresName += $"||{parameters.ChallengeScheme}";
             }
 
-            result.Properties!.Items[$"{TokenPrefix}{tokenName}"] = token.AccessToken;
-            result.Properties!.Items[$"{TokenPrefix}{tokenTypeName}"] = token.AccessTokenType;
+            result.Properties!.Items[tokenName] = token.AccessToken;
+            result.Properties!.Items[tokenTypeName] = token.AccessTokenType;
             if (token.DPoPJsonWebKey != null)
             {
-                result.Properties!.Items[$"{TokenPrefix}{dpopKeyName}"] = token.DPoPJsonWebKey;
+                result.Properties!.Items[dpopKeyName] = token.DPoPJsonWebKey;
             }
-            result.Properties!.Items[$"{TokenPrefix}{expiresName}"] = token.Expiration.ToString("o", CultureInfo.InvariantCulture);
+            result.Properties!.Items[expiresName] = token.Expiration.ToString("o", CultureInfo.InvariantCulture);
 
             if (token.RefreshToken != null)
             {
diff --git a/src/Duende.AccessTokenManagement.OpenIdConnect/UserAccessTokenManagementService.cs b/src/Duende.AccessTokenManagement.OpenIdConnect/UserAccessTokenManagementService.cs
@@ -83,15 +83,16 @@ public async Task<UserToken> GetAccessTokenAsync(
             return userToken;
         }
 
-        if (userToken.AccessToken.IsMissing() && userToken.RefreshToken.IsPresent())
+        var needsRenewal = userToken.AccessToken.IsMissing() && userToken.RefreshToken.IsPresent();
+        if (needsRenewal)
         {
             _logger.LogDebug(
                 "No access token found in user token store for user {user} / resource {resource}. Trying to refresh.",
                 userName, parameters.Resource ?? "default");
         }
 
         var dtRefresh = userToken.Expiration.Subtract(_options.RefreshBeforeExpiration);
-        if (dtRefresh < _clock.UtcNow || parameters.ForceRenewal)
+        if (dtRefresh < _clock.UtcNow || parameters.ForceRenewal || needsRenewal)
         {
             _logger.LogDebug("Token for user {user} needs refreshing.", userName);
 
diff --git a/test/Tests/UserTokenManagementTests.cs b/test/Tests/UserTokenManagementTests.cs
@@ -262,7 +262,7 @@ public async Task Short_token_lifetime_should_trigger_refresh()
         token.ShouldNotBeNull();
         token.IsError.ShouldBeFalse();
         token.AccessToken.ShouldBe("refreshed2_access_token");
-        token.AccessTokenType.ShouldBe("token_type");
+        token.AccessTokenType.ShouldBe("token_type2");
         token.RefreshToken.ShouldBe("refreshed2_refresh_token");
         token.Expiration.ShouldNotBe(DateTimeOffset.MaxValue);
     }

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"Web": {`
`4`	`4`	`"commandName": "Project",`
`5`	`5`	`"launchBrowser": true,`
`6`		`- "applicationUrl": "https://localhost:5001;http://localhost:5000",`
	`6`	`+ "applicationUrl": "https://localhost:5002",`
`7`	`7`	`"environmentVariables": {`
`8`	`8`	`"ASPNETCORE_ENVIRONMENT": "Development"`
`9`	`9`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,5 +9,7 @@`
`9`	`9`	`<a href="./home/CallApiAsClientFactory">HTTP client factory</a>`
`10`	`10`	`\|`
`11`	`11`	`<a href="./home/CallApiAsClientFactoryTyped">HTTP client factory (typed)</a>`
	`12`	`+\|`
	`13`	`+<a href="./home/CallApiAsClientResourceIndicator">Use resource indicator</a>`
`12`	`14`
`13`	`15`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,8 @@`
`9`	`9`	`<a href="./CallApiAsUserFactory">HTTP client factory</a>`
`10`	`10`	`\|`
`11`	`11`	`<a href="./CallApiAsUserFactoryTyped">HTTP client factory (typed)</a>`
	`12`	`+\|`
	`13`	`+<a href="./CallApiAsUserResourceIndicator">Use resource indicator</a>`
`12`	`14`
`13`	`15`	`<h3>Call API as Client</h3>`
`14`	`16`
`@@ -17,7 +19,8 @@`
`17`	`19`	`<a href="./CallApiAsClientFactory">HTTP client factory</a>`
`18`	`20`	`\|`
`19`	`21`	`<a href="./CallApiAsClientFactoryTypes">HTTP client factory (typed)</a>`
`20`		`-`
	`22`	`+\|`
	`23`	`+<a href="./CallApiAsClientResourceIndicator">Use resource indicator</a>`
`21`	`24`
`22`	`25`	`<h2>Claims</h2>`
`23`	`26`
Original file line number	Diff line number	Diff line change
`@@ -102,13 +102,14 @@ public async Task<UserToken> GetTokenAsync(`
`102`	`102`	`{`
`103`	`103`	`dpopKeyName += $"::{parameters.Resource}";`
`104`	`104`	`}`
`105`		`- var expiresName = $"{TokenPrefix}expires_at"; string? refreshToken = null;`
	`105`	`+ var expiresName = $"{TokenPrefix}expires_at";`
`106`	`106`	`if (!string.IsNullOrEmpty(parameters.Resource))`
`107`	`107`	`{`
`108`	`108`	`expiresName += $"::{parameters.Resource}";`
`109`	`109`	`}`
`110`	`110`	`const string refreshTokenName = $"{TokenPrefix}{OpenIdConnectParameterNames.RefreshToken}";`
`111`	`111`
	`112`	`+ string? refreshToken = null;`
`112`	`113`	`string? accessToken = null;`
`113`	`114`	`string? accessTokenType = null;`
`114`	`115`	`string? dpopKey = null;`
`@@ -156,7 +157,7 @@ public async Task StoreTokenAsync(`
`156`	`157`	`UserToken token,`
`157`	`158`	`UserTokenRequestParameters? parameters = null)`
`158`	`159`	`{`
`159`		`- parameters ??= new ();`
	`160`	`+ parameters ??= new();`
`160`	`161`
`161`	`162`	`// check the cache in case the cookie was re-issued via StoreTokenAsync`
`162`	`163`	`// we use String.Empty as the key for a null SignInScheme`
`@@ -173,13 +174,7 @@ public async Task StoreTokenAsync(`
`173`	`174`	`// in case you want to filter certain claims before re-issuing the authentication session`
`174`	`175`	`var transformedPrincipal = await FilterPrincipalAsync(result.Principal!).ConfigureAwait(false);`
`175`	`176`
`176`		`- var expiresName = "expires_at";`
`177`		`- if (!string.IsNullOrEmpty(parameters.Resource))`
`178`		`- {`
`179`		`- expiresName += $"::{parameters.Resource}";`
`180`		`- }`
`181`		`-`
`182`		`- var tokenName = OpenIdConnectParameterNames.AccessToken;`
	`177`	`+ var tokenName = $"{TokenPrefix}{OpenIdConnectParameterNames.AccessToken}";`
`183`	`178`	`if (!string.IsNullOrEmpty(parameters.Resource))`
`184`	`179`	`{`
`185`	`180`	`tokenName += $"::{parameters.Resource}";`
`@@ -194,7 +189,11 @@ public async Task StoreTokenAsync(`
`194`	`189`	`{`
`195`	`190`	`dpopKeyName += $"::{parameters.Resource}";`
`196`	`191`	`}`
`197`		`-`
	`192`	`+ var expiresName = $"{TokenPrefix}expires_at";`
	`193`	`+ if (!string.IsNullOrEmpty(parameters.Resource))`
	`194`	`+ {`
	`195`	`+ expiresName += $"::{parameters.Resource}";`
	`196`	`+ }`
`198`	`197`	`var refreshTokenName = $"{OpenIdConnectParameterNames.RefreshToken}";`
`199`	`198`
`200`	`199`	`if (AppendChallengeSchemeToTokenNames(parameters))`
`@@ -206,13 +205,13 @@ public async Task StoreTokenAsync(`
`206`	`205`	`expiresName += $"\|\|{parameters.ChallengeScheme}";`
`207`	`206`	`}`
`208`	`207`
`209`		`- result.Properties!.Items[$"{TokenPrefix}{tokenName}"] = token.AccessToken;`
`210`		`- result.Properties!.Items[$"{TokenPrefix}{tokenTypeName}"] = token.AccessTokenType;`
	`208`	`+ result.Properties!.Items[tokenName] = token.AccessToken;`
	`209`	`+ result.Properties!.Items[tokenTypeName] = token.AccessTokenType;`
`211`	`210`	`if (token.DPoPJsonWebKey != null)`
`212`	`211`	`{`
`213`		`- result.Properties!.Items[$"{TokenPrefix}{dpopKeyName}"] = token.DPoPJsonWebKey;`
	`212`	`+ result.Properties!.Items[dpopKeyName] = token.DPoPJsonWebKey;`
`214`	`213`	`}`
`215`		`- result.Properties!.Items[$"{TokenPrefix}{expiresName}"] = token.Expiration.ToString("o", CultureInfo.InvariantCulture);`
	`214`	`+ result.Properties!.Items[expiresName] = token.Expiration.ToString("o", CultureInfo.InvariantCulture);`
`216`	`215`
`217`	`216`	`if (token.RefreshToken != null)`
`218`	`217`	`{`
Original file line number	Diff line number	Diff line change
`@@ -83,15 +83,16 @@ public async Task<UserToken> GetAccessTokenAsync(`
`83`	`83`	`return userToken;`
`84`	`84`	`}`
`85`	`85`
`86`		`- if (userToken.AccessToken.IsMissing() && userToken.RefreshToken.IsPresent())`
	`86`	`+ var needsRenewal = userToken.AccessToken.IsMissing() && userToken.RefreshToken.IsPresent();`
	`87`	`+ if (needsRenewal)`
`87`	`88`	`{`
`88`	`89`	`_logger.LogDebug(`
`89`	`90`	`"No access token found in user token store for user {user} / resource {resource}. Trying to refresh.",`
`90`	`91`	`userName, parameters.Resource ?? "default");`
`91`	`92`	`}`
`92`	`93`
`93`	`94`	`var dtRefresh = userToken.Expiration.Subtract(_options.RefreshBeforeExpiration);`
`94`		`- if (dtRefresh < _clock.UtcNow \|\| parameters.ForceRenewal)`
	`95`	`+ if (dtRefresh < _clock.UtcNow \|\| parameters.ForceRenewal \|\| needsRenewal)`
`95`	`96`	`{`
`96`	`97`	`_logger.LogDebug("Token for user {user} needs refreshing.", userName);`
`97`	`98`
Original file line number	Diff line number	Diff line change
`@@ -262,7 +262,7 @@ public async Task Short_token_lifetime_should_trigger_refresh()`
`262`	`262`	`token.ShouldNotBeNull();`
`263`	`263`	`token.IsError.ShouldBeFalse();`
`264`	`264`	`token.AccessToken.ShouldBe("refreshed2_access_token");`
`265`		`- token.AccessTokenType.ShouldBe("token_type");`
	`265`	`+ token.AccessTokenType.ShouldBe("token_type2");`
`266`	`266`	`token.RefreshToken.ShouldBe("refreshed2_refresh_token");`
`267`	`267`	`token.Expiration.ShouldNotBe(DateTimeOffset.MaxValue);`
`268`	`268`	`}`