Merge pull request #30 from DuendeSoftware/brock/dpop-worker-host

DPoP fixes

Author: leastprivilege

Diff for: samples/Web/Startup.cs

@@ -2,6 +2,8 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using System;
+using System.Security.Cryptography;
+using System.Text.Json;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.DependencyInjection;
@@ -56,15 +58,24 @@ internal static WebApplication ConfigureServices(this WebApplicationBuilder buil
                 };
             });
 
+        var rsaKey = new RsaSecurityKey(RSA.Create(2048));
+        var jsonWebKey = JsonWebKeyConverter.ConvertFromRSASecurityKey(rsaKey);
+        jsonWebKey.Alg = "PS256";
+        var jwk = JsonSerializer.Serialize(jsonWebKey);
+        
         builder.Services.AddOpenIdConnectAccessTokenManagement(options => 
         {
-            //const string jwk = "{\"Alg\":\"RS256\",\"Crv\":null,\"D\":\"QeBWodq0hSYjfAxxo0VZleXLqwwZZeNWvvFfES4WyItao_-OJv1wKA7zfkZxbWkpK5iRbKrl2AMJ52AtUo5JJ6QZ7IjAQlgM0lBg3ltjb1aA0gBsK5XbiXcsV8DiAnRuy6-XgjAKPR8Lo-wZl_fdPbVoAmpSdmfn_6QXXPBai5i7FiyDbQa16pI6DL-5SCj7F78QDTRiJOqn5ElNvtoJEfJBm13giRdqeriFi3pCWo7H3QBgTEWtDNk509z4w4t64B2HTXnM0xj9zLnS42l7YplJC7MRibD4nVBMtzfwtGRKLj8beuDgtW9pDlQqf7RVWX5pHQgiHAZmUi85TEbYdQ\",\"DP\":\"h2F54OMaC9qq1yqR2b55QNNaChyGtvmTHSdqZJ8lJFqvUorlz-Uocj2BTowWQnaMd8zRKMdKlSeUuSv4Z6WmjSxSsNbonI6_II5XlZLWYqFdmqDS-xCmJY32voT5Wn7OwB9xj1msDqrFPg-PqSBOh5OppjCqXqDFcNvSkQSajXc\",\"DQ\":\"VABdS20Nxkmq6JWLQj7OjRxVJuYsHrfmWJmDA7_SYtlXaPUcg-GiHGQtzdDWEeEi0dlJjv9I3FdjKGC7CGwqtVygW38DzVYJsV2EmRNJc1-j-1dRs_pK9GWR4NYm0mVz_IhS8etIf9cfRJk90xU3AL3_J6p5WNF7I5ctkLpnt8M\",\"E\":\"AQAB\",\"K\":null,\"KeyOps\":[],\"Kty\":\"RSA\",\"N\":\"yWWAOSV3Z_BW9rJEFvbZyeU-q2mJWC0l8WiHNqwVVf7qXYgm9hJC0j1aPHku_Wpl38DpK3Xu3LjWOFG9OrCqga5Pzce3DDJKI903GNqz5wphJFqweoBFKOjj1wegymvySsLoPqqDNVYTKp4nVnECZS4axZJoNt2l1S1bC8JryaNze2stjW60QT-mIAGq9konKKN3URQ12dr478m0Oh-4WWOiY4HrXoSOklFmzK-aQx1JV_SZ04eIGfSw1pZZyqTaB1BwBotiy-QA03IRxwIXQ7BSx5EaxC5uMCMbzmbvJqjt-q8Y1wyl-UQjRucgp7hkfHSE1QT3zEex2Q3NFux7SQ\",\"Oth\":null,\"P\":\"_T7MTkeOh5QyqlYCtLQ2RWf2dAJ9i3wrCx4nEDm1c1biijhtVTL7uJTLxwQIM9O2PvOi5Dq-UiGy6rhHZqf5akWTeHtaNyI-2XslQfaS3ctRgmGtRQL_VihK-R9AQtDx4eWL4h-bDJxPaxby_cVo_j2MX5AeoC1kNmcCdDf_X0M\",\"Q\":\"y5ZSThaGLjaPj8Mk2nuD8TiC-sb4aAZVh9K-W4kwaWKfDNoPcNb_dephBNMnOp9M1br6rDbyG7P-Sy_LOOsKg3Q0wHqv4hnzGaOQFeMJH4HkXYdENC7B5JG9PefbC6zwcgZWiBnsxgKpScNWuzGF8x2CC-MdsQ1bkQeTPbJklIM\",\"QI\":\"i716Vt9II_Rt6qnjsEhfE4bej52QFG9a1hSnx5PDNvRrNqR_RpTA0lO9qeXSZYGHTW_b6ZXdh_0EUwRDEDHmaxjkIcTADq6JLuDltOhZuhLUSc5NCKLAVCZlPcaSzv8-bZm57mVcIpx0KyFHxvk50___Jgx1qyzwLX03mPGUbDQ\",\"Use\":null,\"X\":null,\"X5c\":[],\"X5t\":null,\"X5tS256\":null,\"X5u\":null,\"Y\":null,\"KeySize\":2048,\"HasPrivateKey\":true,\"CryptoProviderFactory\":{\"CryptoProviderCache\":{},\"CustomCryptoProvider\":null,\"CacheSignatureProviders\":true,\"SignatureProviderObjectPoolCacheSize\":80}}";
+            // if you uncomment this line, then be sure to change the URL for the "user_client"
+            // to include "dpop/" at the end, since that's the DPoP enabled API path
             //options.DPoPJsonWebKey = jwk;
         });
 
         // registers HTTP client that uses the managed user access token
         builder.Services.AddUserAccessTokenHttpClient("user_client",
-            configureClient: client => { client.BaseAddress = new Uri("https://demo.duendesoftware.com/api/"); });
+            configureClient: client => {
+                client.BaseAddress = new Uri("https://demo.duendesoftware.com/api/");
+                //client.BaseAddress = new Uri("https://demo.duendesoftware.com/api/dpop/");
+            });
 
         // registers HTTP client that uses the managed client access token
         builder.Services.AddClientAccessTokenHttpClient("client",

Diff for: samples/Worker/Program.cs

@@ -4,6 +4,9 @@
 using System;
 using Duende.AccessTokenManagement;
 using Serilog.Sinks.SystemConsole.Themes;
+using Microsoft.IdentityModel.Tokens;
+using System.Security.Cryptography;
+using System.Text.Json;
 
 namespace WorkerService;
 
@@ -38,34 +41,62 @@ public static IHostBuilder CreateHostBuilder(string[] args)
 
                         client.Scope = "api";
                     })
+                    .AddClient("demo.dpop", client =>
+                    {
+                        client.TokenEndpoint = "https://demo.duendesoftware.com/connect/token";
+                        //client.TokenEndpoint = "https://localhost:5001/connect/token";
+
+                        client.ClientId = "m2m.dpop";
+                        //client.ClientId = "m2m.dpop.nonce";
+                        client.ClientSecret = "secret";
+
+                        client.Scope = "api";
+                        client.DPoPJsonWebKey = CreateDPoPKey();
+                    })
                     .AddClient("demo.jwt", client =>
                     {
                         client.TokenEndpoint = "https://demo.duendesoftware.com/connect/token";
                         client.ClientId = "m2m.short.jwt";
 
                         client.Scope = "api";
                     });
-                
+
                 services.AddClientCredentialsHttpClient("client", "demo", client =>
                 {
                     client.BaseAddress = new Uri("https://demo.duendesoftware.com/api/");
                 });
-                
+
+                services.AddClientCredentialsHttpClient("client.dpop", "demo.dpop", client =>
+                {
+                    //client.BaseAddress = new Uri("https://localhost:5001/api/dpop/");
+                    client.BaseAddress = new Uri("https://demo.duendesoftware.com/api/dpop/");
+                });
+
                 services.AddHttpClient<TypedClient>(client =>
                     {
                         client.BaseAddress = new Uri("https://demo.duendesoftware.com/api/");
                     })
                     .AddClientCredentialsTokenHandler("demo");
 
                 services.AddTransient<IClientAssertionService, ClientAssertionService>();
-                
+
                 //services.AddHostedService<WorkerManual>();
-                services.AddHostedService<WorkerManualJwt>();
+                //services.AddHostedService<WorkerManualJwt>();
                 //services.AddHostedService<WorkerHttpClient>();
                 //services.AddHostedService<WorkerTypedHttpClient>();
+                services.AddHostedService<WorkerDPoPHttpClient>();
             });
 
         return host;
     }
-            
+
+    private static string CreateDPoPKey()
+    {
+        var key = new RsaSecurityKey(RSA.Create(2048));
+        var jwk = JsonWebKeyConverter.ConvertFromRSASecurityKey(key);
+        jwk.Alg = "PS256";
+        var jwkJson = JsonSerializer.Serialize(jwk);
+        return jwkJson;
+    }
+
 }

Diff for: samples/Worker/WorkerDPoPHttpClient.cs

@@ -0,0 +1,49 @@
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using System;
+using System.Net.Http;
+using System.Threading;
+using System.Threading.Tasks;
+
+namespace WorkerService;
+
+public class WorkerDPoPHttpClient : BackgroundService
+{
+    private readonly ILogger<WorkerDPoPHttpClient> _logger;
+    private readonly IHttpClientFactory _clientFactory;
+
+    public WorkerDPoPHttpClient(ILogger<WorkerDPoPHttpClient> logger, IHttpClientFactory factory)
+    {
+        _logger = logger;
+        _clientFactory = factory;
+    }
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        await Task.Delay(2000, stoppingToken);
+            
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            Console.WriteLine("\n\n");
+            _logger.LogInformation("WorkerHttpClient running at: {time}", DateTimeOffset.Now);
+
+            var client = _clientFactory.CreateClient("client.dpop");
+            var response = await client.GetAsync("test?x=1", stoppingToken);
+                
+            if (response.IsSuccessStatusCode)
+            {
+                var content = await response.Content.ReadAsStringAsync(stoppingToken);
+                _logger.LogInformation("API response: {response}", content);    
+            }
+            else
+            {
+                _logger.LogError("API returned: {statusCode}", response.StatusCode);
+            }
+
+            await Task.Delay(5000, stoppingToken);
+        }
+    }
+}

Diff for: src/Duende.AccessTokenManagement.OpenIdConnect/DPoPProofTokenHandler.cs

@@ -43,7 +43,7 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
         var dPoPNonce = response.GetDPoPNonce();
 
         // retry if 401
-        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized && response.IsDPoPNonceError())
+        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized && response.IsDPoPError())
         {
             response.Dispose();
 
@@ -54,7 +54,7 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
         {
             await _dPoPNonceStore.StoreNonceAsync(new DPoPNonceContext
             {
-                Url = request.RequestUri!.AbsoluteUri,
+                Url = request.GetDPoPUrl(),
                 Method = request.Method.ToString(),
             }, dPoPNonce);
         }
@@ -77,7 +77,7 @@ protected virtual async Task SetDPoPProofTokenAsync(HttpRequestMessage request,
             // create proof
             var proofToken = await _dPoPProofService.CreateProofTokenAsync(new DPoPProofRequest
             {
-                Url = request.RequestUri!.AbsoluteUri,
+                Url = request.GetDPoPUrl(),
                 Method = request.Method.ToString(),
                 DPoPJsonWebKey = jwk,
                 DPoPNonce = dpopNonce,

Diff for: src/Duende.AccessTokenManagement.OpenIdConnect/UserTokenEndpointService.cs

@@ -105,7 +105,10 @@ public async Task<UserToken> RefreshAccessTokenAsync(
         _logger.LogDebug("refresh token request to: {endpoint}", request.Address);
         var response = await oidc.HttpClient!.RequestRefreshTokenAsync(request, cancellationToken).ConfigureAwait(false);
 
-        if (response.IsError && response.Error == OidcConstants.TokenErrors.UseDPoPNonce && dPoPJsonWebKey != null && response.DPoPNonce != null)
+        if (response.IsError && 
+            (response.Error == OidcConstants.TokenErrors.UseDPoPNonce || response.Error == OidcConstants.TokenErrors.InvalidDPoPProof) && 
+            dPoPJsonWebKey != null && 
+            response.DPoPNonce != null)
         {
             var proof = await _dPoPProofService.CreateProofTokenAsync(new DPoPProofRequest
             {

Diff for: src/Duende.AccessTokenManagement/AccessTokenHandler.cs

@@ -57,7 +57,7 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
             response.Dispose();
 
             // if it's a DPoP nonce error, we don't need to obtain a new access token
-            var force = !response.IsDPoPNonceError();
+            var force = !response.IsDPoPError();
             if (!force && !string.IsNullOrEmpty(dPoPNonce))
             {
                 _logger.LogDebug("DPoP nonce error invoking endpoint: {url}, retrying using new nonce", request.RequestUri?.AbsoluteUri.ToString());
@@ -70,7 +70,7 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
         {
             await _dPoPNonceStore.StoreNonceAsync(new DPoPNonceContext
             {
-                Url = request.RequestUri!.AbsoluteUri,
+                Url = request.GetDPoPUrl(),
                 Method = request.Method.ToString(),
             }, dPoPNonce);
         }
@@ -122,7 +122,7 @@ protected virtual async Task<bool> SetDPoPProofTokenAsync(HttpRequestMessage req
             var proofToken = await _dPoPProofService.CreateProofTokenAsync(new DPoPProofRequest
             {
                 AccessToken = token.AccessToken,
-                Url = request.RequestUri!.AbsoluteUri,
+                Url = request.GetDPoPUrl(),
                 Method = request.Method.ToString(),
                 DPoPJsonWebKey = token.DPoPJsonWebKey,
                 DPoPNonce = dpopNonce,

Diff for: src/Duende.AccessTokenManagement/ClientCredentialsTokenEndpointService.cs

@@ -145,7 +145,10 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
         _logger.LogDebug("Requesting client credentials access token at endpoint: {endpoint}", request.Address);
         var response = await httpClient.RequestClientCredentialsTokenAsync(request, cancellationToken).ConfigureAwait(false);
 
-        if (response.IsError && response.Error == OidcConstants.TokenErrors.UseDPoPNonce && key != null && response.DPoPNonce != null)
+        if (response.IsError && 
+            (response.Error == OidcConstants.TokenErrors.UseDPoPNonce || response.Error == OidcConstants.TokenErrors.InvalidDPoPProof) && 
+            key != null && 
+            response.DPoPNonce != null)
         {
             _logger.LogDebug("Token request failed with DPoP nonce error. Retrying with new nonce.");
 

Diff for: src/Duende.AccessTokenManagement/DPoPExtensions.cs

@@ -43,9 +43,9 @@ public static void SetDPoPProofToken(this HttpRequestMessage request, string? pr
     }
 
     /// <summary>
-    /// Reads the WWW-Authenticate response header to determine if the respone is in error due to an invalid DPoP nonce 
+    /// Reads the WWW-Authenticate response header to determine if the respone is in error due to DPoP
     /// </summary>
-    public static bool IsDPoPNonceError(this HttpResponseMessage response)
+    public static bool IsDPoPError(this HttpResponseMessage response)
     {
         if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
         {
@@ -64,10 +64,21 @@ public static bool IsDPoPNonceError(this HttpResponseMessage response)
                     return null;
                 }).Where(x => x != null).FirstOrDefault();
 
-                return error == OidcConstants.TokenErrors.UseDPoPNonce;
+                return error == OidcConstants.TokenErrors.UseDPoPNonce || error == OidcConstants.TokenErrors.InvalidDPoPProof;
             }
         }
 
         return false;
     }
+
+    /// <summary>
+    /// Returns the URL without any query params
+    /// </summary>
+    /// <param name="request"></param>
+    /// <returns></returns>
+    public static string GetDPoPUrl(this HttpRequestMessage request)
+    {
+        return request.RequestUri!.Scheme + "://" + request.RequestUri!.Authority + request.RequestUri!.LocalPath;
+        return request.RequestUri!.Scheme + "://" + request.RequestUri!.Authority + request.RequestUri!.AbsolutePath;
+    }
 }

Diff for: src/Duende.AccessTokenManagement/DistributedClientCredentialsTokenCache.cs

@@ -53,7 +53,7 @@ public async Task SetAsync(
             AbsoluteExpiration = cacheExpiration
         };
 
-        _logger.LogDebug("Caching access token for client: {clientName}. Expiration: {expiration}", clientName, cacheExpiration);
+        _logger.LogTrace("Caching access token for client: {clientName}. Expiration: {expiration}", clientName, cacheExpiration);
 
         var cacheKey = GenerateCacheKey(_options, clientName, requestParameters);
         await _cache.SetStringAsync(cacheKey, data, entryOptions, token: cancellationToken).ConfigureAwait(false);
@@ -84,7 +84,7 @@ public async Task SetAsync(
             }
         }
 
-        _logger.LogDebug("Cache miss for access token for client: {clientName}", clientName);
+        _logger.LogTrace("Cache miss for access token for client: {clientName}", clientName);
         return null;
     }
 

Diff for: src/Duende.AccessTokenManagement/DistributedDPoPNonceStore.cs

@@ -47,7 +47,7 @@ public DistributedDPoPNonceStore(
             return entry;
         }
 
-        _logger.LogDebug("Cache miss for DPoP nonce for URL: {url}, method: {method}", context.Url, context.Method);
+        _logger.LogTrace("Cache miss for DPoP nonce for URL: {url}, method: {method}", context.Url, context.Method);
         return null;
     }
 
@@ -64,7 +64,7 @@ public virtual async Task StoreNonceAsync(DPoPNonceContext context, string nonce
             AbsoluteExpiration = cacheExpiration
         };
 
-        _logger.LogDebug("Caching DPoP nonce for URL: {url}, method: {method}. Expiration: {expiration}", context.Url, context.Method, cacheExpiration);
+        _logger.LogTrace("Caching DPoP nonce for URL: {url}, method: {method}. Expiration: {expiration}", context.Url, context.Method, cacheExpiration);
 
         var cacheKey = GenerateCacheKey(context);
         await _cache.SetStringAsync(cacheKey, data, entryOptions, token: cancellationToken).ConfigureAwait(false);