Merge branch 'main' into release-3.1.1

DuendeSoftware · Feb 18, 2025 · e079bf1 · e079bf1
2 parents 368f47d + 859c9c0
commit e079bf1
Show file tree

Hide file tree

Showing 64 changed files with 1,393 additions and 1,369 deletions.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,7 +1,7 @@
 blank_issues_enabled: false
 contact_links:
   - name: Support Forum
-    url: https://github.com/DuendeSoftware/Support/issues/new/choose
+    url: https://github.com/DuendeSoftware/community
     about: The place for questions, support and feature requests
   - name: Create an Issue
     url: https://github.com/DuendeSoftware/foss/issues/new

diff --git a/.github/workflow-gen/Properties/launchSettings.json b/.github/workflow-gen/Properties/launchSettings.json
@@ -0,0 +1,8 @@
+{
+  "profiles": {
+    "workflow-gen": {
+      "commandName": "Project",
+      "workingDirectory": "$(ProjectDir)"
+    }
+  }
+}
diff --git a/.github/workflows/access-token-management-release.yml b/.github/workflows/access-token-management-release.yml
@@ -95,8 +95,6 @@ jobs:
     needs:
     - tag
     runs-on: ubuntu-latest
-    environment:
-      name: nuget.org
     steps:
     - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
       with:

diff --git a/.github/workflows/identity-model-oidc-client-release.yml b/.github/workflows/identity-model-oidc-client-release.yml
@@ -95,8 +95,6 @@ jobs:
     needs:
     - tag
     runs-on: ubuntu-latest
-    environment:
-      name: nuget.org
     steps:
     - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
       with:

diff --git a/.github/workflows/identity-model-release.yml b/.github/workflows/identity-model-release.yml
@@ -80,6 +80,7 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         NUGET_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload Artifacts
+      if: github.event_name == 'push'
       uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882
       with:
         name: artifacts
@@ -93,8 +94,6 @@ jobs:
     needs:
     - tag
     runs-on: ubuntu-latest
-    environment:
-      name: nuget.org
     steps:
     - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
       with:

diff --git a/.github/workflows/ignore-this-release.yml b/.github/workflows/ignore-this-release.yml
@@ -93,8 +93,6 @@ jobs:
     needs:
     - tag
     runs-on: ubuntu-latest
-    environment:
-      name: nuget.org
     steps:
     - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
       with:

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -33,34 +33,21 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46  # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecard on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
           publish_results: true
 
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6
         with:
           name: SARIF file
           path: results.sarif
@@ -69,6 +56,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
         with:
           sarif_file: results.sarif
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -35,8 +35,7 @@
     <PackageVersion Include="coverlet.collector" Version="6.0.2" />
     <PackageVersion Include="Duende.IdentityModel" Version="7.0.0" />
     <PackageVersion Include="Duende.IdentityServer" Version="$(IdentityServerVersion)" />
-    <PackageVersion Include="FluentAssertions" Version="6.12.0" />
-    <PackageVersion Include="MartinCostello.Logging.XUnit" Version="0.3.0" />
+    <PackageVersion Include="MartinCostello.Logging.XUnit.v3" Version="0.5.1" />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="$(FrameworkVersion)" />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="$(FrameworkVersion)" />
     <PackageVersion Include="Microsoft.AspNetCore.TestHost" Version="$(FrameworkVersion)" />
@@ -47,7 +46,8 @@
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="$(ExtensionsVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Options" Version="$(ExtensionsVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Primitives" Version="$(ExtensionsVersion)" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.11.1"/>
+    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(WilsonVersion)" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0"/>
     <PackageVersion Include="Microsoft.NETCore.Jit" Version="2.0.8" />
     <PackageVersion Include="Microsoft.SourceLink.GitHub" Version="8.0.0"/>
     <PackageVersion Include="MinVer" Version="6.0.0" />
@@ -57,10 +57,10 @@
     <PackageVersion Include="Shouldly" Version="4.2.1" />
     <PackageVersion Include="SimpleExec" Version="12.0.0" />
     <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="$(WilsonVersion)" />
-    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(WilsonVersion)" />
+    <PackageVersion Include="System.Net.Http" Version="4.3.4" />
     <PackageVersion Include="System.Text.Json" Version="8.0.5" />
-    <PackageVersion Include="Verify.Xunit" Version="27.0.1" />
-    <PackageVersion Include="xunit.core" Version="2.9.2" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.2" />
+    <PackageVersion Include="Verify.XunitV3" Version="28.9.0" />
+    <PackageVersion Include="xunit.v3.core" Version="1.0.1" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.1" />
   </ItemGroup>
 </Project>
diff --git a/access-token-management/README.md b/access-token-management/README.md
@@ -14,7 +14,7 @@ The libraries in this directory are distributed as NuGet packages.
   acquired in user-centric flows in [ASP.NET Core](https://dotnet.microsoft.com/en-us/apps/aspnet) applications.
 
 ## Documentation
-Documentation is available [here](https://github.com/DuendeSoftware/foss/wiki).
+Documentation is available [here]([https://github.com/DuendeSoftware/foss/wiki](https://docs.duendesoftware.com/foss/accesstokenmanagement/).
 
 ## License and Feedback
 Duende.AccessTokenManagement is released as open source under the 

diff --git a/access-token-management/src/AccessTokenManagement/AccessTokenHandler.cs b/access-token-management/src/AccessTokenManagement/AccessTokenHandler.cs
@@ -40,6 +40,13 @@ public AccessTokenHandler(
     /// <returns></returns>
     protected abstract Task<ClientCredentialsToken> GetAccessTokenAsync(bool forceRenewal, CancellationToken cancellationToken);
 
+    /// <inheritdoc/>
+    protected override HttpResponseMessage Send(HttpRequestMessage request, CancellationToken cancellationToken)
+    {
+        throw new NotSupportedException(
+            "The (synchronous) Send() method is not supported. Please use the async SendAsync variant. ");
+    }
+
     /// <inheritdoc/>
     protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
     {

diff --git a/access-token-management/src/AccessTokenManagement/ClientCredentialsClient.cs b/access-token-management/src/AccessTokenManagement/ClientCredentialsClient.cs
@@ -14,12 +14,12 @@ public class ClientCredentialsClient
     /// The address of the token endpoint
     /// </summary>
     public string? TokenEndpoint { get; set; }
-    
+
     /// <summary>
     /// The client ID 
     /// </summary>
     public string? ClientId { get; set; }
-    
+
     /// <summary>
     /// The static (shared) client secret
     /// </summary>
@@ -30,11 +30,19 @@ public class ClientCredentialsClient
     /// </summary>
     public ClientCredentialStyle ClientCredentialStyle { get; set; }
 
+    /// <summary>
+    /// Gets or sets the basic authentication header style (classic HTTP vs OAuth 2).
+    /// </summary>
+    /// <value>
+    /// The basic authentication header style.
+    /// </value>
+    public BasicAuthenticationHeaderStyle AuthorizationHeaderStyle { get; set; } = BasicAuthenticationHeaderStyle.Rfc6749;
+
     /// <summary>
     /// The scope
     /// </summary>
     public string? Scope { get; set; }
-    
+
     /// <summary>
     /// The resource
     /// </summary>
@@ -49,7 +57,7 @@ public class ClientCredentialsClient
     /// Additional parameters to send with token requests.
     /// </summary>
     public Parameters Parameters { get; set; } = new Parameters();
-    
+
     /// <summary>
     /// The HTTP client instance to use for the back-channel operations, will override the HTTP client name if set
     /// </summary>

diff --git a/access-token-management/src/AccessTokenManagement/ClientCredentialsTokenEndpointService.cs b/access-token-management/src/AccessTokenManagement/ClientCredentialsTokenEndpointService.cs
@@ -69,17 +69,18 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
             ClientId = client.ClientId,
             ClientSecret = client.ClientSecret,
             ClientCredentialStyle = client.ClientCredentialStyle,
+            AuthorizationHeaderStyle = client.AuthorizationHeaderStyle
         };
 
         request.Parameters.AddRange(client.Parameters);
-        
+
         parameters ??= new TokenRequestParameters();
-        
+
         if (!string.IsNullOrWhiteSpace(parameters.Scope))
         {
             request.Scope = parameters.Scope;
         }
-        
+
         if (!string.IsNullOrWhiteSpace(parameters.Resource))
         {
             request.Resource.Clear();
@@ -103,14 +104,14 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
         else
         {
             var assertion = await _clientAssertionService.GetClientAssertionAsync(clientName).ConfigureAwait(false);
-                
+
             if (assertion != null)
             {
                 request.ClientAssertion = assertion;
                 request.ClientCredentialStyle = ClientCredentialStyle.PostBody;
             }
         }
-        
+
         request.Options.TryAdd(ClientCredentialsTokenManagementDefaults.TokenRequestParametersOptionsName, parameters);
 
         var key = await _dPoPKeyMaterialService.GetKeyAsync(clientName);
@@ -134,19 +135,19 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
         }
         else if (!string.IsNullOrWhiteSpace(client.HttpClientName))
         {
-            httpClient = _httpClientFactory.CreateClient(client.HttpClientName);    
+            httpClient = _httpClientFactory.CreateClient(client.HttpClientName);
         }
         else
         {
-            httpClient = _httpClientFactory.CreateClient(ClientCredentialsTokenManagementDefaults.BackChannelHttpClientName);    
+            httpClient = _httpClientFactory.CreateClient(ClientCredentialsTokenManagementDefaults.BackChannelHttpClientName);
         }
-        
+
         _logger.LogDebug("Requesting client credentials access token at endpoint: {endpoint}", request.Address);
         var response = await httpClient.RequestClientCredentialsTokenAsync(request, cancellationToken).ConfigureAwait(false);
 
-        if (response.IsError && 
-            (response.Error == OidcConstants.TokenErrors.UseDPoPNonce || response.Error == OidcConstants.TokenErrors.InvalidDPoPProof) && 
-            key != null && 
+        if (response.IsError &&
+            (response.Error == OidcConstants.TokenErrors.UseDPoPNonce || response.Error == OidcConstants.TokenErrors.InvalidDPoPProof) &&
+            key != null &&
             response.DPoPNonce != null)
         {
             _logger.LogDebug("Token request failed with DPoP nonce error. Retrying with new nonce.");
@@ -173,7 +174,7 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
                 Error = response.Error
             };
         }
-        
+
         return new ClientCredentialsToken
         {
             AccessToken = response.AccessToken,

diff --git a/access-token-management/src/AccessTokenManagement/ClientCredentialsTokenManagementBuilder.cs b/access-token-management/src/AccessTokenManagement/ClientCredentialsTokenManagementBuilder.cs
@@ -8,18 +8,9 @@ namespace Microsoft.Extensions.DependencyInjection;
 /// <summary>
 /// Builder for client credential clients
 /// </summary>
-public class ClientCredentialsTokenManagementBuilder
+public class ClientCredentialsTokenManagementBuilder(IServiceCollection services)
 {
-    private readonly IServiceCollection _services;
-
-    /// <summary>
-    /// ctor
-    /// </summary>
-    /// <param name="services"></param>
-    public ClientCredentialsTokenManagementBuilder(IServiceCollection services)
-    {
-        _services = services;
-    }
+    public IServiceCollection Services { get; } = services;
 
     /// <summary>
     /// Adds a client credentials client to the token management system
@@ -29,7 +20,7 @@ public ClientCredentialsTokenManagementBuilder(IServiceCollection services)
     /// <returns></returns>
     public ClientCredentialsTokenManagementBuilder AddClient(string name, Action<ClientCredentialsClient> configureOptions)
     {
-        _services.Configure(name, configureOptions);
+        Services.Configure(name, configureOptions);
         return this;
     }
 }
diff --git a/access-token-management/src/AccessTokenManagement/Interfaces/ITokenRequestSynchronization.cs b/access-token-management/src/AccessTokenManagement/Interfaces/ITokenRequestSynchronization.cs
@@ -4,7 +4,8 @@
 namespace Duende.AccessTokenManagement;
 
 /// <summary>
-/// Service to provide synchronization to token endpoint requests
+/// Service to provide synchronization to token endpoint requests. When concurrent requests are made for the same token, this service
+/// de-duplicates the requests and ensures that only one request is made to the token endpoint.
 /// </summary>
 public interface ITokenRequestSynchronization
 {

diff --git a/...management/test/AccessTokenManagement.Tests/StoreTokensInAuthenticationPropertiesTests.cs b/...management/test/AccessTokenManagement.Tests/StoreTokensInAuthenticationPropertiesTests.cs
@@ -308,15 +308,15 @@ public void Removing_all_tokens_in_a_challenge_scheme_should_remove_items_shared
         AccessToken = Guid.NewGuid().ToString(),
         AccessTokenType = Guid.NewGuid().ToString(),
         RefreshToken = Guid.NewGuid().ToString(),
-        Expiration = new DateTimeOffset(new DateTime(Random.Shared.Next())),
+        Expiration = new DateTimeOffset(new DateTime(DateTime.Now.Ticks + Random.Shared.Next())),
         DPoPJsonWebKey = Guid.NewGuid().ToString()
     };
 
     private UserToken GenerateAnotherTokenForADifferentResource(UserToken previousToken) => new UserToken
     {
         AccessToken = Guid.NewGuid().ToString(),
         AccessTokenType = Guid.NewGuid().ToString(),
-        Expiration = new DateTimeOffset(new DateTime(Random.Shared.Next())),
+        Expiration = new DateTimeOffset(new DateTime(DateTime.Now.Ticks + Random.Shared.Next())),
 
         // These two values don't change when we switch resources
         RefreshToken = previousToken.RefreshToken,

diff --git a/access-token-management/test/AccessTokenManagement.Tests/Usings.cs b/access-token-management/test/AccessTokenManagement.Tests/Usings.cs
@@ -1,5 +1,5 @@
 // Copyright (c) Duende Software. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
-global using Xunit;
-global using Shouldly;
+global using Shouldly;
+global using Xunit;
diff --git a/foss.sln b/foss.sln
@@ -112,6 +112,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "workflow-gen", ".github\wor
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "IdentityModel.OidcClient.Extensions", "identity-model-oidc-client\src\IdentityModel.OidcClient.Extensions\IdentityModel.OidcClient.Extensions.csproj", "{71943026-C895-4C39-953E-3F02519EFDA7}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TrimmableAnalysis", "identity-model-oidc-client\src\TrimmableAnalysis\TrimmableAnalysis.csproj", "{DB959C7D-0C67-435A-A0DB-CE6ED94DC72A}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -202,6 +204,10 @@ Global
 		{71943026-C895-4C39-953E-3F02519EFDA7}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{71943026-C895-4C39-953E-3F02519EFDA7}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{71943026-C895-4C39-953E-3F02519EFDA7}.Release|Any CPU.Build.0 = Release|Any CPU
+		{DB959C7D-0C67-435A-A0DB-CE6ED94DC72A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{DB959C7D-0C67-435A-A0DB-CE6ED94DC72A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{DB959C7D-0C67-435A-A0DB-CE6ED94DC72A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{DB959C7D-0C67-435A-A0DB-CE6ED94DC72A}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -239,6 +245,7 @@ Global
 		{DB9D419A-39BE-4AF0-8DF5-AC59DB218469} = {7FE03753-F6F7-48B3-B38B-52EC8C804998}
 		{79FA307B-8362-448B-8ED3-A8E60700B04C} = {F3E00123-AE97-4BF4-8868-E078B59691C8}
 		{71943026-C895-4C39-953E-3F02519EFDA7} = {93313B63-592B-41AA-B122-BE6DED75B198}
+		{DB959C7D-0C67-435A-A0DB-CE6ED94DC72A} = {93313B63-592B-41AA-B122-BE6DED75B198}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {198D25AC-7BC4-48D6-BF04-37AF59E0648D}

diff --git a/identity-model-oidc-client/README.md b/identity-model-oidc-client/README.md
@@ -1,11 +1,11 @@
-## About IdentityModel.OidcClient
+## About Duende.IdentityModel.OidcClient
 
-This repository contains several libraries for building OpenID Connect (OIDC) native
+This directory contains several libraries for building OpenID Connect (OIDC) native
 clients. The core `Duende.IdentityModel.OidcClient` library is a certified OIDC relying party and
 implements [RFC 8252](https://tools.ietf.org/html/rfc8252/), "OAuth 2.0 for native
 Applications". The `Duende.IdentityModel.OidcClient.Extensions` provides support for
 [DPoP](https://datatracker.ietf.org/doc/html/rfc9449) 
-extensions to IdentityModel.OidcClient for sender-constraining tokens.
+extensions to Duende.IdentityModel.OidcClient for sender-constraining tokens.
 
 ## Samples
 OidcClient targets .NET Standard, making it suitable for .NET and .NET