Merge pull request #46 from DuendeSoftware/joe/atm-net9

Add support for .NET 9 to access token management

Directory.Packages.props

@@ -11,21 +11,21 @@
   <PropertyGroup Condition=" '$(TargetFramework)' == 'net6.0'">
     <FrameworkVersion>6.0.1</FrameworkVersion>
     <ExtensionsVersion>6.0.0</ExtensionsVersion>
-    <WilsonVersion>7.1.2</WilsonVersion>
-    <IdentityServerVersion>6.1.8</IdentityServerVersion>
+    <WilsonVersion>6.35.0</WilsonVersion>
+    <IdentityServerVersion>6.3.10</IdentityServerVersion>
   </PropertyGroup>
 
   <PropertyGroup Condition=" '$(TargetFramework)' == 'net8.0'">
     <FrameworkVersion>8.0.1</FrameworkVersion>
     <ExtensionsVersion>8.0.0</ExtensionsVersion>
-    <WilsonVersion>7.1.2</WilsonVersion>
+    <WilsonVersion>[8.0.1,9.0.0)</WilsonVersion> 
     <IdentityServerVersion>7.0.8</IdentityServerVersion>
   </PropertyGroup>
 
   <PropertyGroup Condition=" '$(TargetFramework)' == 'net9.0'">
     <FrameworkVersion>9.0.0</FrameworkVersion>
     <ExtensionsVersion>9.0.0</ExtensionsVersion>
-    <WilsonVersion>8.0.0</WilsonVersion>
+    <WilsonVersion>[8.0.1,9.0.0)</WilsonVersion>
     <IdentityServerVersion>7.0.8</IdentityServerVersion>
   </PropertyGroup>
 
@@ -57,6 +57,7 @@
     <PackageVersion Include="Shouldly" Version="4.2.1" />
     <PackageVersion Include="SimpleExec" Version="12.0.0" />
     <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="$(WilsonVersion)" />
+    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="$(WilsonVersion)" />
     <PackageVersion Include="System.Text.Json" Version="8.0.5" />
     <PackageVersion Include="Verify.Xunit" Version="27.0.1" />
     <PackageVersion Include="xunit.core" Version="2.9.2" />

access-token-management/global.json

@@ -1,6 +1,6 @@
 {
   "sdk": {
-    "version": "8.0.100",
+    "version": "9.0.100",
     "rollForward": "latestMajor",
     "allowPrerelease": false
   }

access-token-management/src/AccessTokenManagement.OpenIdConnect/AccessTokenManagement.OpenIdConnect.csproj

@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFrameworks>net8.0</TargetFrameworks>
+    <TargetFrameworks>net8.0;net9.0</TargetFrameworks>
     <PackageId>Duende.AccessTokenManagement.OpenIdConnect</PackageId>
     <AssemblyName>$(PackageId)</AssemblyName>
     <RootNamespace>$(PackageId)</RootNamespace>
@@ -12,6 +12,7 @@
   </ItemGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="..\AccessTokenManagement\AccessTokenManagement.csproj" />

access-token-management/src/AccessTokenManagement.OpenIdConnect/OpenIdConnectConfigurationService.cs

@@ -71,8 +71,7 @@ public async Task<OpenIdConnectClientConfiguration> GetOpenIdConnectConfiguratio
 
             Authority = options.Authority,
             TokenEndpoint = configuration.TokenEndpoint,
-            RevocationEndpoint = configuration.AdditionalData.TryGetValue(OidcConstants.Discovery.RevocationEndpoint, out var value) ? value?.ToString() : null,
-
+            RevocationEndpoint = configuration.RevocationEndpoint,            
             ClientId = options.ClientId,
             ClientSecret = options.ClientSecret,
             HttpClient = options.Backchannel,

access-token-management/src/AccessTokenManagement/AccessTokenManagement.csproj

@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFrameworks>net8.0</TargetFrameworks>
+    <TargetFrameworks>net8.0;net9.0</TargetFrameworks>
     <PackageId>Duende.AccessTokenManagement</PackageId>
     <AssemblyName>$(PackageId)</AssemblyName>
     <RootNamespace>$(PackageId)</RootNamespace>

access-token-management/test/AccessTokenManagement.Tests/AccessTokenManagement.Tests.csproj

@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFrameworks>net8.0</TargetFrameworks>
+    <TargetFrameworks>net8.0;net9.0</TargetFrameworks>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <RootNamespace>Duende.AccessTokenManagement</RootNamespace>
@@ -14,6 +14,7 @@
     <PackageReference Include="Duende.IdentityServer"/>
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
     <PackageReference Include="Microsoft.AspNetCore.TestHost" />
+
     <PackageReference Include="RichardSzalay.MockHttp" />
   </ItemGroup>
   <ItemGroup>

access-token-management/test/AccessTokenManagement.Tests/Framework/AppHost.cs

@@ -58,6 +58,11 @@ private void ConfigureServices(IServiceCollection services)
             })
             .AddOpenIdConnect("oidc", options =>
             {
+                options.Events.OnRedirectToIdentityProviderForSignOut = async e =>
+                {
+                    await e.HttpContext.RevokeRefreshTokenAsync();
+                };
+
                 options.Authority = _identityServerHost.Url();
 
                 options.ClientId = ClientId;
@@ -212,9 +217,8 @@ public async Task<HttpResponseMessage> LogoutAsync(string? sid = null)
 
         response = await BrowserClient.GetAsync(response.Headers.Location.ToString());
         response.StatusCode.ShouldBe((HttpStatusCode)302); // root
-        response.Headers.Location!.ToString().ToLowerInvariant().ShouldBe("/");
 
-        response = await BrowserClient.GetAsync(Url(response.Headers.Location.ToString()));
+        response = await BrowserClient.GetAsync(Url(response.Headers.Location!.ToString()));
         return response;
     }
 }

access-token-management/test/AccessTokenManagement.Tests/Framework/IdentityServerHost.cs

@@ -53,6 +53,9 @@ private void ConfigureServices(IServiceCollection services)
                 // Artificially low durations to force retries
                 options.DPoP.ServerClockSkew = TimeSpan.Zero;
                 options.DPoP.ProofTokenValidityDuration = TimeSpan.FromSeconds(1);
+
+                // Disable PAR (this keeps test setup simple, and we don't need to integration test PAR here - it is covered by IdentityServer itself)
+                options.Endpoints.EnablePushedAuthorizationEndpoint = false;
             })
             .AddInMemoryClients(Clients)
             .AddInMemoryIdentityResources(IdentityResources)

access-token-management/test/AccessTokenManagement.Tests/UserTokenManagementTests.cs

@@ -4,6 +4,8 @@
 using System.Net.Http.Json;
 using System.Text.Json;
 using Duende.AccessTokenManagement.OpenIdConnect;
+using Duende.IdentityModel;
+using IdentityModel.Client;
 using RichardSzalay.MockHttp;
 
 namespace Duende.AccessTokenManagement.Tests;
@@ -421,4 +423,40 @@ public async Task Multiple_users_have_distinct_tokens_across_refreshes()
         thirdToken.sub.ShouldNotBe(secondToken.sub);
         thirdToken.token.ShouldNotBe(firstToken.token);
     }
+
+
+    [Fact]
+    public async Task Logout_should_revoke_refresh_tokens()
+    {
+        await AppHost.InitializeAsync();
+        await AppHost.LoginAsync("alice");
+
+        var response = await AppHost.BrowserClient.GetAsync(AppHost.Url("/user_token"));
+        var token = await response.Content.ReadFromJsonAsync<UserToken>();
+        var refreshToken = token?.RefreshToken;
+
+        refreshToken.ShouldNotBeNull();
+
+        var introspectionParams = new TokenIntrospectionRequest
+        {
+            Token = refreshToken,
+            TokenTypeHint = OidcConstants.TokenTypes.RefreshToken,
+            ClientId = "web",
+            ClientSecret = "secret",
+            Address = IdentityServerHost.Url("/connect/introspect")
+        };
+
+        var introspectionResponse = await IdentityServerHost.HttpClient.IntrospectTokenAsync(introspectionParams);
+        introspectionResponse.ShouldNotBeNull();
+        introspectionResponse.IsError.ShouldBeFalse(introspectionResponse.Error);
+        introspectionResponse.IsActive.ShouldBeTrue();
+
+        await AppHost.BrowserClient.GetAsync(AppHost.Url("/logout"));
+
+        var postLogoutIntrospectionResponse = await IdentityServerHost.HttpClient.IntrospectTokenAsync(introspectionParams);
+        postLogoutIntrospectionResponse.ShouldNotBeNull();
+        postLogoutIntrospectionResponse.IsError.ShouldBeFalse(introspectionResponse.Error);
+        postLogoutIntrospectionResponse.IsActive.ShouldBeFalse();
+
+    }
 }

identity-model-oidc-client/src/IdentityModel.OidcClient.Extensions/DPoP/DPoPProofTokenFactory.cs

@@ -4,7 +4,6 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
-using Duende.IdentityModel;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;
 
@@ -24,7 +23,7 @@ public DPoPProofTokenFactory(string proofKey)
     {
         _jwk = new JsonWebKey(proofKey);
 
-        if (_jwk.Alg.IsNullOrEmpty())
+        if (string.IsNullOrEmpty(_jwk.Alg))
         {
             throw new ArgumentException("alg must be set on proof key");
         }

identity-model-oidc-client/test/IdentityModel.OidcClient.Tests/IdentityModel.OidcClient.Tests.csproj

@@ -17,6 +17,7 @@
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
     <PackageReference Include="Microsoft.AspNetCore.TestHost" />
     <PackageReference Include="Microsoft.Extensions.Primitives" />
+    <PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" />
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
   </ItemGroup>
 </Project>

identity-model/test/IdentityModel.Tests/HttpClientExtensions/TokenRevocationExtensions.cs

@@ -12,7 +12,7 @@ namespace Duende.IdentityModel.HttpClientExtensions
 {
     public class TokenRevocationExtensionsTests
     {
-        private const string Endpoint = "http://server/endoint";
+        private const string Endpoint = "http://server/endpoint";
 
         [Fact]
         public async Task Http_request_should_have_correct_format()