Merge branch 'main' into joe/wilson

brockallen · web-flow · commit c6c180a5c99a · 2024-02-27T11:48:18.000-05:00
diff --git a/README.md b/README.md
@@ -1,8 +1,43 @@
-# C#/NetStandard OpenID Connect Client Library for native Applications
-Supported platforms: netstandard14, desktop .NET, UWP, .NET Core, Xamarin iOS & Android. [Nuget.](https://www.nuget.org/packages/IdentityModel.OidcClient/)
+## About IdentityModel.OidcClient
+This repository contains several libraries for building OpenID Connect (OIDC) native
+clients. The core IdentityModel.OidcClient library is a certified OIDC relying party and
+implements [RFC 8252](https://tools.ietf.org/html/rfc8252/), "OAuth 2.0 for native
+Applications". The IdentityModel.OidcClient.IdTokenValidator provides validation of Id
+Tokens based on the Microsoft JWT handler: 
+[IdentityModel.OidcClient.IdentityTokenValidator](https://www.nuget.org/packages/IdentityModel.OidcClient.IdentityTokenValidator),
+and is distributed as a separate package in order to prevent certain dependency problems.
+Finally, IdentityModel.OidcClient.DPoP adds [DPoP](https://datatracker.ietf.org/doc/html/rfc9449) 
+extensions to IdentityModel.OidcClient for sender-constraining tokens.
 
-[Certified](http://openid.net/certification/) OpenID Connect relying party implementation. 
+
+## Samples
+OidcClient targets .NET Standard, making it suitable for .NET and .NET
+Framework. It can be used to build OIDC native clients with a variety of .NET UI tools.
+The [samples repository](https://github.com/IdentityModel/IdentityModel.OidcClient.Samples)
+shows how to use it in 
+- .NET MAUI
+- Console Applications
+- WPF
+- WinForms
+- Xamarin iOS & Android
+- UWP
+
+## Documentation 
+
+More documentation is available
+[here](https://identitymodel.readthedocs.io/en/latest/native/overview.html).
+
+
+## Certification
+OidcClient is a [certified](http://openid.net/certification/) OpenID Connect
+relying party implementation.
 
 ![openid_certified](https://cloud.githubusercontent.com/assets/1454075/7611268/4d19de32-f97b-11e4-895b-31b2455a7ca6.png)
 
-See [here](https://identitymodel.readthedocs.io/en/latest/native/overview.html) for documentation and [here](https://github.com/IdentityModel/IdentityModel.OidcClient.Samples) for samples.
+
+## Feedback
+
+IdentityModel.OidcClient is released as open source under the 
+[Apache 2.0 license](https://github.com/IdentityModel/IdentityModel.OidcClient/blob/main/LICENSE). 
+Bug reports and contributions are welcome at 
+[the GitHub repository](https://github.com/IdentityModel/IdentityModel.OidcClient).
diff --git a/clients/ConsoleClientWithBrowser/Program.cs b/clients/ConsoleClientWithBrowser/Program.cs
@@ -5,6 +5,7 @@
 using System.Net.Http;
 using System.Text.Json;
 using System.Threading.Tasks;
+using Microsoft.Extensions.Logging;
 using Serilog.Sinks.SystemConsole.Themes;
 
 namespace ConsoleClientWithBrowser
@@ -54,7 +55,7 @@ private static async Task SignIn()
                 .WriteTo.Console(outputTemplate: "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message}{NewLine}{Exception}{NewLine}", theme: AnsiConsoleTheme.Code)
                 .CreateLogger();
 
-            options.LoggerFactory.AddSerilog(serilog);
+            options.LoggerFactory = new LoggerFactory().AddSerilog(serilog);
 
             _oidcClient = new OidcClient(options);
             var result = await _oidcClient.LoginAsync(new LoginRequest());
diff --git a/clients/ConsoleClientWithBrowserAndDPoP/Program.cs b/clients/ConsoleClientWithBrowserAndDPoP/Program.cs
@@ -8,6 +8,7 @@
 using System.Threading.Tasks;
 using Serilog.Sinks.SystemConsole.Themes;
 using IdentityModel.OidcClient.DPoP;
+using Microsoft.Extensions.Logging;
 
 namespace ConsoleClientWithBrowserAndDPoP
 {
@@ -57,7 +58,7 @@ private static async Task SignIn()
                 .WriteTo.Console(outputTemplate: "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message}{NewLine}{Exception}{NewLine}", theme: AnsiConsoleTheme.Code)
                 .CreateLogger();
 
-            options.LoggerFactory.AddSerilog(serilog);
+            options.LoggerFactory = new LoggerFactory().AddSerilog(serilog);
 
             _oidcClient = new OidcClient(options);
 
diff --git a/src/DPoP/DPoP.csproj b/src/DPoP/DPoP.csproj
@@ -13,7 +13,7 @@
         <Description>DPoP extensions for IdentityModel.OidcClient</Description>
         <Authors>Dominick Baier;Brock Allen</Authors>
         <PackageIcon>icon.jpg</PackageIcon>
-
+        <PackageReadmeFile>README.md</PackageReadmeFile>
         <PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>
         <GenerateDocumentationFile>true</GenerateDocumentationFile>
 
@@ -39,14 +39,15 @@
 
     <ItemGroup>
         <None Include="../../icon.jpg" Pack="true" Visible="false" PackagePath="" />
+        <None Include="README.md" Pack="true" PackagePath=""/>
     </ItemGroup>
 
     <ItemGroup>
         <PackageReference Include="IdentityModel" Version="7.0.0-preview.3" />
         <PackageReference Include="minver" Version="4.3.0" PrivateAssets="All" />
         <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.3.1" />
 
-        <PackageReference Include="Microsoft.Extensions.Logging" Version="6.0.0" />
+        <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.0" />
         <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.1.1" PrivateAssets="All" />
     </ItemGroup>
 
diff --git a/src/DPoP/README.md b/src/DPoP/README.md
@@ -0,0 +1,19 @@
+## About IdentityModel.OidcClient
+IdentityModel.OidcClient.DPoP adds support for DPoP ([RFC
+9449](https://datatracker.ietf.org/doc/html/rfc9449)) to IdentityModel.OidcClient. DPoP
+sender-constrains access and refresh tokens to protect them against replay attacks, and is 
+often used by mobile and other native applications.
+
+## Related Packages
+
+- Library for claims-based identity, OAuth 2.0, and OpenID Connect: [IdentityModel](https://www.nuget.org/packages/IdentityModel)
+- RFC8252 compliant and certified OpenID Connect and OAuth 2.0 client library for native applications: [IdentityModel.OidcClient](https://www.nuget.org/packages/IdentityModel.OidcClient)
+- Id token validator for IdentityModel.OidcClient based on the Microsoft JWT handler: [IdentityModel.OidcClient.IdentityTokenValidator](https://www.nuget.org/packages/IdentityModel.OidcClient.IdentityTokenValidator)
+- Authentication handler for introspection tokens: [IdentityModel.AspNetCore.OAuth2Introspection](https://www.nuget.org/packages/IdentityModel.AspNetCore.OAuth2Introspection)
+
+## Feedback
+
+IdentityModel.OidcClient is released as open source under the 
+[Apache 2.0 license](https://github.com/IdentityModel/IdentityModel.OidcClient/blob/main/LICENSE). 
+Bug reports and contributions are welcome at 
+[the GitHub repository](https://github.com/IdentityModel/IdentityModel.OidcClient).
diff --git a/src/IdentityTokenValidator/IdentityTokenValidator.csproj b/src/IdentityTokenValidator/IdentityTokenValidator.csproj
@@ -11,6 +11,7 @@
         <Authors>Dominick Baier;Brock Allen</Authors>
         <PackageIcon>icon.jpg</PackageIcon>
         <PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>
+        <PackageReadmeFile>README.md</PackageReadmeFile>
         <GenerateDocumentationFile>true</GenerateDocumentationFile>
 
         <!-- Publish the repository URL in the built .nupkg (in the NuSpec <Repository> element) -->
@@ -34,13 +35,14 @@
 
     <ItemGroup>
         <None Include="../../icon.jpg" Pack="true" Visible="false" PackagePath="" />
+        <None Include="README.md" Pack="true" PackagePath=""/>
     </ItemGroup>
     
     <ItemGroup>
         <PackageReference Include="minver" Version="4.3.0" PrivateAssets="All" />
 
         <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.3.1" />
-        <PackageReference Include="Microsoft.Extensions.Logging" Version="6.0.0" />
+        <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.0" />
         <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.1.1" PrivateAssets="All" />
     </ItemGroup>
     
diff --git a/src/IdentityTokenValidator/README.md b/src/IdentityTokenValidator/README.md
@@ -0,0 +1,22 @@
+## About IdentityModel.OidcClient
+IdentityModel.OidcClient.IdentityTokenValidator validates ID tokens using Microsoft's
+[System.IdentityModel.Tokens.Jwt](https://www.nuget.org/packages/System.IdentityModel.Tokens.Jwt/)
+library. It is intended to be used with
+[IdentityModel.OidcClient](https://www.nuget.org/packages/IdentityModel.OidcClient/),
+which provides an abstraction for validation of ID tokens that this package implements.
+Distributing the ID token validator separately allows for greater control of the version
+of the Microsoft JWT handler and prevents certain dependency issues. 
+
+## Related Packages
+
+- Library for claims-based identity, OAuth 2.0, and OpenID Connect: [IdentityModel](https://www.nuget.org/packages/IdentityModel)
+- RFC8252 compliant and certified OpenID Connect and OAuth 2.0 client library for native applications: [IdentityModel.OidcClient](https://www.nuget.org/packages/IdentityModel.OidcClient)
+- Id token validator for IdentityModel.OidcClient based on the Microsoft JWT handler: [IdentityModel.OidcClient.IdentityTokenValidator](https://www.nuget.org/packages/IdentityModel.OidcClient.IdentityTokenValidator)
+- Authentication handler for introspection tokens: [IdentityModel.AspNetCore.OAuth2Introspection](https://www.nuget.org/packages/IdentityModel.AspNetCore.OAuth2Introspection)
+
+## Feedback
+
+IdentityModel.OidcClient.IdentityTokenValidator is released as open source under the 
+[Apache 2.0 license](https://github.com/IdentityModel/IdentityModel.OidcClient/blob/main/LICENSE). 
+Bug reports and contributions are welcome at 
+[the GitHub repository](https://github.com/IdentityModel/IdentityModel.OidcClient).
diff --git a/src/OidcClient/AuthorizeClient.cs b/src/OidcClient/AuthorizeClient.cs
@@ -62,6 +62,7 @@ public async Task<AuthorizeResult> AuthorizeAsync(AuthorizeRequest request,
             }
 
             result.Error = browserResult.Error ?? browserResult.ResultType.ToString();
+            result.ErrorDescription = browserResult.ErrorDescription;
             return result;
         }
 
diff --git a/src/OidcClient/CryptoHelper.cs b/src/OidcClient/CryptoHelper.cs
@@ -56,10 +56,10 @@ public bool ValidateHash(string data, string hashedData, string signatureAlgorit
             using (hashAlgorithm)
             {
                 var hash = hashAlgorithm.ComputeHash(Encoding.ASCII.GetBytes(data));
-                var size = (hashAlgorithm.HashSize / 8) / 2;
+                var size = hashAlgorithm.HashSize / 8 / 2; // Only take the left half of the data, as per spec for at_hash 
 
-                byte[] leftPart = new byte[hashAlgorithm.HashSize / size];
-                Array.Copy(hash, leftPart, hashAlgorithm.HashSize / size);
+                byte[] leftPart = new byte[size];
+                Array.Copy(hash, leftPart, size);
 
                 var leftPartB64 = Base64Url.Encode(leftPart);
                 var match = leftPartB64.Equals(hashedData);
diff --git a/src/OidcClient/OidcClient.csproj b/src/OidcClient/OidcClient.csproj
@@ -1,19 +1,20 @@
 ﻿<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <PackageId>IdentityModel.OidcClient</PackageId>
     <RootNamespace>IdentityModel.OidcClient</RootNamespace>
     <AssemblyName>IdentityModel.OidcClient</AssemblyName>
 
     <TargetFrameworks>netstandard2.0;net6.0</TargetFrameworks>
     <LangVersion>latest</LangVersion>
 
+    <PackageId>IdentityModel.OidcClient</PackageId>
     <PackageTags>OAuth2;OAuth 2.0;OpenID Connect;Security;Identity;IdentityServer</PackageTags>
     <Description>RFC8252 compliant and certified OpenID Connect and OAuth 2.0 client library for native applications</Description>
     <Authors>Dominick Baier;Brock Allen</Authors>
     <PackageIcon>icon.jpg</PackageIcon>
-
     <PackageLicenseExpression>Apache-2.0</PackageLicenseExpression>
+    <PackageReadmeFile>README.md</PackageReadmeFile>
+
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
 
     <!-- Publish the repository URL in the built .nupkg (in the NuSpec <Repository> element) -->
@@ -37,13 +38,14 @@
 
    <ItemGroup>
     <None Include="../../icon.jpg" Pack="true" Visible="false" PackagePath="" />
-  </ItemGroup>
+    <None Include="README.md" Pack="true" PackagePath=""/>
+</ItemGroup>
 
   <ItemGroup>
     <PackageReference Include="IdentityModel" Version="7.0.0-preview.3" />
     <PackageReference Include="minver" Version="4.3.0" PrivateAssets="All" />
     
-    <PackageReference Include="Microsoft.Extensions.Logging" Version="6.0.0" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.0" />
     <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.1.1" PrivateAssets="All" />
   </ItemGroup>
 
diff --git a/src/OidcClient/OidcClientOptions.cs b/src/OidcClient/OidcClientOptions.cs
@@ -9,6 +9,7 @@
 using System.Collections.Generic;
 using System.Net.Http;
 using System.Text.Json.Serialization;
+using Microsoft.Extensions.Logging.Abstractions;
 
 namespace IdentityModel.OidcClient
 {
@@ -212,7 +213,7 @@ public class OidcClientOptions
         /// The logger factory.
         /// </value>
         [JsonIgnore]
-        public ILoggerFactory LoggerFactory { get; set; } = new LoggerFactory();
+        public ILoggerFactory LoggerFactory { get; set; } = new NullLoggerFactory();
 
         /// <summary>
         /// Gets or sets the identity token validator.
diff --git a/src/OidcClient/README.md b/src/OidcClient/README.md
@@ -0,0 +1,52 @@
+## About IdentityModel.OidcClient
+IdentityModel.OidcClient is an OpenID Connect (OIDC) client library that for native
+applications. It provides
+- Types that describe OIDC requests and responses
+- Low level methods to construct protocol state and handle responses
+- Higher level methods for 
+   - Logging in
+   - Logging out
+   - Retrieving userinfo
+   - Refreshing tokens
+
+## Samples
+IdentityModel.OidcClient targets .NET Standard, making it suitable for .NET and .NET
+Framework. It can be used to build OIDC native clients with a variety of .NET UI tools.
+The [samples repository](https://github.com/IdentityModel/IdentityModel.OidcClient.Samples)
+shows how to use it in 
+- .NET MAUI
+- Console Applications
+- WPF
+- WinForms
+- Xamarin iOS & Android
+- UWP
+
+## Documentation 
+
+More documentation is available
+[here](https://identitymodel.readthedocs.io/en/latest/native/overview.html).
+
+
+## Standards and Certification
+IdentityModel.OidcClient is a [certified](http://openid.net/certification/) OpenID Connect
+relying party implementation, and implements [RFC 8252](https://tools.ietf.org/html/rfc8252/),
+"OAuth 2.0 for native Applications".
+
+![openid_certified](https://cloud.githubusercontent.com/assets/1454075/7611268/4d19de32-f97b-11e4-895b-31b2455a7ca6.png)
+
+
+
+
+## Related Packages
+
+- Library for claims-based identity, OAuth 2.0, and OpenID Connect: [IdentityModel](https://www.nuget.org/packages/IdentityModel)
+- Id token validator for IdentityModel.OidcClient based on the Microsoft JWT handler: [IdentityModel.OidcClient.IdentityTokenValidator](https://www.nuget.org/packages/IdentityModel.OidcClient.IdentityTokenValidator)
+- [DPoP](https://datatracker.ietf.org/doc/html/rfc9449) extensions for IdentityModel.OidcClient: [IdentityModel.OidcClient.DPoP ](https://www.nuget.org/packages/IdentityModel.OidcClient.DPoP)
+- Authentication handler for introspection tokens: [IdentityModel.AspNetCore.OAuth2Introspection](https://www.nuget.org/packages/IdentityModel.AspNetCore.OAuth2Introspection)
+
+## Feedback
+
+IdentityModel.OidcClient is released as open source under the 
+[Apache 2.0 license](https://github.com/IdentityModel/IdentityModel.OidcClient/blob/main/LICENSE). 
+Bug reports and contributions are welcome at 
+[the GitHub repository](https://github.com/IdentityModel/IdentityModel.OidcClient).
diff --git a/test/JwtValidationTests/JwtValidationTests.csproj b/test/JwtValidationTests/JwtValidationTests.csproj
@@ -20,5 +20,6 @@
         <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3" />
         <PackageReference Include="xunit" Version="2.4.1" />
         <PackageReference Include="FluentAssertions" Version="5.10.2" />
+        <PackageReference Include="Microsoft.Extensions.Primitives" Version="8.0.0" />
     </ItemGroup>
 </Project>
diff --git a/test/OidcClient.Tests/AuthorizeRequestTests.cs b/test/OidcClient.Tests/AuthorizeRequestTests.cs
@@ -89,7 +89,8 @@ public async Task Browser_error_is_surfaced_in_authorize_response()
                 Browser = new TestBrowser(_ => Task.FromResult(new BrowserResult
                 {
                     ResultType = BrowserResultType.HttpError,
-                    Error = "Something terrible happened"
+                    Error = "Something terrible happened",
+                    ErrorDescription = "Explaining the terrible error..."
                 }))
             };
 
@@ -98,6 +99,7 @@ public async Task Browser_error_is_surfaced_in_authorize_response()
             var response = await client.AuthorizeAsync(new AuthorizeRequest());
 
             response.Error.Should().Be("Something terrible happened");
+            response.ErrorDescription.Should().Be("Explaining the terrible error...");
         }
     }
 }
diff --git a/test/OidcClient.Tests/CryptoHelperTests.cs b/test/OidcClient.Tests/CryptoHelperTests.cs
@@ -0,0 +1,31 @@
+using System;
+using System.Text;
+using FluentAssertions;
+using IdentityModel;
+using IdentityModel.OidcClient;
+using Xunit;
+
+public class CryptoHelperTests
+{
+    [Theory]
+    [InlineData("asdf", "RS256")]
+    [InlineData("asdf", "RS384")]
+    [InlineData("asdf", "RS512")]
+    public void ComputeHash_should_compute_correct_hashes_for_all_signature_algorithms(string data, string algorithmName)
+    {
+        var sut = new CryptoHelper(new OidcClientOptions());
+        var algorithm = sut.GetMatchingHashAlgorithm(algorithmName);
+
+        var hash = algorithm.ComputeHash(Encoding.ASCII.GetBytes(data));
+
+        var bytesInLeftHalf = algorithm.HashSize / 16; // Divide by 8 for bytes and then 2 to get just half, as per spec for at_hash.
+
+        var leftHalf = new byte[bytesInLeftHalf];
+        Array.Copy(hash, leftHalf, bytesInLeftHalf);
+
+        var hashString = Base64Url.Encode(leftHalf);
+
+        sut.ValidateHash(data, hashString, algorithmName).Should().BeTrue();
+    }
+
+}
diff --git a/test/OidcClient.Tests/OidcClient.Tests.csproj b/test/OidcClient.Tests/OidcClient.Tests.csproj
@@ -19,6 +19,7 @@
         <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.3.1"/>
 
         <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.4"/>
+        <PackageReference Include="Microsoft.Extensions.Primitives" Version="8.0.0" />
         <PackageReference Include="xunit.runner.visualstudio" Version="2.4.3"/>
         <PackageReference Include="xunit" Version="2.4.1"/>
         <PackageReference Include="FluentAssertions" Version="5.10.3"/>
diff --git a/test/TrimmableAnalysis/TrimmableAnalysis.csproj b/test/TrimmableAnalysis/TrimmableAnalysis.csproj
@@ -6,7 +6,8 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <PublishTrimmed>true</PublishTrimmed>
     <TrimmerSingleWarn>false</TrimmerSingleWarn> 
-    <TreatWarningsAsErrors>true</TreatWarningsAsErrors> 
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <IsPackable>false</IsPackable>
   </PropertyGroup>
 
   <ItemGroup>

Original file line number	Diff line number	Diff line change
`@@ -62,6 +62,7 @@ public async Task<AuthorizeResult> AuthorizeAsync(AuthorizeRequest request,`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`result.Error = browserResult.Error ?? browserResult.ResultType.ToString();`
	`65`	`+ result.ErrorDescription = browserResult.ErrorDescription;`
`65`	`66`	`return result;`
`66`	`67`	`}`
`67`	`68`