update for ath logic dpop validator in API

Author: brockallen

src/DPoP/DPoPJwtBearerEvents.cs

@@ -41,14 +41,14 @@ public override async Task TokenValidated(TokenValidatedContext context)
     {
         var dpopOptions = _optionsMonitor.Get(context.Scheme.Name);
 
-        if (context.HttpContext.Request.IsDPoPAuthorizationScheme())
+        if (context.HttpContext.Request.TryGetDPoPAccessToken(out var at))
         {
             var proofToken = context.HttpContext.Request.GetDPoPProofToken();
             var result = await _validator.ValidateAsync(new DPoPProofValidatonContext
             {
                 Scheme = context.Scheme.Name,
                 ProofToken = proofToken,
-                AccessTokenClaims = context.Principal.Claims,
+                AccessToken = at,
                 Method = context.HttpContext.Request.Method,
                 Url = context.HttpContext.Request.Scheme + "://" + context.HttpContext.Request.Host + context.HttpContext.Request.PathBase + context.HttpContext.Request.Path
             });

src/DPoP/DPoPProofValidatonContext.cs

@@ -26,7 +26,7 @@ public class DPoPProofValidatonContext
     public string ProofToken { get; set; }
 
     /// <summary>
-    /// The validated claims from the access token
+    /// The access token
     /// </summary>
-    public IEnumerable<Claim> AccessTokenClaims { get; set; }
+    public string AccessToken { get; set; }
 }

src/DPoP/DPoPProofValidatonResult.cs

@@ -45,6 +45,11 @@ public class DPoPProofValidatonResult
     /// The jti value read from the payload.
     /// </summary>
     public string TokenId { get; set; }
+    
+    /// <summary>
+    /// The ath value read from the payload.
+    /// </summary>
+    public string AccessTokenHash { get; set; }
 
     /// <summary>
     /// The nonce value read from the payload.

src/DPoP/DPoPProofValidator.cs

@@ -7,10 +7,12 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
 using System.Text.Json;
 using System.Threading.Tasks;
 
-namespace DPoPApi;
+namespace ApiHost;
 
 public class DPoPProofValidator
 {
@@ -211,6 +213,32 @@ protected virtual Task ValidateSignatureAsync(DPoPProofValidatonContext context,
     /// </summary>
     protected virtual async Task ValidatePayloadAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
     {
+        if (result.Payload.TryGetValue(JwtClaimTypes.DPoPAccessTokenHash, out var ath))
+        {
+            result.AccessTokenHash = ath as string;
+        }
+
+        if (String.IsNullOrEmpty(result.AccessTokenHash))
+        {
+            result.IsError = true;
+            result.ErrorDescription = "Invalid 'ath' value.";
+            return;
+        }
+
+        using (var sha = SHA256.Create())
+        {
+            var bytes = Encoding.UTF8.GetBytes(context.AccessToken);
+            var hash = sha.ComputeHash(bytes);
+
+            var accessTokenHash = Base64Url.Encode(hash);
+            if (accessTokenHash != result.AccessTokenHash)
+            {
+                result.IsError = true;
+                result.ErrorDescription = "Invalid 'ath' value.";
+                return;
+            }
+        }
+
         if (result.Payload.TryGetValue(JwtClaimTypes.JwtId, out var jti))
         {
             result.TokenId = jti as string;