Merge pull request #766 from DuendeSoftware/wca/oidc-client-dpop-extensions

Add documentation of how to use the Duende.IdentityModel.OidcClient.Extensions package to implement DPoP

Author: wcabus

src/content/docs/identitymodel-oidcclient/advanced/_meta.yml

@@ -0,0 +1,3 @@
+label: 'Advanced'
+order: 6
+collapsed: true

src/content/docs/identitymodel-oidcclient/advanced/dpop.mdx

@@ -0,0 +1,100 @@
+---
+title: Demonstrating Proof-of-Possession (DPoP)
+description: Learn how to leverage Demonstrating Proof-of-Possession when using OidcClient to build a native OIDC client.
+sidebar:
+  label: DPoP
+  order: 1
+---
+
+[DPoP][dpop-spec] specifies how to bind an asymmetric key stored
+within a JSON Web Key (JWK) to an access token. This will make the access token bound to the key such that if the
+access token were to leak, it cannot be used without also having access to the private key of the corresponding JWK.
+
+The `Duende.IdentityModel.OidcClient.Extensions` library adds supports for DPoP to OidcClient.
+
+## DPoP Key
+
+Before we begin, your application needs to have a DPoP key in the form of a
+JSON Web Key (or JWK). According to the [DPoP specification][dpop-spec], this
+key needs to use an asymmetric algorithm ("RS", "ES", or "PS" style).
+
+:::note
+The client application is responsible for creating the DPoP key,
+rotating it, and managing its lifetime. For as long as there are access tokens
+(and possibly refresh tokens) bound to a DPoP key, that key needs to remain
+available to the client application.
+:::
+
+You can create a JWK in .NET using the `Duende.IdentityModel.OidcClient.Extensions` library.
+The `JsonWebKeys` class has several static methods to help with creating JWKs using various algorithms.
+
+```csharp
+// Program.cs
+using Duende.IdentityModel.OidcClient.DPoP;
+
+// Creates a JWK using the PS256 algorithm:
+var jwk = JsonWebKeys.CreateRsaJson();
+
+Console.WriteLine(jwk);
+```
+
+:::caution
+In a production scenario, you'll want to store this JWK in a secure location
+and use ASP.NET's [data protection](https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/) to further
+protect the JWK. See [our data protection guide](/identityserver/deployment#aspnet-core-data-protection) for more
+information.
+:::
+
+## Initializing the OIDC client with DPoP support
+
+We will need to extend the `OidcClientOptions` before we can use DPoP.
+
+After creating the `OidcClientOptions`
+to connect our client application with the Identity Provider, we retrieve a JWK to use for DPoP, and add that JWK
+to our `options` by calling the `ConfigureDPoP` extension method:
+
+```csharp
+// Program.cs
+using Duende.IdentityModel.OidcClient;
+using Duende.IdentityModel.OidcClient.DPoP;
+
+var options = new OidcClientOptions
+{
+    Authority = "https://demo.duendesoftware.com",
+    ClientId = "native.dpop",
+    Scope = "openid profile email offline_access",
+    // ...
+};
+
+// creates a new JWK, or returns an existing one
+var jwk = GetDPoPJwk();
+
+// Enable DPoP
+options.ConfigureDPoP(jwk);
+
+var oidcClient = new OidcClient(options);
+```
+
+## Proof Tokens for the API
+
+Now that we've configured the `OidcClientOptions` with DPoP support and created an
+`OidcClient` instance, you can use this instance to create an `HttpMessageHandler` which
+will:
+
+- manage access and refresh tokens
+- add DPoP proof tokens to HTTP requests
+
+The `OidcClient` provides `CreateDPoPHandler` as a convenience method to create such a handler,
+which can be used with the .NET `HttpClient`.
+
+```csharp
+// Program.cs
+var sessionRefreshToken = "..."; // read from a previous session, if any
+
+var handler = oidcClient.CreateDPoPHandler(jwk, sessionRefreshToken);
+var apiClient = new HttpClient(handler);
+```
+
+For a full example, have a look at our [WPF with the system browser](https://github.com/DuendeSoftware/foss/tree/main/identity-model-oidc-client/samples/Wpf) sample.
+
+[dpop-spec]: https://datatracker.ietf.org/doc/html/rfc9449

src/content/docs/identitymodel-oidcclient/index.mdx

@@ -17,7 +17,7 @@ relying party implementation.**
 
 The `Duende.IdentityModel.OidcClient` library is a certified OpenID Connect relying party and
 implements [RFC 8252](https://tools.ietf.org/html/rfc8252/), "OAuth 2.0 for native
-Applications". The `Duende.IdentityModel.OidcClient.Extensions` provides support for
+Applications". The `Duende.IdentityModel.OidcClient.Extensions` library provides support for
 [DPoP](https://datatracker.ietf.org/doc/html/rfc9449)
 extensions to Duende.IdentityModel.OidcClient for sender-constraining tokens.
 

src/content/docs/identitymodel-oidcclient/samples.md

@@ -9,8 +9,8 @@ redirect_from:
 ---
 
 Samples of IdentityModel.OidcClient are available [on
-GitHub](https://github.com/IdentityModel/IdentityModel.OidcClient.Samples). Our samples
-show how to use a OidcClient with a variety of platforms and UI tools, including:
+GitHub](https://github.com/DuendeSoftware/foss/tree/main/identity-model-oidc-client/samples). Our samples
+show how to use an OidcClient with a variety of platforms and UI tools, including:
 
 - [.NET MAUI](https://github.com/DuendeSoftware/foss/tree/main/identity-model-oidc-client/samples/Maui)
 - [WPF with the system browser](https://github.com/DuendeSoftware/foss/tree/main/identity-model-oidc-client/samples/Wpf)

src/content/docs/identityserver/troubleshooting.mdx

@@ -46,7 +46,7 @@ Core Authentication libraries. If it is not correctly configured it might result
 - The key `{xxxxx-xxxx-xxx-xxx-xxxxxxx}` was not found in the key ring.
 - Failed to unprotect AuthenticationTicket payload for key `{key}`
 
-See [our data protection guide](/identityserver/deployment#data-protection-keys) for more
+See [our data protection guide](/identityserver/deployment#aspnet-core-data-protection) for more
 information.
 
 ## Load Balancing, proxies and TLS offloading