Many dataholders in same organization using the same Auth Server

Joe Shook · Joe Shook · commit 60f636daec48 · 2025-08-18T16:08:56.000-07:00
This is work to fixup the UI to to track with Auth Servers that publish registration endpoints and token endpoints with query parameter to enable a single UDAP client certificate to register different client Ids across multiple dataholders that share the same Authorization server.
diff --git a/Shared/Components/SelectIdP_Dialog.razor b/Shared/Components/SelectIdP_Dialog.razor
@@ -8,7 +8,7 @@
     <DialogContent>
         <MudForm>
             <MudSelect @bind-Value="IdP"
-                       Label="Select Client"
+                       Label="Select Idp hint"
                        Placeholder="Please Select"
                        AdornmentIcon="@Icons.Material.Outlined.ArrowDropDown"
                        AdornmentColor="Color.Primary"
diff --git a/Shared/Extensions/ClientRegistrationFilterExtensions.cs b/Shared/Extensions/ClientRegistrationFilterExtensions.cs
@@ -0,0 +1,39 @@
+using System.Collections.Immutable;
+using UdapEd.Shared.Components;
+using UdapEd.Shared.Model;
+
+namespace UdapEd.Shared.Extensions;
+
+public static class ClientRegistrationFilterExtensions
+{
+    /// <summary>
+    /// Filters registrations to those matching the current certificate (SAN), resource server (BaseUrl),
+    /// plus any optional additional predicate.
+    /// </summary>
+    public static IDictionary<string, ClientRegistration?> FilterRegistrations(
+        this ClientRegistrations? source,
+        CascadingAppState appState,
+        Func<ClientRegistration, bool>? predicate = null)
+    {
+        if (source?.Registrations == null ||
+            appState.UdapClientCertificateInfo == null ||
+            appState.UdapClientCertificateInfo?.SubjectAltNames == null)
+        {
+            return new Dictionary<string, ClientRegistration?>();
+        }
+
+        var query = source.Registrations.Where(r =>
+            r.Value != null &&
+            appState.UdapClientCertificateInfo.SubjectAltNames.Contains(r.Value.SubjAltName) &&
+            appState.BaseUrl == r.Value.ResourceServer &&
+            appState.MetadataVerificationModel?.UdapServerMetaData?.RegistrationEndpoint == r.Value.RegistrationUrl);
+
+        if (predicate != null)
+        {
+            query = query.Where(r => r.Value != null && predicate(r.Value));
+        }
+
+        // Preserve existing usage that calls ToImmutableDictionary()
+        return query.ToImmutableDictionary();
+    }
+}
diff --git a/Shared/Model/ClientRegistrations.cs b/Shared/Model/ClientRegistrations.cs
@@ -34,7 +34,8 @@ public class ClientRegistrations
                 AuthServer = registrationDocument.Audience,
                 ResourceServer = resourceServer,
                 RedirectUri = registrationDocument.RedirectUris,
-                Scope = resultModelResult.Scope
+                Scope = resultModelResult.Scope,
+                RegistrationUrl = resultModelResult.Audience // Token endpoint
             };
 
             Registrations[resultModelResult.ClientId] = _clientRegistration;
@@ -96,4 +97,5 @@ public class ClientRegistration
     public ICollection<string>? RedirectUri { get; set; }
     public string? Scope { get; set; }
     public string? IdPBaseUrl { get; set; }
+    public string? RegistrationUrl { get; set; }
 }
diff --git a/Shared/Pages/UdapBusinessToBusiness.razor.cs b/Shared/Pages/UdapBusinessToBusiness.razor.cs
@@ -393,7 +393,7 @@ private void BuildAccessTokenRequestVisualForClientCredentials()
         var sb = new StringBuilder();
         sb.AppendLine("POST /token HTTP/1.1");
         sb.AppendLine("Content-Type: application/x-www-form-urlencoded");
-        sb.AppendLine($"Host: {AppState.MetadataVerificationModel?.UdapServerMetaData?.AuthorizationEndpoint}");
+        sb.AppendLine($"Host: {AppState.MetadataVerificationModel?.UdapServerMetaData?.TokenEndpoint}");
         sb.AppendLine("Content-type: application/x-www-form-urlencoded");
         sb.AppendLine();
         sb.AppendLine("grant_type=client_credentials&");
@@ -419,7 +419,7 @@ private void BuildAccessTokenRequestVisualForAuthorizationCode()
 
         var sb = new StringBuilder();
         sb.AppendLine("POST /token HTTP/1.1");
-        sb.AppendLine($"Host: {AppState.MetadataVerificationModel?.UdapServerMetaData?.AuthorizationEndpoint}");
+        sb.AppendLine($"Host: {AppState.MetadataVerificationModel?.UdapServerMetaData?.TokenEndpoint}");
         sb.AppendLine("Content-type: application/x-www-form-urlencoded");
         sb.AppendLine();
         sb.AppendLine("grant_type=authorization_code&");
@@ -556,15 +556,7 @@ public string DeviceLoginCallback(bool reset = false)
 
     private IDictionary<string, ClientRegistration?> FilterRegistrations()
     {
-        return AppState.ClientRegistrations.Registrations
-            .Where(r => r.Value != null && 
-                        AppState.UdapClientCertificateInfo != null &&
-                        AppState.UdapClientCertificateInfo.SubjectAltNames.Contains(r.Value.SubjAltName) &&
-                        AppState.BaseUrl == r.Value.ResourceServer)
-            .ToImmutableDictionary();
+        return AppState.ClientRegistrations.FilterRegistrations(AppState);
     }
-
-    
-
 }
 
diff --git a/Shared/Pages/UdapConsumer.razor.cs b/Shared/Pages/UdapConsumer.razor.cs
@@ -470,12 +470,8 @@ private string GetJwtHeader(string? tokenString)
 
     private IDictionary<string, ClientRegistration?> FilterRegistrations()
     {
-        return AppState.ClientRegistrations.Registrations
-            .Where(r => r.Value != null &&
-                        r.Value.UserFlowSelected.Equals("authorization_code") &&
-                        AppState.UdapClientCertificateInfo != null &&
-                        AppState.UdapClientCertificateInfo.SubjectAltNames.Contains(r.Value.SubjAltName) &&
-                        AppState.BaseUrl == r.Value.ResourceServer)
-            .ToImmutableDictionary();
+        return AppState.ClientRegistrations.FilterRegistrations(
+            AppState,
+            r => r.UserFlowSelected.Equals("authorization_code")); ;
     }
 }
diff --git a/Shared/Pages/UdapRegistration.razor.cs b/Shared/Pages/UdapRegistration.razor.cs
@@ -7,22 +7,23 @@
 // */
 #endregion
 
-using System.Net.NetworkInformation;
-using System.Reflection;
-using System.Text.Json;
-using System.Text.Json.Nodes;
-using System.Text.Json.Serialization;
-using System.Text.RegularExpressions;
 using Google.Api.Gax;
 using Hl7.Fhir.Rest;
 using Microsoft.AspNetCore.Components;
 using Microsoft.AspNetCore.Components.Web;
 using Microsoft.IdentityModel.Tokens;
 using Microsoft.JSInterop;
 using Org.BouncyCastle.Ocsp;
+using System.Net.NetworkInformation;
+using System.Reflection;
+using System.Text.Json;
+using System.Text.Json.Nodes;
+using System.Text.Json.Serialization;
+using System.Text.RegularExpressions;
 using Udap.Model;
 using Udap.Model.Registration;
 using UdapEd.Shared.Components;
+using UdapEd.Shared.Extensions;
 using UdapEd.Shared.Model;
 using UdapEd.Shared.Model.Registration;
 using UdapEd.Shared.Services;
@@ -867,12 +868,11 @@ private IEnumerable<ClientRegistration?>? CurrentClientRegistrations
     {
         get
         {
-            return AppState.ClientRegistrations?.Registrations
-                .Where(r => r.Value != null &&
-                            AppState.UdapClientCertificateInfo != null &&
-                            AppState.UdapClientCertificateInfo.SubjectAltNames.Contains(r.Value.SubjAltName) &&
-                            AppState.BaseUrl == r.Value.ResourceServer)
-                .Select(r => r.Value);
+            var filtered = AppState.ClientRegistrations?.FilterRegistrations(
+                AppState,
+                r => AppState.MetadataVerificationModel?.UdapServerMetaData?.RegistrationEndpoint == r.RegistrationUrl);
+
+            return filtered?.Values;
         }
     }
     
diff --git a/Shared/Pages/UdapTieredOAuth.razor.cs b/Shared/Pages/UdapTieredOAuth.razor.cs
@@ -479,14 +479,10 @@ public string DeviceLoginCallback(bool reset = false)
 
     private IDictionary<string, ClientRegistration?>? FilterRegistrations()
     {
-        return AppState.ClientRegistrations?.Registrations
-            .Where(r => r.Value != null &&
-                        r.Value.UserFlowSelected != "client_credentials" &&
-                        r.Value.Scope != null &&
-                        r.Value.Scope.Contains("udap") && 
-                        AppState.UdapClientCertificateInfo != null &&
-                        AppState.UdapClientCertificateInfo.SubjectAltNames.Contains(r.Value.SubjAltName) &&
-                        AppState.BaseUrl == r.Value.ResourceServer)
-            .ToImmutableDictionary();
+        return AppState.ClientRegistrations?.FilterRegistrations(
+            AppState,
+            r => r.UserFlowSelected != "client_credentials" &&
+                 !string.IsNullOrEmpty(r.Scope) &&
+                 r.Scope.Contains("udap"));
     }
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -470,12 +470,8 @@ private string GetJwtHeader(string? tokenString)`
`470`	`470`
`471`	`471`	`private IDictionary<string, ClientRegistration?> FilterRegistrations()`
`472`	`472`	`{`
`473`		`- return AppState.ClientRegistrations.Registrations`
`474`		`- .Where(r => r.Value != null &&`
`475`		`- r.Value.UserFlowSelected.Equals("authorization_code") &&`
`476`		`- AppState.UdapClientCertificateInfo != null &&`
`477`		`- AppState.UdapClientCertificateInfo.SubjectAltNames.Contains(r.Value.SubjAltName) &&`
`478`		`- AppState.BaseUrl == r.Value.ResourceServer)`
`479`		`- .ToImmutableDictionary();`
	`473`	`+ return AppState.ClientRegistrations.FilterRegistrations(`
	`474`	`+ AppState,`
	`475`	`+ r => r.UserFlowSelected.Equals("authorization_code")); ;`
`480`	`476`	`}`
`481`	`477`	`}`