Add support for token endpoint parameters

Added support for supplying custom parameters in body,
headers and body for the token endpoint request.

This is a breaking change since the configuration has
changed.

Author: runegulbrandsen

.gitignore

@@ -344,5 +344,8 @@ healthchecksdb
 /test/coverage.opencover.xml
 /test/result.json
 
+# POC related
+/poc
+
 # Custom exclusions
 *.AssemblyAttributes

README.md

@@ -70,7 +70,8 @@ Authentication using OAuth2.
 
 ##### Client credentials
 
-Using OAuth2 client credentials, all settings except `DisableTokenCache` and `Scope` is required.
+Using OAuth2 client credentials, all settings except `DisableTokenCache`, `Scope` and
+`TokenEndpoint`'s `Additional*Parameters` is required.
 
 ```
 "<section name>": {
@@ -79,7 +80,15 @@ Using OAuth2 client credentials, all settings except `DisableTokenCache` and `Sc
     "DisableTokenCache": false,
     "GrantType": "ClientCredentials",
     "Scope": "<Optional scopes separated by space>",
-    "TokenEndpoint": "<OAuth2 token endpoint>",
+    "TokenEndpoint": {
+        "Url": "<OAuth2 token endpoint>",
+        "AdditionalHeaderParameters": {
+        },
+        "AdditionalBodyParameters": {
+        },
+        "AdditionalQueryParameters": {
+        }
+    },
     "ClientCredentials": {
         "ClientId": "<Unique client id>",
         "ClientSecret": "<Secret connected to the client id>"
@@ -88,8 +97,9 @@ Using OAuth2 client credentials, all settings except `DisableTokenCache` and `Sc
 }
 ```
 
-> **NOTE**: The previous `AuthorizationEndpoint` is replaced by `TokenEndpoint`. It still exists,
-but is obsoleted and will be removed in a later version.
+The `Additional*Parameters` configuration is dynamic, any configuration in these will 
+be added to their respective parts of the request accordingly. Please note that the 
+`AdditionalQueryParameters` will be url encoded.
 
 ### Examples
 

src/HttpClientAuthentication/Configuration/OAuth2Configuration.cs

@@ -10,16 +10,6 @@ namespace KISS.HttpClientAuthentication.Configuration
     /// </summary>
     public sealed class OAuth2Configuration
     {
-        /// <summary>
-        ///     Gets or sets the authorization endpoint used by some <see cref="AuthenticationProvider"/>
-        ///     configuration.
-        /// </summary>
-        /// <remarks>
-        ///     Obsolete: Use <see cref="TokenEndpoint"/> instead.
-        /// </remarks>
-        [Obsolete("Use TokenEndpoint instead.")]
-        public Uri AuthorizationEndpoint { get => TokenEndpoint; set => TokenEndpoint = value; }
-
         /// <summary>
         ///     Gets or sets the authorization scheme to use if <see cref="AuthenticationHeader"/> is 
         ///     Authorization or the selected <see cref="AuthenticationProvider"/> uses Authorization as default header.
@@ -58,6 +48,6 @@ public sealed class OAuth2Configuration
         /// <remarks>
         ///     Replaces <see cref="AuthorizationEndpoint"/>.
         /// </remarks>
-        public Uri TokenEndpoint { get; set; } = default!;
+        public OAuth2Endpoint TokenEndpoint { get; set; } = default!;
     }
 }

src/HttpClientAuthentication/Configuration/OAuth2Endpoint.cs

@@ -0,0 +1,40 @@
+// Copyright © 2025 Rune Gulbrandsen.
+// All rights reserved. Licensed under the MIT License; see LICENSE.txt.
+
+namespace KISS.HttpClientAuthentication.Configuration
+{
+    /// <summary>
+    ///     Endpoint configuration for OAuth2 endpoints
+    /// </summary>
+    public sealed partial class OAuth2Endpoint
+    {
+        /// <summary>
+        ///     Gets or sets the Url to the OAuth2 endpoint.
+        /// </summary>
+        public Uri Url { get; set; } = default!;
+
+        /// <summary>
+        ///     Gets a dictionary that can contain additional headers that will be
+        ///     supplied when requesting <see cref="Url"/>.
+        /// </summary>
+        public Dictionary<string, string> AdditionalHeaderParameters { get; } = [];
+
+
+        /// <summary>
+        ///     Gets a collection of additional form body parameters that will be
+        ///     supplied when requesting <see cref="Url"/>.
+        /// </summary>
+        public Dictionary<string, string> AdditionalBodyParameters { get; } = [];
+
+        /// <summary>
+        ///     Gets a collection of additional query string parameters that will
+        ///     be supplied when requesting <see cref="Url"/>.
+        /// </summary>
+        public Dictionary<string, string> AdditionalQueryParameters { get; } = [];
+
+        public override string ToString()
+        {
+            return Url.ToString();
+        }
+    }
+}

src/HttpClientAuthentication/Helpers/OAuth2Provider.cs

@@ -1,8 +1,8 @@
 // Copyright © 2025 Rune Gulbrandsen.
 // All rights reserved. Licensed under the MIT License; see LICENSE.txt.
 
+using System.Globalization;
 using System.Net;
-using System.Net.Http.Headers;
 using System.Text;
 using System.Text.Json;
 using KISS.HttpClientAuthentication.Configuration;
@@ -23,48 +23,30 @@ internal sealed class OAuth2Provider(IHttpClientFactory clientFactory, ILogger<O
         /// <inheritdoc />
         public async ValueTask<AccessTokenResponse?> GetClientCredentialsAccessTokenAsync(OAuth2Configuration configuration, CancellationToken cancellationToken = default)
         {
-            if (configuration.GrantType is not OAuth2GrantType.ClientCredentials)
-            {
-                throw new ArgumentException($"{nameof(configuration.GrantType)} must be {OAuth2GrantType.ClientCredentials}.", nameof(configuration));
-            }
-
-            if (configuration.ClientCredentials is null)
-            {
-                throw new ArgumentException($"No valid {nameof(configuration.ClientCredentials)} found.", nameof(configuration));
-            }
-
-            if (string.IsNullOrWhiteSpace(configuration.ClientCredentials.ClientId))
-            {
-                throw new ArgumentException($"{nameof(configuration.ClientCredentials)}.{nameof(configuration.ClientCredentials.ClientId)} must be specified.",
-                                            nameof(configuration));
-            }
-
-            if (string.IsNullOrWhiteSpace(configuration.ClientCredentials.ClientSecret))
-            {
-                throw new ArgumentException($"{nameof(configuration.ClientCredentials)}.{nameof(configuration.ClientCredentials.ClientSecret)} must be specified.",
-                                            nameof(configuration));
-            }
-
+            ValidateClientCredentialParameters(configuration);
 
             string cacheKey = $"{configuration.GrantType}#{configuration.TokenEndpoint}#{configuration.ClientCredentials!.ClientId}";
 
-            if (memoryCache.TryGetValue(cacheKey, out AccessTokenResponse? token))
+            AccessTokenResponse? token;
+
+            if (!configuration.DisableTokenCache)
             {
-                logger.LogInformation("Token for {TokenEndpoint} with client id {ClientId} found in cache, using this.",
-                                      configuration.TokenEndpoint, configuration.ClientCredentials.ClientId);
-                return token;
-            }
+                if (memoryCache.TryGetValue(cacheKey, out token))
+                {
+                    logger.LogDebug("Token for {TokenEndpoint} with client id {ClientId} found in cache, using this.",
+                                          configuration.TokenEndpoint, configuration.ClientCredentials.ClientId);
+                    return token;
+                }
 
-            logger.LogDebug("Could not find existing token in cache, requesting token from endpoint {TokenEndpoint} with client id {ClientId}.",
+                logger.LogDebug("Could not find existing token in cache, requesting token from endpoint {TokenEndpoint} with client id {ClientId}.",
                             configuration.TokenEndpoint, configuration.ClientCredentials.ClientId);
+            }
 
-            using FormUrlEncodedContent requestContent = GetClientCredentialsContent(configuration.ClientCredentials!, configuration.Scope);
+            using HttpRequestMessage request = GetTokenRequest(configuration);
 
-            using HttpResponseMessage result = configuration.ClientCredentials!.UseBasicAuthorizationHeader
-                ? await PostWithBasicAuthenticationAsync(configuration, requestContent, cancellationToken).ConfigureAwait(false)
-                : await _client.PostAsync(configuration.TokenEndpoint, requestContent, cancellationToken).ConfigureAwait(false);
+            using HttpResponseMessage response = await _client.SendAsync(request, cancellationToken);
 
-            token = await ParseResponseAsync(configuration, result, cancellationToken).ConfigureAwait(false);
+            token = await ParseResponseAsync(configuration, response, cancellationToken).ConfigureAwait(false);
 
             if (token is null)
             {
@@ -73,59 +55,115 @@ internal sealed class OAuth2Provider(IHttpClientFactory clientFactory, ILogger<O
 
             if (configuration.DisableTokenCache)
             {
-                logger.LogInformation("Token retrieved from {TokenEndpoint} with client id {ClientId}, but the token cache is disabled.",
+                logger.LogDebug("Token retrieved from {TokenEndpoint} with client id {ClientId}, but the token cache is disabled.",
                                       configuration.TokenEndpoint, configuration.ClientCredentials!.ClientId);
             }
             else if (token.ExpiresIn > 0)
             {
                 double cacheExpiresIn = (int)token.ExpiresIn * 0.95;
                 memoryCache.Set(cacheKey, token, TimeSpan.FromSeconds(cacheExpiresIn));
 
-                logger.LogInformation("Token retrieved from {TokenEndpoint} with client id {ClientId} and cached for {CacheExpiresIn} seconds.",
+                logger.LogDebug("Token retrieved from {TokenEndpoint} with client id {ClientId} and cached for {CacheExpiresIn} seconds.",
                                       configuration.TokenEndpoint, configuration.ClientCredentials!.ClientId, cacheExpiresIn);
             }
             else
             {
-                logger.LogInformation("Token retrieved from {TokenEndpoint} with client id {ClientId}, but not cached since it is missing expires_in information.",
+                logger.LogDebug("Token retrieved from {TokenEndpoint} with client id {ClientId}, but not cached since it is missing expires_in information.",
                                       configuration.TokenEndpoint, configuration.ClientCredentials!.ClientId);
             }
 
             return token;
         }
 
-        private static FormUrlEncodedContent GetClientCredentialsContent(ClientCredentialsConfiguration configuration, string? scope)
+        private static void AddTokenRequestHeaders(HttpRequestMessage request, OAuth2Configuration configuration)
+        {
+            if (configuration.ClientCredentials!.UseBasicAuthorizationHeader)
+            {
+                string encodedAuthorization = Convert.ToBase64String(
+                    Encoding.ASCII.GetBytes($"{configuration.ClientCredentials!.ClientId}:{configuration.ClientCredentials.ClientSecret}"));
+
+                request.Headers.Authorization = new("Basic", encodedAuthorization);
+            }
+
+            foreach (KeyValuePair<string, string> parameter in configuration.TokenEndpoint.AdditionalHeaderParameters)
+            {
+                request.Headers.Add(parameter.Key, parameter.Value);
+            }
+        }
+
+        private static FormUrlEncodedContent GetClientCredentialsContent(OAuth2Configuration configuration)
         {
             Dictionary<string, string> requestBody = new()
             {
                 { OAuth2Keyword.GrantType, OAuth2Keyword.ClientCredentials }
             };
 
-            if (!configuration.UseBasicAuthorizationHeader)
+            if (!configuration.ClientCredentials!.UseBasicAuthorizationHeader)
+            {
+                requestBody.Add(OAuth2Keyword.ClientId, configuration.ClientCredentials.ClientId);
+                requestBody.Add(OAuth2Keyword.ClientSecret, configuration.ClientCredentials.ClientSecret);
+            }
+
+            if (!string.IsNullOrWhiteSpace(configuration.Scope))
             {
-                requestBody.Add(OAuth2Keyword.ClientId, configuration.ClientId);
-                requestBody.Add(OAuth2Keyword.ClientSecret, configuration.ClientSecret);
+                requestBody.Add(OAuth2Keyword.Scope, configuration.Scope.Trim());
             }
 
-            if (!string.IsNullOrWhiteSpace(scope))
+            foreach (KeyValuePair<string, string> parameter in configuration.TokenEndpoint.AdditionalBodyParameters)
             {
-                requestBody.Add(OAuth2Keyword.Scope, scope!.Trim());
+                requestBody.Add(parameter.Key, parameter.Value);
             }
 
-            return new FormUrlEncodedContent(requestBody!);
+            return new FormUrlEncodedContent(requestBody);
         }
 
-        private async Task<AccessTokenResponse?> ParseResponseAsync(OAuth2Configuration configuration, HttpResponseMessage result,
+        private static Uri GetCompleteTokenUrl(OAuth2Endpoint tokenEndpoint)
+        {
+            if (tokenEndpoint.AdditionalQueryParameters.Count == 0)
+            {
+                return tokenEndpoint.Url;
+            }
+
+            UriBuilder uriBuilder = new(tokenEndpoint.Url);
+
+            StringBuilder stringBuilder = new();
+
+            foreach (KeyValuePair<string, string> parameter in tokenEndpoint.AdditionalQueryParameters)
+            {
+                stringBuilder.Append(CultureInfo.InvariantCulture, $"{parameter.Key}={WebUtility.UrlEncode(parameter.Value)}");
+            }
+
+            stringBuilder.Replace("&", "?", 0, 1);
+
+            uriBuilder.Query = stringBuilder.ToString();
+
+            return uriBuilder.Uri;
+        }
+
+        private static HttpRequestMessage GetTokenRequest(OAuth2Configuration configuration)
+        {
+            HttpRequestMessage request = new(HttpMethod.Get, GetCompleteTokenUrl(configuration.TokenEndpoint))
+            {
+                Method = HttpMethod.Post,
+                Content = GetClientCredentialsContent(configuration)
+            };
+
+            AddTokenRequestHeaders(request, configuration);
+            return request;
+        }
+
+        private async Task<AccessTokenResponse?> ParseResponseAsync(OAuth2Configuration configuration, HttpResponseMessage response,
                                                                     CancellationToken cancellationToken)
         {
-            string body = await result.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            string body = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
 
-            if (!result.IsSuccessStatusCode)
+            if (!response.IsSuccessStatusCode)
             {
-                if (result.StatusCode != HttpStatusCode.BadRequest ||
-                    !TryParseAndLogOAuth2Error(body, configuration.TokenEndpoint, configuration.ClientCredentials!.ClientId))
+                if (response.StatusCode != HttpStatusCode.BadRequest ||
+                    !TryParseAndLogOAuth2Error(body, configuration.TokenEndpoint.Url, configuration.ClientCredentials!.ClientId))
                 {
                     logger.LogError("Could not authenticate against {TokenEndpoint}, the returned status code was {StatusCode}. Response body: {Body}.",
-                                    configuration.TokenEndpoint, result.StatusCode, body);
+                                    configuration.TokenEndpoint, response.StatusCode, body);
                 }
 
                 return null;
@@ -150,26 +188,6 @@ private static FormUrlEncodedContent GetClientCredentialsContent(ClientCredentia
             return token;
         }
 
-        private async Task<HttpResponseMessage> PostWithBasicAuthenticationAsync(OAuth2Configuration configuration, FormUrlEncodedContent requestContent,
-                                                                           CancellationToken cancellationToken)
-        {
-            string encodedAuthorization = Convert.ToBase64String(
-                Encoding.ASCII.GetBytes($"{configuration.ClientCredentials!.ClientId}:{configuration.ClientCredentials.ClientSecret}"));
-
-            using HttpRequestMessage request = new()
-            {
-                Content = requestContent,
-                Method = HttpMethod.Post,
-                RequestUri = configuration.TokenEndpoint,
-                Headers =
-                {
-                    Authorization = new AuthenticationHeaderValue("Basic", encodedAuthorization)
-                }
-            };
-
-            return await _client.SendAsync(request, cancellationToken).ConfigureAwait(false);
-        }
-
         private bool TryParseAndLogOAuth2Error(string errorContent, Uri tokenEndpoint, string? clientId)
         {
             ErrorResponse? response = null;
@@ -220,5 +238,40 @@ private bool TryParseAndLogOAuth2Error(string errorContent, Uri tokenEndpoint, s
 
             return true;
         }
+
+        private static void ValidateClientCredentialParameters(OAuth2Configuration configuration)
+        {
+            if (configuration.GrantType is not OAuth2GrantType.ClientCredentials)
+            {
+                throw new ArgumentException($"{nameof(configuration.GrantType)} must be {OAuth2GrantType.ClientCredentials}.", nameof(configuration));
+            }
+
+            if (configuration.ClientCredentials is null)
+            {
+                throw new ArgumentException($"{nameof(configuration.ClientCredentials)} is null.", nameof(configuration));
+            }
+
+            if (string.IsNullOrWhiteSpace(configuration.ClientCredentials.ClientId))
+            {
+                throw new ArgumentException($"{nameof(configuration.ClientCredentials)}.{nameof(configuration.ClientCredentials.ClientId)} must be specified.",
+                                            nameof(configuration));
+            }
+
+            if (string.IsNullOrWhiteSpace(configuration.ClientCredentials.ClientSecret))
+            {
+                throw new ArgumentException($"{nameof(configuration.ClientCredentials)}.{nameof(configuration.ClientCredentials.ClientSecret)} must be specified.",
+                                            nameof(configuration));
+            }
+
+            if (configuration.TokenEndpoint is null)
+            {
+                throw new ArgumentException($"{nameof(configuration.TokenEndpoint)} is null.", nameof(configuration));
+            }
+
+            if (configuration.TokenEndpoint.Url is null)
+            {
+                throw new ArgumentException($"{nameof(configuration.TokenEndpoint)}.{nameof(configuration.TokenEndpoint.Url)} must be specified.", nameof(configuration));
+            }
+        }
     }
 }