Merge pull request #21 from jokk-itu/feature/step-up-authentication

jokk-itu · web-flow · commit 52b6af40f660 · 2025-02-23T13:15:14.000+01:00
Feature/step up authentication
diff --git a/src/AuthServer/Core/Parameter.cs b/src/AuthServer/Core/Parameter.cs
@@ -89,6 +89,8 @@ public static class Parameter
     public const string GrantManagementAction = "grant_management_action";
     public const string Scopes = "scopes";
     public const string Claims = "claims";
+    public const string AuthTime = "auth_time";
+    public const string Acr = "acr";
 
     // Custom parameter
     public const string RequireReferenceToken = "require_reference_token";
diff --git a/src/AuthServer/Endpoints/Responses/PostIntrospectionResponse.cs b/src/AuthServer/Endpoints/Responses/PostIntrospectionResponse.cs
@@ -39,4 +39,10 @@ internal class PostIntrospectionResponse
 
     [JsonPropertyName(Parameter.JwtId)]
     public string? JwtId { get; init; }
+
+    [JsonPropertyName(Parameter.AuthTime)]
+    public long? AuthTime { get; init; }
+
+    [JsonPropertyName(Parameter.Acr)]
+    public string? Acr { get; init; }
 }
diff --git a/src/AuthServer/Extensions/DateTimeExtensions.cs b/src/AuthServer/Extensions/DateTimeExtensions.cs
@@ -5,4 +5,4 @@ public static long ToUnixTimeSeconds(this DateTime dateTime)
     {
         return (long)dateTime.Subtract(DateTime.UnixEpoch).TotalSeconds;
     }
-}
+}
diff --git a/src/AuthServer/Introspection/IntrospectionEndpointHandler.cs b/src/AuthServer/Introspection/IntrospectionEndpointHandler.cs
@@ -36,7 +36,9 @@ public async Task<IResult> Handle(HttpContext httpContext, CancellationToken can
                 JwtId = response.JwtId,
                 NotBefore = response.NotBefore,
                 Scope = response.Scope,
-                Subject = response.Subject
+                Subject = response.Subject,
+                AuthTime = response.AuthTime,
+                Acr = response.Acr
             }),
             error => Results.Extensions.OAuthBadRequest(error));
     }
diff --git a/src/AuthServer/Introspection/IntrospectionRequestProcessor.cs b/src/AuthServer/Introspection/IntrospectionRequestProcessor.cs
@@ -1,7 +1,6 @@
 ﻿using AuthServer.Authentication.Abstractions;
 using AuthServer.Core;
 using AuthServer.Core.Abstractions;
-using AuthServer.Core.Request;
 using AuthServer.Entities;
 using AuthServer.Extensions;
 using AuthServer.Metrics;
@@ -33,24 +32,27 @@ public async Task<IntrospectionResponse> Process(IntrospectionValidatedRequest r
             .Select(x => new TokenQuery
             {
                 Token = x,
+                ClientIdFromClientAccessToken = (x as ClientAccessToken)!.Client.Id,
+                ClientIdFromGrantAccessToken = (x as GrantAccessToken)!.AuthorizationGrant.Client.Id,
                 SubjectFromGrantToken = (x as GrantToken)!.AuthorizationGrant.Subject,
                 SubjectFromClientToken = (x as ClientAccessToken)!.Client.Id,
-                SubjectIdentifier = (x as GrantToken)!.AuthorizationGrant.Session.SubjectIdentifier.Id
+                SubjectIdentifier = (x as GrantToken)!.AuthorizationGrant.Session.SubjectIdentifier.Id,
+                AuthTime = (x as GrantToken)!.AuthorizationGrant.AuthTime,
+                Acr = (x as GrantAccessToken)!.AuthorizationGrant.AuthenticationContextReference.Name
             })
             .SingleOrDefaultAsync(cancellationToken: cancellationToken);
 
         var isInvalidToken = query is null;
         var hasExceededExpiration = query?.Token.ExpiresAt < DateTime.UtcNow;
         var isRevoked = query?.Token.RevokedAt is not null;
-
         var scope = query?.Token.Scope?.Split(' ') ?? [];
-        var hasInsufficientScope = !request.Scope.Intersect(scope).Any();
+        var authorizedScope = request.Scope.Intersect(scope).ToList();
 
         /*
          * If active is false, then the requesting client does not need to know more.
          * Therefore, the other optional properties are not set.
          */
-        if (isInvalidToken || hasExceededExpiration || isRevoked || hasInsufficientScope)
+        if (isInvalidToken || hasExceededExpiration || isRevoked || authorizedScope.Count == 0)
         {
             return new IntrospectionResponse
             {
@@ -67,30 +69,38 @@ public async Task<IntrospectionResponse> Process(IntrospectionValidatedRequest r
 
         var subject = query.SubjectFromGrantToken ?? query.SubjectFromClientToken;
 
-        _metricService.AddIntrospectedToken(query.Token is RefreshToken ? TokenTypeTag.RefreshToken : TokenTypeTag.AccessToken);
+        _metricService.AddIntrospectedToken(query.Token is RefreshToken
+            ? TokenTypeTag.RefreshToken
+            : TokenTypeTag.AccessToken);
 
         return new IntrospectionResponse
         {
             Active = token.RevokedAt is null,
             JwtId = token.Id.ToString(),
-            ClientId = request.ClientId,
+            ClientId = query.ClientIdFromClientAccessToken ?? query.ClientIdFromGrantAccessToken,
             ExpiresAt = token.ExpiresAt?.ToUnixTimeSeconds(),
             Issuer = token.Issuer,
             Audience = token.Audience.Split(' '),
             IssuedAt = token.IssuedAt.ToUnixTimeSeconds(),
             NotBefore = token.NotBefore.ToUnixTimeSeconds(),
-            Scope = token.Scope,
+            Scope = string.Join(' ', authorizedScope),
             Subject = subject,
             TokenType = token.TokenType.GetDescription(),
-            Username = username
+            Username = username,
+            AuthTime = query.AuthTime?.ToUnixTimeSeconds(),
+            Acr = query.Acr
         };
     }
 
     private sealed class TokenQuery
     {
         public required Token Token { get; init; }
-        public required string? SubjectFromGrantToken { get; init; }
-        public required string? SubjectFromClientToken { get; init; }
-        public required string? SubjectIdentifier { get; init; }
+        public string? ClientIdFromClientAccessToken { get; init; }
+        public string? ClientIdFromGrantAccessToken { get; init; }
+        public string? SubjectFromGrantToken { get; init; }
+        public string? SubjectFromClientToken { get; init; }
+        public string? SubjectIdentifier { get; init; }
+        public DateTime? AuthTime { get; init; }
+        public string? Acr { get; init; }
     }
 }
diff --git a/src/AuthServer/Introspection/IntrospectionRequestValidator.cs b/src/AuthServer/Introspection/IntrospectionRequestValidator.cs
@@ -1,5 +1,4 @@
-﻿using AuthServer.Authentication;
-using AuthServer.Authentication.Abstractions;
+﻿using AuthServer.Authentication.Abstractions;
 using AuthServer.Cache.Abstractions;
 using AuthServer.Constants;
 using AuthServer.Core.Abstractions;
@@ -63,7 +62,6 @@ public async Task<ProcessResult<IntrospectionValidatedRequest, ProcessError>> Va
 
         return new IntrospectionValidatedRequest
         {
-            ClientId = clientAuthenticationResult.ClientId,
             Token = request.Token!,
             Scope = cachedClient.Scopes
         };
diff --git a/src/AuthServer/Introspection/IntrospectionResponse.cs b/src/AuthServer/Introspection/IntrospectionResponse.cs
@@ -13,4 +13,6 @@ internal class IntrospectionResponse
     public IEnumerable<string> Audience { get; init; } = [];
     public string? Issuer { get; init; }
     public string? JwtId { get; init; }
+    public long? AuthTime { get; init; }
+    public string? Acr { get; init; }
 }
diff --git a/src/AuthServer/Introspection/IntrospectionValidatedRequest.cs b/src/AuthServer/Introspection/IntrospectionValidatedRequest.cs
@@ -1,7 +1,6 @@
 ﻿namespace AuthServer.Introspection;
 internal class IntrospectionValidatedRequest
 {
-    public required string ClientId { get; init; }
     public required string Token { get; init; }
     public required IReadOnlyCollection<string> Scope { get; init; }
 }
diff --git a/src/AuthServer/TokenBuilders/GrantAccessTokenBuilder.cs b/src/AuthServer/TokenBuilders/GrantAccessTokenBuilder.cs
@@ -45,7 +45,8 @@ public async Task<string> BuildToken(GrantAccessTokenArguments arguments, Cancel
                 AuthorizationGrant = x,
                 Client = x.Client,
                 Subject = x.Subject,
-                SessionId = x.Session.Id
+                SessionId = x.Session.Id,
+                Acr = x.AuthenticationContextReference.Name
             })
             .SingleAsync(cancellationToken);
 
@@ -73,7 +74,9 @@ private string BuildStructuredToken(GrantAccessTokenArguments arguments, GrantQu
             { ClaimNameConstants.GrantId, arguments.AuthorizationGrantId },
             { ClaimNameConstants.Sub, grantQuery.Subject },
             { ClaimNameConstants.Sid, grantQuery.SessionId },
-            { ClaimNameConstants.ClientId, grantQuery.Client.Id }
+            { ClaimNameConstants.ClientId, grantQuery.Client.Id },
+            { ClaimNameConstants.AuthTime, grantQuery.AuthorizationGrant.AuthTime.ToUnixTimeSeconds() },
+            { ClaimNameConstants.Acr, grantQuery.Acr }
         };
 
         var now = DateTime.UtcNow;
@@ -110,5 +113,6 @@ private sealed class GrantQuery
         public required Client Client { get; init; }
         public required string SessionId { get; init; }
         public required string Subject { get; init; }
+        public required string Acr { get; init; }
     }
 }
diff --git a/tests/AuthServer.Tests.IntegrationTest/BaseIntegrationTest.cs b/tests/AuthServer.Tests.IntegrationTest/BaseIntegrationTest.cs
@@ -4,6 +4,7 @@
 using AuthServer.Core;
 using AuthServer.Entities;
 using AuthServer.Enums;
+using AuthServer.Helpers;
 using AuthServer.Options;
 using AuthServer.Repositories.Abstractions;
 using AuthServer.Tests.Core;
@@ -175,7 +176,7 @@ protected async Task<string> AddWeatherReadScope()
         return scopeName;
     }
 
-    protected async Task<Client> AddWeatherClient()
+    protected async Task<Client> AddWeatherClient(string plainSecret)
     {
         var dbContext = ServiceProvider.GetRequiredService<AuthorizationDbContext>();
 
@@ -186,6 +187,8 @@ protected async Task<Client> AddWeatherClient()
             ClientUri = "https://weather.authserver.dk"
         };
 
+        client.SetSecret(CryptographyHelper.HashPassword(plainSecret));
+
         await dbContext.AddAsync(client);
         await dbContext.SaveChangesAsync();
 
diff --git a/tests/AuthServer.Tests.IntegrationTest/IntrospectionIntegrationTest.cs b/tests/AuthServer.Tests.IntegrationTest/IntrospectionIntegrationTest.cs
@@ -1,7 +1,10 @@
 ﻿using AuthServer.Constants;
 using AuthServer.Enums;
+using AuthServer.Helpers;
+using AuthServer.Tests.Core;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Xunit.Abstractions;
+using ProofKeyForCodeExchangeHelper = AuthServer.Tests.Core.ProofKeyForCodeExchangeHelper;
 
 namespace AuthServer.Tests.IntegrationTest;
 
@@ -13,11 +16,78 @@ public IntrospectionIntegrationTest(WebApplicationFactory<Program> factory, ITes
     }
 
     [Fact]
-    public async Task Introspection_ActiveToken_ExpectActive()
+    public async Task Introspection_ActiveGrantAccessToken_ExpectActive()
     {
         // Arrange
         var weatherReadScope = await AddWeatherReadScope();
-        var weatherClient = await AddWeatherClient();
+        var weatherClientSecret = CryptographyHelper.GetRandomString(16);
+        var weatherClient = await AddWeatherClient(weatherClientSecret);
+        var identityProviderClient = await AddIdentityProviderClient();
+
+        var registerResponse = await RegisterEndpointBuilder
+            .WithClientName("web-app")
+            .WithRedirectUris(["https://webapp.authserver.dk/callback"])
+            .WithGrantTypes([GrantTypeConstants.AuthorizationCode])
+            .WithScope([weatherReadScope, ScopeConstants.OpenId])
+            .WithRequireReferenceToken()
+            .Post();
+
+        await AddUser();
+        await AddAuthenticationContextReferences();
+
+        var grantId = await CreateAuthorizationGrant(registerResponse.ClientId, [AuthenticationMethodReferenceConstants.Password]);
+        await Consent(UserConstants.SubjectIdentifier, registerResponse.ClientId, [ScopeConstants.OpenId, weatherReadScope], []);
+
+        var proofKeyForCodeExchange = ProofKeyForCodeExchangeHelper.GetProofKeyForCodeExchange();
+        var authorizeResponse = await AuthorizeEndpointBuilder
+            .WithClientId(registerResponse.ClientId)
+            .WithAuthorizeUser(grantId)
+            .WithCodeChallenge(proofKeyForCodeExchange.CodeChallenge)
+            .WithScope([weatherReadScope, ScopeConstants.OpenId])
+            .WithResource([weatherClient.ClientUri!])
+            .Get();
+
+        var tokenResponse = await TokenEndpointBuilder
+            .WithClientId(registerResponse.ClientId)
+            .WithClientSecret(registerResponse.ClientSecret!)
+            .WithCode(authorizeResponse.Code!)
+            .WithCodeVerifier(proofKeyForCodeExchange.CodeVerifier)
+            .WithResource([weatherClient.ClientUri!])
+            .WithGrantType(GrantTypeConstants.AuthorizationCode)
+            .Post();
+
+        // Act
+        var introspectionResponse = await IntrospectionEndpointBuilder
+            .WithClientId(weatherClient.Id)
+            .WithClientSecret(weatherClientSecret)
+            .WithToken(tokenResponse.AccessToken)
+            .WithTokenEndpointAuthMethod(TokenEndpointAuthMethod.ClientSecretBasic)
+            .Post();
+
+        // Arrange
+        Assert.True(introspectionResponse.Active);
+        Assert.NotNull(introspectionResponse.JwtId);
+        Assert.Equal(registerResponse.ClientId, introspectionResponse.ClientId);
+        Assert.NotNull(introspectionResponse.ExpiresAt);
+        Assert.Equal(DiscoveryDocument.Issuer, introspectionResponse.Issuer);
+        Assert.NotNull(introspectionResponse.Audience);
+        Assert.Single(introspectionResponse.Audience);
+        Assert.Equal(weatherClient.ClientUri!, introspectionResponse.Audience.Single());
+        Assert.NotNull(introspectionResponse.IssuedAt);
+        Assert.NotNull(introspectionResponse.NotBefore);
+        Assert.Equal(weatherReadScope, introspectionResponse.Scope);
+        Assert.NotNull(introspectionResponse.Username);
+        Assert.NotNull(introspectionResponse.AuthTime);
+        Assert.NotNull(introspectionResponse.Acr);
+    }
+
+    [Fact]
+    public async Task Introspection_ActiveClientAccessToken_ExpectActive()
+    {
+        // Arrange
+        var weatherReadScope = await AddWeatherReadScope();
+        var weatherClientSecret = CryptographyHelper.GetRandomString(16);
+        var weatherClient = await AddWeatherClient(weatherClientSecret);
 
         var registerResponse = await RegisterEndpointBuilder
             .WithClientName("worker-app")
diff --git a/tests/AuthServer.Tests.IntegrationTest/RevocationIntegrationTest.cs b/tests/AuthServer.Tests.IntegrationTest/RevocationIntegrationTest.cs
@@ -2,6 +2,7 @@
 using AuthServer.Core;
 using AuthServer.Entities;
 using AuthServer.Enums;
+using AuthServer.Helpers;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.DependencyInjection;
@@ -21,7 +22,8 @@ public async Task Revocation_ActiveToken_ExpectRevoked()
     {
         // Arrange
         var weatherReadScope = await AddWeatherReadScope();
-        var weatherClient = await AddWeatherClient();
+        var weatherClientSecret = CryptographyHelper.GetRandomString(16);
+        var weatherClient = await AddWeatherClient(weatherClientSecret);
 
         var registerResponse = await RegisterEndpointBuilder
             .WithClientName("worker-app")
diff --git a/tests/AuthServer.Tests.IntegrationTest/TokenIntegrationTest.cs b/tests/AuthServer.Tests.IntegrationTest/TokenIntegrationTest.cs
@@ -1,9 +1,11 @@
-﻿using Microsoft.AspNetCore.Mvc.Testing;
-using AuthServer.Constants;
+﻿using AuthServer.Constants;
 using AuthServer.Enums;
+using AuthServer.Helpers;
 using AuthServer.Tests.Core;
 using AuthServer.TokenDecoders;
+using Microsoft.AspNetCore.Mvc.Testing;
 using Xunit.Abstractions;
+using ProofKeyForCodeExchangeHelper = AuthServer.Tests.Core.ProofKeyForCodeExchangeHelper;
 
 namespace AuthServer.Tests.IntegrationTest;
 public class TokenIntegrationTest : BaseIntegrationTest
@@ -18,7 +20,8 @@ public async Task Token_AuthorizationCodeGrant_ExpectTokens()
     {
         // Arrange
         var weatherReadScope = await AddWeatherReadScope();
-        var weatherClient = await AddWeatherClient();
+        var weatherClientSecret = CryptographyHelper.GetRandomString(16);
+        var weatherClient = await AddWeatherClient(weatherClientSecret);
         var identityProviderClient = await AddIdentityProviderClient();
 
         var registerResponse = await RegisterEndpointBuilder
@@ -68,7 +71,8 @@ public async Task Token_RefreshTokenGrant_ExpectTokens()
     {
         // Arrange
         var weatherReadScope = await AddWeatherReadScope();
-        var weatherClient = await AddWeatherClient();
+        var weatherClientSecret = CryptographyHelper.GetRandomString(16);
+        var weatherClient = await AddWeatherClient(weatherClientSecret);
 
         var registerResponse = await RegisterEndpointBuilder
             .WithClientName("web-app")
@@ -126,7 +130,8 @@ public async Task Token_ClientCredentialsGrantWithPrivateKeyJwt_ExpectAccessToke
     {
         // Arrange
         var weatherReadScope = await AddWeatherReadScope();
-        var weatherClient = await AddWeatherClient();
+        var weatherClientSecret = CryptographyHelper.GetRandomString(16);
+        var weatherClient = await AddWeatherClient(weatherClientSecret);
         var jwks = ClientJwkBuilder.GetClientJwks();
 
         var registerResponse = await RegisterEndpointBuilder
diff --git a/tests/AuthServer.Tests.UnitTest/Introspection/IntrospectionRequestProcessorTest.cs b/tests/AuthServer.Tests.UnitTest/Introspection/IntrospectionRequestProcessorTest.cs
diff --git a/tests/AuthServer.Tests.UnitTest/Introspection/IntrospectionRequestValidatorTest.cs b/tests/AuthServer.Tests.UnitTest/Introspection/IntrospectionRequestValidatorTest.cs
diff --git a/tests/AuthServer.Tests.UnitTest/TokenBuilders/GrantAccessTokenBuilderTest.cs b/tests/AuthServer.Tests.UnitTest/TokenBuilders/GrantAccessTokenBuilderTest.cs

Original file line number	Diff line number	Diff line change
`@@ -5,4 +5,4 @@ public static long ToUnixTimeSeconds(this DateTime dateTime)`
`5`	`5`	`{`
`6`	`6`	`return (long)dateTime.Subtract(DateTime.UnixEpoch).TotalSeconds;`
`7`	`7`	`}`
`8`		`-}`
	`8`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -13,4 +13,6 @@ internal class IntrospectionResponse`
`13`	`13`	`public IEnumerable<string> Audience { get; init; } = [];`
`14`	`14`	`public string? Issuer { get; init; }`
`15`	`15`	`public string? JwtId { get; init; }`
	`16`	`+ public long? AuthTime { get; init; }`
	`17`	`+ public string? Acr { get; init; }`
`16`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`namespace AuthServer.Introspection;`
`2`	`2`	`internal class IntrospectionValidatedRequest`
`3`	`3`	`{`
`4`		`- public required string ClientId { get; init; }`
`5`	`4`	`public required string Token { get; init; }`
`6`	`5`	`public required IReadOnlyCollection<string> Scope { get; init; }`
`7`	`6`	`}`