Merge pull request #28 from jokk-itu/feature/parallelize-backchannel-logout

Author: jokk-itu

src/AuthServer.TestClient/Pages/Index.cshtml.cs

@@ -1,4 +1,3 @@
-using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
 
 namespace AuthServer.TestClient.Pages;

src/AuthServer/Authentication/Abstractions/IClientLogoutService.cs

@@ -3,12 +3,12 @@
 internal interface IClientLogoutService
 {
     /// <summary>
-    /// Requests the client's backchannel logout endpoint.
+    /// Requests logout for all provided clients at the backchannel logout endpoint.
     /// </summary>
-    /// <param name="clientId"></param>
+    /// <param name="clientIds"></param>
     /// <param name="sessionId"></param>
     /// <param name="subjectIdentifier"></param>
     /// <param name="cancellationToken"></param>
     /// <returns></returns>
-    Task Logout(string clientId, string? sessionId, string? subjectIdentifier, CancellationToken cancellationToken);
+    Task Logout(IReadOnlyCollection<string> clientIds, string? sessionId, string? subjectIdentifier, CancellationToken cancellationToken);
 }

src/AuthServer/Authentication/ClientJwkService.cs

@@ -84,8 +84,6 @@ public async Task<IEnumerable<JsonWebKey>> GetKeys(string clientId, string use,
 
     private async Task<string> RefreshJwks(string? clientId, string jwksUri, CancellationToken cancellationToken)
     {
-        // TODO implement a Timeout to reduce Denial-Of-Service attacks
-        // TODO implement retry delegate handler (5XX and 429)
         try
         {
             using var httpClient = _httpClientFactory.CreateClient(HttpClientNameConstants.Client);

src/AuthServer/Authentication/ClientLogoutService.cs

@@ -1,6 +1,6 @@
 using AuthServer.Authentication.Abstractions;
-using AuthServer.Cache.Abstractions;
 using AuthServer.Core;
+using AuthServer.Entities;
 using AuthServer.TokenBuilders;
 using AuthServer.TokenBuilders.Abstractions;
 using Microsoft.Extensions.Logging;
@@ -10,54 +10,68 @@ internal class ClientLogoutService : IClientLogoutService
 {
     private readonly IHttpClientFactory _httpClientFactory;
     private readonly ITokenBuilder<LogoutTokenArguments> _tokenBuilder;
-    private readonly ICachedClientStore _cachedClientStore;
     private readonly ILogger<ClientLogoutService> _logger;
+    private readonly AuthorizationDbContext _authorizationDbContext;
 
     public ClientLogoutService(
         IHttpClientFactory httpClientFactory,
         ITokenBuilder<LogoutTokenArguments> tokenBuilder,
-        ICachedClientStore cachedClientStore,
-        ILogger<ClientLogoutService> logger)
+        ILogger<ClientLogoutService> logger,
+        AuthorizationDbContext authorizationDbContext)
     {
         _httpClientFactory = httpClientFactory;
         _tokenBuilder = tokenBuilder;
-        _cachedClientStore = cachedClientStore;
         _logger = logger;
+        _authorizationDbContext = authorizationDbContext;
     }
 
-    public async Task Logout(string clientId, string? sessionId, string? subjectIdentifier, CancellationToken cancellationToken)
+    public async Task Logout(IReadOnlyCollection<string> clientIds, string? sessionId, string? subjectIdentifier, CancellationToken cancellationToken)
     {
-        var client = await _cachedClientStore.Get(clientId, cancellationToken);
-
-        var httpClient = _httpClientFactory.CreateClient(HttpClientNameConstants.Client);
-        var logoutToken = await _tokenBuilder.BuildToken(new LogoutTokenArguments
+        var logoutRequests = new List<LogoutRequest>();
+        foreach (var clientId in clientIds)
         {
-            ClientId = clientId,
-            SessionId = sessionId,
-            SubjectIdentifier = subjectIdentifier
-        }, cancellationToken);
+            var logoutToken = await _tokenBuilder.BuildToken(
+                new LogoutTokenArguments
+                {
+                    ClientId = clientId,
+                    SessionId = sessionId,
+                    SubjectIdentifier = subjectIdentifier
+                },
+                cancellationToken);
 
-        var body = new Dictionary<string, string>
-        {
-            { Parameter.LogoutToken, logoutToken }
-        };
+            var client = (await _authorizationDbContext.FindAsync<Client>([clientId], cancellationToken))!;
 
-        var httpRequestMessage = new HttpRequestMessage(HttpMethod.Post, client.BackchannelLogoutUri)
-        {
-            Content = new FormUrlEncodedContent(body)
-        };
+            logoutRequests.Add(new LogoutRequest(clientId, client.BackchannelLogoutUri!, logoutToken));
+        }
 
-        // TODO Implement retry for 5XX and 429
-        // TODO Implement Timeout to remove denial-of-service attacks
+        await Parallel.ForEachAsync(
+            logoutRequests,
+            cancellationToken,
+            async (logoutRequest, innerToken) =>
+            {
+                var httpClient = _httpClientFactory.CreateClient(HttpClientNameConstants.Client);
 
-        try
-        {
-            var response = await httpClient.SendAsync(httpRequestMessage, cancellationToken);
-            response.EnsureSuccessStatusCode();
-        }
-        catch (HttpRequestException e)
-        {
-            _logger.LogWarning(e, "Error occurred requesting logout for client {ClientId}", clientId);
-        }
+                var body = new Dictionary<string, string>
+                {
+                    { Parameter.LogoutToken, logoutRequest.LogoutToken }
+                };
+
+                var httpRequestMessage = new HttpRequestMessage(HttpMethod.Post, logoutRequest.LogoutUri)
+                {
+                    Content = new FormUrlEncodedContent(body)
+                };
+
+                try
+                {
+                    var response = await httpClient.SendAsync(httpRequestMessage, innerToken);
+                    response.EnsureSuccessStatusCode();
+                }
+                catch (HttpRequestException e)
+                {
+                    _logger.LogWarning(e, "Error occurred requesting logout for client {ClientId}", logoutRequest.ClientId);
+                }
+            });
     }
+
+    private sealed record LogoutRequest(string ClientId, string LogoutUri, string LogoutToken);
 }

src/AuthServer/Authorization/SecureRequestService.cs

@@ -126,8 +126,6 @@ public AuthorizeRequestDto GetCachedRequest()
     public async Task<AuthorizeRequestDto?> GetRequestByReference(Uri requestUri, string clientId,
         ClientTokenAudience audience, CancellationToken cancellationToken)
     {
-        // TODO implement a Timeout to reduce Denial-Of-Service attacks, where a RequestUri recursively calls Authorize
-        // TODO implement retry delegate handler (5XX and 429)
         var httpClient = _httpClientFactory.CreateClient(HttpClientNameConstants.Client);
         var request = new HttpRequestMessage(HttpMethod.Get, requestUri);
         request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue(MimeTypeConstants.OAuthRequestJwt));

src/AuthServer/Authorize/AuthorizeEndpointModule.cs

@@ -1,5 +1,6 @@
 using AuthServer.Core;
 using AuthServer.Core.Abstractions;
+using AuthServer.Endpoints;
 using AuthServer.Endpoints.Filters;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -15,7 +16,7 @@ public void RegisterEndpoint(IEndpointRouteBuilder endpointRouteBuilder)
         var routeBuilder = endpointRouteBuilder.MapMethods(
             "connect/authorize",
             ["GET", "POST"],
-            (HttpContext httpContext, [FromKeyedServices("Authorize")] IEndpointHandler endpointHandler,
+            (HttpContext httpContext, [FromKeyedServices(EndpointNameConstants.Authorize)] IEndpointHandler endpointHandler,
                 CancellationToken cancellationToken) => endpointHandler.Handle(httpContext, cancellationToken));
 
         routeBuilder

src/AuthServer/EndSession/EndSessionEndpointModule.cs

@@ -1,5 +1,6 @@
 using AuthServer.Core;
 using AuthServer.Core.Abstractions;
+using AuthServer.Endpoints;
 using AuthServer.Endpoints.Filters;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -15,7 +16,7 @@ public void RegisterEndpoint(IEndpointRouteBuilder endpointRouteBuilder)
         var routeBuilder = endpointRouteBuilder.MapMethods(
             "connect/end-session",
             ["GET", "POST"],
-            (HttpContext httpContext, [FromKeyedServices("EndSession")] IEndpointHandler endpointHandler,
+            (HttpContext httpContext, [FromKeyedServices(EndpointNameConstants.EndSession)] IEndpointHandler endpointHandler,
                 CancellationToken cancellationToken) => endpointHandler.Handle(httpContext, cancellationToken));
 
         routeBuilder

src/AuthServer/EndSession/EndSessionRequestProcessor.cs

@@ -98,10 +98,12 @@ public async Task<Unit> Process(EndSessionValidatedRequest request, Cancellation
     private async Task BackchannelLogout(IEnumerable<Client> clients, EndSessionValidatedRequest request,
         CancellationToken cancellationToken)
     {
-        foreach (var client in clients.Where(x => x.BackchannelLogoutUri is not null))
-        {
-            await _clientLogoutService.Logout(client.Id, request.SessionId, request.SubjectIdentifier, cancellationToken);
-        }
+        var clientIds = clients
+            .Where(x => x.BackchannelLogoutUri is not null)
+            .Select(x => x.Id)
+            .ToList();
+
+        await _clientLogoutService.Logout(clientIds, request.SessionId, request.SubjectIdentifier, cancellationToken);
     }
 
     private sealed record SessionQuery(IEnumerable<Client> Clients);

src/AuthServer/Endpoints/EndpointNameConstants.cs

@@ -0,0 +1,15 @@
+namespace AuthServer.Endpoints;
+
+internal static class EndpointNameConstants
+{
+    public const string PushedAuthorization = "PushedAuthorization";
+    public const string Register = "Register";
+    public const string EndSession = "EndSession";
+    public const string Authorize = "Authorize";
+    public const string Userinfo = "Userinfo";
+    public const string Introspection = "Introspection";
+    public const string Revocation = "Revocation";
+    public const string Token = "Token";
+    public const string GrantManagementQuery = "GrantManagementQuery";
+    public const string GrantManagementRevoke = "GrantManagementRevoke";
+}