Merge remote-tracking branch 'origin/dev' into pmaytak/1pjwt

CHANGELOG.md

@@ -5,7 +5,7 @@ See the [releases](https://github.com/AzureAD/azure-activedirectory-identitymode
 ### Breaking changes:
 - IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue [#2544](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2544) for details.
 - Two IdentityModel extension dlls `Microsoft.IdentityModel.KeyVaultExtensions` and `Microsoft.IdentityModel.ManagedKeyVaultSecurityKey` were using ADAL, which is no longer supported . The affected packages have been removed, as the replacement is to use [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web/wiki/Certificates). See issue [#2454](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2454) for details.
-- `AppContext.SetSwitch` which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue [#2629](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2629) for details.
+- `AppContext.SetSwitch` which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue [#2629](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2629) and https://aka.ms/IdentityModel8x for details.
 
 7.6.1
 =====
@@ -17,7 +17,6 @@ See the [releases](https://github.com/AzureAD/azure-activedirectory-identitymode
 - `JwtRegisteredClaimNames` now contains previously missing Standard OpenIdConnect claims. See issue [#1598](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1598) for details.
 
 ### Performance Improvements:
-- Reduced allocations in `AadIssuerValidator` by not using `string.Replace` where appropriate. See issue [#2595](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2595) and PR [#2597](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/2597) for more details.
 - No longer for every string claim, calling DateTime.TryParse on each value, whether it is expected to be a DateTime or not. See issue [#2615](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2615) for details.
 
 7.6.0

src/Microsoft.IdentityModel.Protocols.OpenIdConnect/Configuration/OpenIdConnectConfiguration.cs

@@ -23,6 +23,9 @@ public class OpenIdConnectConfiguration : BaseConfiguration
         // these are used to lazy create
         private Dictionary<string, object> _additionalData;
         private ICollection<string> _acrValuesSupported;
+        private ICollection<string> _authorizationEncryptionAlgValuesSupported;
+        private ICollection<string> _authorizationEncryptionEncValuesSupported;
+        private ICollection<string> _authorizationSigningAlgValuesSupported;
         private ICollection<string> _backchannelAuthenticationRequestSigningAlgValuesSupported;
         private ICollection<string> _backchannelTokenDeliveryModesSupported;
         private ICollection<string> _claimsSupported;
@@ -146,6 +149,24 @@ public OpenIdConnectConfiguration(string json)
 #endif
         public string AuthorizationEndpoint { get; set; }
 
+        /// <summary>
+        /// Gets the collection of 'authorization_encryption_alg_values_supported'
+        /// </summary>
+        [JsonPropertyName(OpenIdProviderMetadataNames.AuthorizationEncryptionAlgValuesSupported)]
+        public ICollection<string> AuthorizationEncryptionAlgValuesSupported =>
+            _authorizationEncryptionAlgValuesSupported ??
+            Interlocked.CompareExchange(ref _authorizationEncryptionAlgValuesSupported, new Collection<string>(), null) ??
+            _authorizationEncryptionAlgValuesSupported;
+
+        /// <summary>
+        /// Gets the collection of 'authorization_encryption_enc_values_supported'
+        /// </summary>
+        [JsonPropertyName(OpenIdProviderMetadataNames.AuthorizationEncryptionEncValuesSupported)]
+        public ICollection<string> AuthorizationEncryptionEncValuesSupported =>
+            _authorizationEncryptionEncValuesSupported ??
+            Interlocked.CompareExchange(ref _authorizationEncryptionEncValuesSupported, new Collection<string>(), null) ??
+            _authorizationEncryptionEncValuesSupported;
+
         /// <summary>
         /// Gets or sets the 'authorization_response_iss_parameter_supported'
         /// </summary>
@@ -155,6 +176,15 @@ public OpenIdConnectConfiguration(string json)
 #endif
         public bool AuthorizationResponseIssParameterSupported { get; set; }
 
+        /// <summary>
+        /// Gets the collection of 'authorization_signing_alg_values_supported'
+        /// </summary>
+        [JsonPropertyName(OpenIdProviderMetadataNames.AuthorizationSigningAlgValuesSupported)]
+        public ICollection<string> AuthorizationSigningAlgValuesSupported =>
+            _authorizationSigningAlgValuesSupported ??
+            Interlocked.CompareExchange(ref _authorizationSigningAlgValuesSupported, new Collection<string>(), null) ??
+            _authorizationSigningAlgValuesSupported;
+
         /// <summary>
         /// Gets or sets the 'backchannel_authentication_endpoint'.
         /// </summary>
@@ -622,6 +652,15 @@ public OpenIdConnectConfiguration(string json)
             Interlocked.CompareExchange(ref _tokenEndpointAuthSigningAlgValuesSupported, new Collection<string>(), null) ??
             _tokenEndpointAuthSigningAlgValuesSupported;
 
+        /// <summary>
+        /// Gets or sets the 'tls_client_certificate_bound_access_tokens'
+        /// </summary>
+        [JsonPropertyName(OpenIdProviderMetadataNames.TlsClientCertificateBoundAccessTokens)]
+#if NET6_0_OR_GREATER
+        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingDefault)]
+#endif
+        public bool TlsClientCertificateBoundAccessTokens { get; set; }
+
         /// <summary>
         /// Gets the collection of 'ui_locales_supported'
         /// </summary>
@@ -681,6 +720,39 @@ public bool ShouldSerializeAcrValuesSupported()
             return AcrValuesSupported.Count > 0;
         }
 
+        /// <summary>
+        /// Gets a bool that determines if the 'authorization_encryption_alg_values_supported' (AuthorizationEncryptionAlgValuesSupported) property should be serialized.
+        /// This is used by Json.NET in order to conditionally serialize properties.
+        /// </summary>
+        /// <return>true if 'authorization_encryption_alg_values_supported' (AuthorizationEncryptionAlgValuesSupported) is not empty; otherwise, false.</return>
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public bool ShouldSerializeAuthorizationEncryptionAlgValuesSupported()
+        {
+            return AuthorizationEncryptionAlgValuesSupported.Count > 0;
+        }
+
+        /// <summary>
+        /// Gets a bool that determines if the 'authorization_encryption_enc_values_supported' (AuthorizationEncryptionEncValuesSupported) property should be serialized.
+        /// This is used by Json.NET in order to conditionally serialize properties.
+        /// </summary>
+        /// <return>true if 'authorization_encryption_enc_values_supported' (AuthorizationEncryptionEncValuesSupported) is not empty; otherwise, false.</return>
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public bool ShouldSerializeAuthorizationEncryptionEncValuesSupported()
+        {
+            return AuthorizationEncryptionEncValuesSupported.Count > 0;
+        }
+
+        /// <summary>
+        /// Gets a bool that determines if the 'authorization_signing_alg_values_supported' (AuthorizationSigningAlgValuesSupported) property should be serialized.
+        /// This is used by Json.NET in order to conditionally serialize properties.
+        /// </summary>
+        /// <return>true if 'authorization_signing_alg_values_supported' (AuthorizationSigningAlgValuesSupported) is not empty; otherwise, false.</return>
+        [EditorBrowsable(EditorBrowsableState.Never)]
+        public bool ShouldSerializeAuthorizationSigningAlgValuesSupported()
+        {
+            return AuthorizationSigningAlgValuesSupported.Count > 0;
+        }
+
         /// <summary>
         /// Gets a bool that determines if the 'backchannel_token_delivery_modes_supported' (BackchannelTokenDeliveryModesSupported) property should be serialized.
         /// This is used by Json.NET in order to conditionally serialize properties.

src/Microsoft.IdentityModel.Protocols.OpenIdConnect/Json/OpenIdConnectConfigurationSerializer.cs

@@ -39,7 +39,10 @@ public static readonly
         {
             "ACR_VALUES_SUPPORTED",
             "AUTHORIZATION_ENDPOINT",
+            "AUTHORIZATION_ENCRYPTION_ALG_VALUES_SUPPORTED",
+            "AUTHORIZATION_ENCRYPTION_ENC_VALUES_SUPPORTED",
             "AUTHORIZATION_RESPONSE_ISS_PARAMETER_SUPPORTED",
+            "AUTHORIZATION_SIGNING_ALG_VALUES_SUPPORTED",
             "BACKCHANNEL_AUTHENTICATION_ENDPOINT",
             "BACKCHANNEL_AUTHENTICATION_REQUEST_SIGNING_ALG_VALUES_SUPPORTED",
             "BACKCHANNEL_TOKEN_DELIVERY_MODES_SUPPORTED",
@@ -91,6 +94,7 @@ public static readonly
             "TOKEN_ENDPOINT",
             "TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED",
             "TOKEN_ENDPOINT_AUTH_SIGNING_ALG_VALUES_SUPPORTED",
+            "TLS_CLIENT_CERTIFICATE_BOUND_ACCESS_TOKENS",
             "UI_LOCALES_SUPPORTED",
             "USERINFO_ENDPOINT",
             "USERINFO_ENCRYPTION_ALG_VALUES_SUPPORTED",
@@ -162,9 +166,18 @@ public static OpenIdConnectConfiguration Read(ref Utf8JsonReader reader, OpenIdC
                     else if (reader.ValueTextEquals(Utf8Bytes.AuthorizationEndpoint))
                         config.AuthorizationEndpoint = JsonPrimitives.ReadString(ref reader, MetadataName.AuthorizationEndpoint, ClassName, true);
 
+                    else if (reader.ValueTextEquals(Utf8Bytes.AuthorizationEncryptionAlgValuesSupported))
+                        JsonPrimitives.ReadStrings(ref reader, config.AuthorizationEncryptionAlgValuesSupported, MetadataName.AuthorizationEncryptionAlgValuesSupported, ClassName, true);
+
+                    else if (reader.ValueTextEquals(Utf8Bytes.AuthorizationEncryptionEncValuesSupported))
+                        JsonPrimitives.ReadStrings(ref reader, config.AuthorizationEncryptionEncValuesSupported, MetadataName.AuthorizationEncryptionEncValuesSupported, ClassName, true);
+
                     else if (reader.ValueTextEquals(Utf8Bytes.AuthorizationResponseIssParameterSupported))
                         config.AuthorizationResponseIssParameterSupported = JsonPrimitives.ReadBoolean(ref reader, MetadataName.AuthorizationResponseIssParameterSupported, ClassName, true);
 
+                    else if (reader.ValueTextEquals(Utf8Bytes.AuthorizationSigningAlgValuesSupported))
+                        JsonPrimitives.ReadStrings(ref reader, config.AuthorizationSigningAlgValuesSupported, MetadataName.AuthorizationSigningAlgValuesSupported, ClassName, true);
+
                     else if (reader.ValueTextEquals(Utf8Bytes.BackchannelAuthenticationEndpoint))
                         config.BackchannelAuthenticationEndpoint = JsonPrimitives.ReadString(ref reader, MetadataName.BackchannelAuthenticationEndpoint, ClassName, true);
 
@@ -328,6 +341,9 @@ public static OpenIdConnectConfiguration Read(ref Utf8JsonReader reader, OpenIdC
                     else if (reader.ValueTextEquals(Utf8Bytes.TokenEndpointAuthSigningAlgValuesSupported))
                         JsonPrimitives.ReadStrings(ref reader, config.TokenEndpointAuthSigningAlgValuesSupported, MetadataName.TokenEndpointAuthSigningAlgValuesSupported, ClassName, true);
 
+                    else if (reader.ValueTextEquals(Utf8Bytes.TlsClientCertificateBoundAccessTokens))
+                        config.TlsClientCertificateBoundAccessTokens = JsonPrimitives.ReadBoolean(ref reader, MetadataName.TlsClientCertificateBoundAccessTokens, ClassName, true);
+
                     else if (reader.ValueTextEquals(Utf8Bytes.UILocalesSupported))
                         JsonPrimitives.ReadStrings(ref reader, config.UILocalesSupported, MetadataName.UILocalesSupported, ClassName, true);
 
@@ -366,9 +382,18 @@ public static OpenIdConnectConfiguration Read(ref Utf8JsonReader reader, OpenIdC
                             else if (propertyName.Equals(MetadataName.AuthorizationEndpoint, StringComparison.OrdinalIgnoreCase))
                                 config.AuthorizationEndpoint = JsonPrimitives.ReadString(ref reader, propertyName, ClassName);
 
+                            else if (propertyName.Equals(MetadataName.AuthorizationEncryptionAlgValuesSupported, StringComparison.OrdinalIgnoreCase))
+                                JsonPrimitives.ReadStrings(ref reader, config.AuthorizationEncryptionAlgValuesSupported, propertyName, ClassName);
+
+                            else if (propertyName.Equals(MetadataName.AuthorizationEncryptionEncValuesSupported, StringComparison.OrdinalIgnoreCase))
+                                JsonPrimitives.ReadStrings(ref reader, config.AuthorizationEncryptionEncValuesSupported, propertyName, ClassName);
+
                             else if (propertyName.Equals(MetadataName.AuthorizationResponseIssParameterSupported, StringComparison.OrdinalIgnoreCase))
                                 config.AuthorizationResponseIssParameterSupported = JsonPrimitives.ReadBoolean(ref reader, propertyName, ClassName);
 
+                            else if (propertyName.Equals(MetadataName.AuthorizationSigningAlgValuesSupported, StringComparison.OrdinalIgnoreCase))
+                                JsonPrimitives.ReadStrings(ref reader, config.AuthorizationSigningAlgValuesSupported, propertyName, ClassName);
+
                             else if (propertyName.Equals(MetadataName.BackchannelAuthenticationEndpoint, StringComparison.OrdinalIgnoreCase))
                                 config.BackchannelAuthenticationEndpoint = JsonPrimitives.ReadString(ref reader, propertyName, ClassName);
 
@@ -533,6 +558,9 @@ public static OpenIdConnectConfiguration Read(ref Utf8JsonReader reader, OpenIdC
                             else if (propertyName.Equals(MetadataName.TokenEndpointAuthSigningAlgValuesSupported, StringComparison.OrdinalIgnoreCase))
                                 JsonPrimitives.ReadStrings(ref reader, config.TokenEndpointAuthSigningAlgValuesSupported, propertyName, ClassName);
 
+                            else if (propertyName.Equals(MetadataName.TlsClientCertificateBoundAccessTokens, StringComparison.OrdinalIgnoreCase))
+                                config.TlsClientCertificateBoundAccessTokens = JsonPrimitives.ReadBoolean(ref reader, propertyName, ClassName);
+
                             else if (propertyName.Equals(MetadataName.UILocalesSupported, StringComparison.OrdinalIgnoreCase))
                                 JsonPrimitives.ReadStrings(ref reader, config.UILocalesSupported, propertyName, ClassName);
 
@@ -592,9 +620,18 @@ public static void Write(ref Utf8JsonWriter writer, OpenIdConnectConfiguration c
             if (!string.IsNullOrEmpty(config.AuthorizationEndpoint))
                 writer.WriteString(Utf8Bytes.AuthorizationEndpoint, config.AuthorizationEndpoint);
 
+            if (config.AuthorizationEncryptionAlgValuesSupported.Count > 0)
+                JsonPrimitives.WriteStrings(ref writer, Utf8Bytes.AuthorizationEncryptionAlgValuesSupported, config.AuthorizationEncryptionAlgValuesSupported);
+
+            if (config.AuthorizationEncryptionEncValuesSupported.Count > 0)
+                JsonPrimitives.WriteStrings(ref writer, Utf8Bytes.AuthorizationEncryptionEncValuesSupported, config.AuthorizationEncryptionEncValuesSupported);
+
             if (config.AuthorizationResponseIssParameterSupported)
                 writer.WriteBoolean(Utf8Bytes.AuthorizationResponseIssParameterSupported, config.AuthorizationResponseIssParameterSupported);
 
+            if (config.AuthorizationSigningAlgValuesSupported.Count > 0)
+                JsonPrimitives.WriteStrings(ref writer, Utf8Bytes.AuthorizationSigningAlgValuesSupported, config.AuthorizationSigningAlgValuesSupported);
+
             if (!string.IsNullOrEmpty(config.BackchannelAuthenticationEndpoint))
                 writer.WriteString(Utf8Bytes.BackchannelAuthenticationEndpoint, config.BackchannelAuthenticationEndpoint);
 
@@ -745,6 +782,9 @@ public static void Write(ref Utf8JsonWriter writer, OpenIdConnectConfiguration c
             if (config.TokenEndpointAuthSigningAlgValuesSupported.Count > 0)
                 JsonPrimitives.WriteStrings(ref writer, Utf8Bytes.TokenEndpointAuthSigningAlgValuesSupported, config.TokenEndpointAuthSigningAlgValuesSupported);
 
+            if (config.TlsClientCertificateBoundAccessTokens)
+                writer.WriteBoolean(Utf8Bytes.TlsClientCertificateBoundAccessTokens, config.TlsClientCertificateBoundAccessTokens);
+
             if (config.UILocalesSupported.Count > 0)
                 JsonPrimitives.WriteStrings(ref writer, Utf8Bytes.UILocalesSupported, config.UILocalesSupported);
 

src/Microsoft.IdentityModel.Protocols.OpenIdConnect/OpenIdConnectScope.cs

@@ -37,10 +37,15 @@ public static class OpenIdConnectScope
         public const string OpenIdProfile = "openid profile";
 
         /// <summary>
-        /// Indicates <c>phone</c> profile scope see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims.
+        /// Indicates <c>phone</c> scope see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims.
         /// </summary>
         public const string Phone = "phone";
 
+        /// <summary>
+        /// Indicates <c>profile</c> scope see: https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims.
+        /// </summary>
+        public const string Profile = "profile";
+
         /// <summary>
         /// Indicates <c>user_impersonation</c> scope for Azure Active Directory.
         /// </summary>