Merge pull request #217 from DuendeSoftware/joe/dpop-cnf

DuendeSoftware · Oct 3, 2024 · 960fb64 · 960fb64
2 parents ef083f6 + 038594e
commit 960fb64
Show file tree

Hide file tree

Showing 7 changed files with 71 additions and 31 deletions.
diff --git a/IdentityServer/v6/DPoP/Api/DPoP/DPoPExtensions.cs b/IdentityServer/v6/DPoP/Api/DPoP/DPoPExtensions.cs
@@ -57,19 +57,6 @@ public static void SetDPoPNonce(this AuthenticationProperties props, string nonc
         props.Items["DPoP-Nonce"] = nonce;
     }
 
-    /// <summary>
-    /// Create the value of a thumbprint-based cnf claim
-    /// </summary>
-    public static string CreateThumbprintCnf(this JsonWebKey jwk)
-    {
-        var jkt = jwk.CreateThumbprint();
-        var values = new Dictionary<string, string>
-        {
-            { JwtClaimTypes.ConfirmationMethods.JwkThumbprint, jkt }
-        };
-        return JsonSerializer.Serialize(values);
-    }
-
     /// <summary>
     /// Create the value of a thumbprint
     /// </summary>

diff --git a/IdentityServer/v6/DPoP/Api/DPoP/DPoPProofValidatonContext.cs b/IdentityServer/v6/DPoP/Api/DPoP/DPoPProofValidatonContext.cs
@@ -1,4 +1,5 @@
 using System.Collections.Generic;
+using System.Linq;
 using System.Security.Claims;
 
 namespace ApiHost;
@@ -29,4 +30,9 @@ public class DPoPProofValidatonContext
     /// The access token
     /// </summary>
     public string AccessToken { get; set; }
+
+    /// <summary>
+    /// The claims associated with the access token. 
+    /// </summary>
+    public IEnumerable<Claim> AccessTokenClaims { get; set; } = Enumerable.Empty<Claim>();
 }
diff --git a/IdentityServer/v6/DPoP/Api/DPoP/DPoPProofValidator.cs b/IdentityServer/v6/DPoP/Api/DPoP/DPoPProofValidator.cs
@@ -102,10 +102,10 @@ public async Task<DPoPProofValidatonResult> ValidateAsync(DPoPProofValidatonCont
     protected virtual Task ValidateHeaderAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
     {
         JsonWebToken token;
+        var handler = new JsonWebTokenHandler();
 
         try
         {
-            var handler = new JsonWebTokenHandler();
             token = handler.ReadJsonWebToken(context.ProofToken);
         }
         catch (Exception ex)
@@ -161,7 +161,33 @@ protected virtual Task ValidateHeaderAsync(DPoPProofValidatonContext context, DP
 
         result.JsonWebKey = jwkJson;
         result.JsonWebKeyThumbprint = jwk.CreateThumbprint();
-        result.Confirmation = jwk.CreateThumbprintCnf();
+
+        var accessToken = handler.ReadJsonWebToken(context.AccessToken);
+        var cnf = accessToken.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Confirmation);
+        if (cnf == null)
+        {
+            result.IsError = true;
+            result.ErrorDescription = "Missing 'cnf' value.";
+            return Task.CompletedTask;
+        }
+        var json = JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(cnf.Value);
+        if (json == null)
+        {
+            result.IsError = true;
+            result.ErrorDescription = "Invalid 'cnf' value.";
+            return Task.CompletedTask;
+        } 
+        if (json.TryGetValue(JwtClaimTypes.ConfirmationMethods.JwkThumbprint, out var jktJson))
+        {
+            var accessTokenJkt = jktJson.ToString();
+            if (accessTokenJkt != result.JsonWebKeyThumbprint)
+            {
+                result.IsError = true;
+                result.ErrorDescription = "Invalid 'cnf' value.";
+                return Task.CompletedTask;
+            }
+            result.Confirmation = cnf.Value;
+        }
 
         return Task.CompletedTask;
     }

diff --git a/IdentityServer/v6/DPoP/IdentityServer/IdentityServerHost.csproj b/IdentityServer/v6/DPoP/IdentityServer/IdentityServerHost.csproj
@@ -6,7 +6,7 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Duende.IdentityServer" Version="6.3.0-rc.1" />
+    <PackageReference Include="Duende.IdentityServer" Version="6.3.10" />
     <PackageReference Include="Serilog.AspNetCore" Version="4.1.0" />
   </ItemGroup>
 

diff --git a/IdentityServer/v7/DPoP/Api/DPoP/DPoPExtensions.cs b/IdentityServer/v7/DPoP/Api/DPoP/DPoPExtensions.cs
@@ -55,19 +55,6 @@ public static void SetDPoPNonce(this AuthenticationProperties props, string nonc
         props.Items["DPoP-Nonce"] = nonce;
     }
 
-    /// <summary>
-    /// Create the value of a thumbprint-based cnf claim
-    /// </summary>
-    public static string CreateThumbprintCnf(this JsonWebKey jwk)
-    {
-        var jkt = jwk.CreateThumbprint();
-        var values = new Dictionary<string, string>
-        {
-            { JwtClaimTypes.ConfirmationMethods.JwkThumbprint, jkt }
-        };
-        return JsonSerializer.Serialize(values);
-    }
-
     /// <summary>
     /// Create the value of a thumbprint
     /// </summary>

diff --git a/IdentityServer/v7/DPoP/Api/DPoP/DPoPProofValidatonContext.cs b/IdentityServer/v7/DPoP/Api/DPoP/DPoPProofValidatonContext.cs
@@ -1,3 +1,5 @@
+using System.Security.Claims;
+
 namespace Api;
 
 public class DPoPProofValidatonContext
@@ -26,4 +28,10 @@ public class DPoPProofValidatonContext
     /// The access token
     /// </summary>
     public required string AccessToken { get; set; }
+
+    /// <summary>
+    /// The claims associated with the access token.
+    /// </summary>
+    public IEnumerable<Claim> AccessTokenClaims { get; set; } = Enumerable.Empty<Claim>();
+
 }
diff --git a/IdentityServer/v7/DPoP/Api/DPoP/DPoPProofValidator.cs b/IdentityServer/v7/DPoP/Api/DPoP/DPoPProofValidator.cs
@@ -97,10 +97,10 @@ public async Task<DPoPProofValidatonResult> ValidateAsync(DPoPProofValidatonCont
     protected virtual Task ValidateHeaderAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
     {
         JsonWebToken token;
+        var handler = new JsonWebTokenHandler();
 
         try
         {
-            var handler = new JsonWebTokenHandler();
             token = handler.ReadJsonWebToken(context.ProofToken);
         }
         catch (Exception ex)
@@ -156,7 +156,33 @@ protected virtual Task ValidateHeaderAsync(DPoPProofValidatonContext context, DP
 
         result.JsonWebKey = jwkJson;
         result.JsonWebKeyThumbprint = jwk.CreateThumbprint();
-        result.Confirmation = jwk.CreateThumbprintCnf();
+
+        var accessToken = handler.ReadJsonWebToken(context.AccessToken);
+        var cnf = accessToken.Claims.FirstOrDefault(c => c.Type == JwtClaimTypes.Confirmation);
+        if (cnf == null)
+        {
+            result.IsError = true;
+            result.ErrorDescription = "Missing 'cnf' value.";
+            return Task.CompletedTask;
+        }
+        var json = JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(cnf.Value);
+        if (json == null)
+        {
+            result.IsError = true;
+            result.ErrorDescription = "Invalid 'cnf' value.";
+            return Task.CompletedTask;
+        } 
+        if (json.TryGetValue(JwtClaimTypes.ConfirmationMethods.JwkThumbprint, out var jktJson))
+        {
+            var accessTokenJkt = jktJson.ToString();
+            if (accessTokenJkt != result.JsonWebKeyThumbprint)
+            {
+                result.IsError = true;
+                result.ErrorDescription = "Invalid 'cnf' value.";
+                return Task.CompletedTask;
+            }
+            result.Confirmation = cnf.Value;
+        }
 
         return Task.CompletedTask;
     }