add client assertion update callback event (DuendeArchive#122)

* add client assertion update callback event

* change assertion type in tests

* cleanup

* Now => UtcNow

* Remove static ClientAssertion configuration

* Cleanup

Co-authored-by: Andrey Chayka <achayka@ptsecurity.ru>

Author: ubik

src/Context/UpdateClientAssertionContext.cs

@@ -0,0 +1,35 @@
+// Copyright (c) Dominick Baier & Brock Allen. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using System;
+using IdentityModel.Client;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+
+namespace IdentityModel.AspNetCore.OAuth2Introspection
+{
+    /// <summary>
+    /// Context for the UpdateClientAssertion event
+    /// </summary>
+    public class UpdateClientAssertionContext : ResultContext<OAuth2IntrospectionOptions>
+    {
+        /// <summary>
+        /// ctor
+        /// </summary>
+        public UpdateClientAssertionContext(
+            HttpContext context,
+            AuthenticationScheme scheme,
+            OAuth2IntrospectionOptions options)
+            : base(context, scheme, options) { }
+
+        /// <summary>
+        /// The client assertion
+        /// </summary>
+        public ClientAssertion ClientAssertion { get; set; }
+
+        /// <summary>
+        /// The client assertion expiration time
+        /// </summary>
+        public DateTime ClientAssertionExpirationTime { get; set; }
+    }
+}

src/OAuth2IntrospectionEvents.cs

@@ -21,6 +21,11 @@ public class OAuth2IntrospectionEvents
         /// </summary>
         public Func<TokenValidatedContext, Task> OnTokenValidated { get; set; } = context => Task.CompletedTask;
 
+        /// <summary>
+        /// Invoked when client assertion need to be updated.
+        /// </summary>
+        public Func<UpdateClientAssertionContext, Task> OnUpdateClientAssertion { get; set; } = context => Task.CompletedTask;
+
         /// <summary>
         /// Invoked if exceptions are thrown during request processing. The exceptions will be re-thrown after this event unless suppressed.
         /// </summary>
@@ -30,5 +35,10 @@ public class OAuth2IntrospectionEvents
         /// Invoked after the security token has passed validation and a ClaimsIdentity has been generated.
         /// </summary>
         public virtual Task TokenValidated(TokenValidatedContext context) => OnTokenValidated(context);
+
+        /// <summary>
+        /// Invoked when client assertion need to be updated.
+        /// </summary>
+        public virtual Task UpdateClientAssertion(UpdateClientAssertionContext context) => OnUpdateClientAssertion(context);
     }
 }

src/OAuth2IntrospectionHandler.cs

@@ -1,4 +1,4 @@
-// Copyright (c) Dominick Baier & Brock Allen. All rights reserved.
+// Copyright (c) Dominick Baier & Brock Allen. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using System;
@@ -110,7 +110,7 @@ protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
             {
                 Lazy<Task<TokenIntrospectionResponse>> GetTokenIntrospectionResponseLazy(string _)
                 {
-                    return new Lazy<Task<TokenIntrospectionResponse>>(async () => await LoadClaimsForToken(token, Options));
+                    return new Lazy<Task<TokenIntrospectionResponse>>(async () => await LoadClaimsForToken(token, Context, Scheme, Events, Options));
                 }
 
                 var response = await IntrospectionDictionary
@@ -175,10 +175,56 @@ private static async Task<AuthenticateResult> ReportNonSuccessAndReturn(
             return AuthenticateResult.Fail(error);
         }
 
-        private static async Task<TokenIntrospectionResponse> LoadClaimsForToken(string token, OAuth2IntrospectionOptions options)
+        private static async Task<TokenIntrospectionResponse> LoadClaimsForToken(
+	        string token, 
+	        HttpContext context, 
+	        AuthenticationScheme scheme, 
+	        OAuth2IntrospectionEvents events, 
+	        OAuth2IntrospectionOptions options)
         {
             var introspectionClient = await options.IntrospectionClient.Value.ConfigureAwait(false);
-            return await introspectionClient.Introspect(token, options.TokenTypeHint).ConfigureAwait(false);
+            using var request = CreateTokenIntrospectionRequest(token, context, scheme, events, options);
+            return await introspectionClient.IntrospectTokenAsync(request).ConfigureAwait(false);
+        }
+
+        private static TokenIntrospectionRequest CreateTokenIntrospectionRequest(
+	        string token,
+	        HttpContext context,
+	        AuthenticationScheme scheme,
+	        OAuth2IntrospectionEvents events,
+            OAuth2IntrospectionOptions options)
+        {
+            if (options.ClientSecret == null && options.ClientAssertionExpirationTime <= DateTime.UtcNow)
+            {
+                lock (options.AssertionUpdateLockObj)
+                {
+                    if (options.ClientAssertionExpirationTime <= DateTime.UtcNow)
+                    {
+                        var updateClientAssertionContext = new UpdateClientAssertionContext(context, scheme, options)
+                        {
+                            ClientAssertion = options.ClientAssertion ?? new ClientAssertion()
+                        };
+
+                        events.UpdateClientAssertion(updateClientAssertionContext);
+
+                        options.ClientAssertion = updateClientAssertionContext.ClientAssertion;
+                        options.ClientAssertionExpirationTime =
+                            updateClientAssertionContext.ClientAssertionExpirationTime;
+                    }
+                }
+            }
+
+            return new TokenIntrospectionRequest
+            {
+                Token = token,
+                TokenTypeHint = options.TokenTypeHint,
+                Address = options.IntrospectionEndpoint,
+                ClientId = options.ClientId,
+                ClientSecret = options.ClientSecret,
+                ClientAssertion = options.ClientAssertion ?? new ClientAssertion(),
+                ClientCredentialStyle = options.ClientCredentialStyle,
+                AuthorizationHeaderStyle = options.AuthorizationHeaderStyle,
+            };
         }
 
         private static async Task<AuthenticateResult> CreateTicket(

src/OAuth2IntrospectionOptions.cs

@@ -1,11 +1,12 @@
-// Copyright (c) Dominick Baier & Brock Allen. All rights reserved.
+// Copyright (c) Dominick Baier & Brock Allen. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using IdentityModel.AspNetCore.OAuth2Introspection.Infrastructure;
 using IdentityModel.Client;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using System;
+using System.Net.Http;
 
 namespace IdentityModel.AspNetCore.OAuth2Introspection
 {
@@ -44,10 +45,11 @@ public OAuth2IntrospectionOptions()
         /// </summary>
         public string ClientSecret { get; set; }
 
-        /// <summary>
-        /// Specifies the the client assertion to be used (optional replacement of simple client secret)
-        /// </summary>
-        public ClientAssertion ClientAssertion { get; set; } = new ClientAssertion();
+        internal object AssertionUpdateLockObj = new object();
+
+        internal ClientAssertion ClientAssertion { get; set; }
+
+        internal DateTime ClientAssertionExpirationTime { get; set; }
 
         /// <summary>
         /// Specifies how client id and secret are being sent
@@ -125,7 +127,7 @@ public OAuth2IntrospectionOptions()
             set { base.Events = value; }
         }
 
-        internal AsyncLazy<IntrospectionClient> IntrospectionClient { get; set; }
+        internal AsyncLazy<HttpClient> IntrospectionClient { get; set; }
 
         /// <summary>
         /// Check that the options are valid. Should throw an exception if things are not ok.

src/PostConfigureOAuth2IntrospectionOptions.cs

@@ -31,34 +31,17 @@ public void PostConfigure(string name, OAuth2IntrospectionOptions options)
                 throw new ArgumentException("Caching is enabled, but no IDistributedCache is found in the services collection", nameof(_cache));
             }
 
-            options.IntrospectionClient = new AsyncLazy<IntrospectionClient>(() => InitializeIntrospectionClient(options));
+            options.IntrospectionClient = new AsyncLazy<HttpClient>(() => InitializeIntrospectionClient(options));
         }
 
-        private async Task<IntrospectionClient> InitializeIntrospectionClient(OAuth2IntrospectionOptions options)
+        private async Task<HttpClient> InitializeIntrospectionClient(OAuth2IntrospectionOptions options)
         {
-            string endpoint;
-
-            if (options.IntrospectionEndpoint.IsPresent())
-            {
-                endpoint = options.IntrospectionEndpoint;
-            }
-            else
+            if (!options.IntrospectionEndpoint.IsPresent())
             {
-                endpoint = await GetIntrospectionEndpointFromDiscoveryDocument(options).ConfigureAwait(false);
-                options.IntrospectionEndpoint = endpoint;
+                options.IntrospectionEndpoint = await GetIntrospectionEndpointFromDiscoveryDocument(options).ConfigureAwait(false);
             }
 
-            HttpMessageInvoker clientFunc() => _httpClientFactory.CreateClient(OAuth2IntrospectionDefaults.BackChannelHttpClientName);
-
-            return new IntrospectionClient(clientFunc, new IntrospectionClientOptions
-            {
-                Address = endpoint,
-                ClientId = options.ClientId,
-                ClientSecret = options.ClientSecret,
-                ClientAssertion = options.ClientAssertion ?? new ClientAssertion(),
-                ClientCredentialStyle = options.ClientCredentialStyle,
-                AuthorizationHeaderStyle = options.AuthorizationHeaderStyle
-            });
+            return _httpClientFactory.CreateClient(OAuth2IntrospectionDefaults.BackChannelHttpClientName);
         }
 
         private async Task<string> GetIntrospectionEndpointFromDiscoveryDocument(OAuth2IntrospectionOptions options)

test/Tests/Introspection.cs

@@ -20,13 +20,17 @@ namespace Tests
 {
     public class Introspection
     {
+
+        private static readonly string clientId = "client";
+        private static readonly string clientSecret = "secret";
+
         readonly Action<OAuth2IntrospectionOptions> _options = (o) =>
         {
             o.Authority = "https://authority.com";
             o.DiscoveryPolicy.RequireKeySet = false;
 
-            o.ClientId = "scope";
-            o.ClientSecret = "secret";
+            o.ClientId = clientId;
+            o.ClientSecret = clientSecret;
         };
 
         [Fact]
@@ -46,11 +50,61 @@ public async Task ActiveToken()
         {
             var handler = new IntrospectionEndpointHandler(IntrospectionEndpointHandler.Behavior.Active);
 
-            var client = PipelineFactory.CreateClient((o) => _options(o), handler);
+            var client = PipelineFactory.CreateClient(_options, handler);
+            client.SetBearerToken("sometoken");
+
+            var result = await client.GetAsync("http://test");
+            result.StatusCode.Should().Be(HttpStatusCode.OK);
+
+            var request = handler.LastRequest;
+            request.Should().ContainKey("client_id").WhichValue.Should().Be(clientId);
+            request.Should().ContainKey("client_secret").WhichValue.Should().Be(clientSecret);
+        }
+
+        [Theory]
+        [InlineData(5000, "testAssertion1", "testAssertion1")]
+        [InlineData(-5000, "testAssertion1", "testAssertion2")]
+        public async Task ActiveToken_With_ClientAssertion(int ttl, string assertion1, string assertion2)
+        {
+            var handler = new IntrospectionEndpointHandler(IntrospectionEndpointHandler.Behavior.Active);
+            var count = 0;
+
+            var client = PipelineFactory.CreateClient((o) =>
+            {
+                _options(o);
+                o.ClientSecret = null;
+
+                o.Events.OnUpdateClientAssertion = e =>
+                {
+                    count++;
+                    e.ClientAssertion = new ClientAssertion
+                    {
+                        Type = "testType",
+                        Value = "testAssertion" + count
+                    };
+                    e.ClientAssertionExpirationTime = DateTime.UtcNow.AddMilliseconds(ttl);
+
+                    return Task.CompletedTask;
+                };
+            }, handler);
+
             client.SetBearerToken("sometoken");
 
             var result = await client.GetAsync("http://test");
             result.StatusCode.Should().Be(HttpStatusCode.OK);
+
+            var request = handler.LastRequest;
+            request.Should().ContainKey("client_id").WhichValue.Should().Be(clientId);
+            request.Should().ContainKey("client_assertion_type").WhichValue.Should().Be("testType");
+            request.Should().ContainKey("client_assertion").WhichValue.Should().Be(assertion1);
+
+            result = await client.GetAsync("http://test");
+            result.StatusCode.Should().Be(HttpStatusCode.OK);
+
+            request = handler.LastRequest;
+            request.Should().ContainKey("client_id").WhichValue.Should().Be(clientId);
+            request.Should().ContainKey("client_assertion_type").WhichValue.Should().Be("testType");
+            request.Should().ContainKey("client_assertion").WhichValue.Should().Be(assertion2);
         }
 
         [Fact]