Merge pull request #25 from DuendeSoftware/brock/tests

add simple integration test to exercise some of the dpop client code

src/Duende.AccessTokenManagement.OpenIdConnect/OpenIdConnectClientAccessTokenHandler.cs

@@ -3,6 +3,7 @@
 
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -22,13 +23,15 @@ public class OpenIdConnectClientAccessTokenHandler : AccessTokenHandler
     /// <param name="dPoPProofService"></param>
     /// <param name="dPoPNonceStore"></param>
     /// <param name="httpContextAccessor"></param>
+    /// <param name="logger"></param>
     /// <param name="parameters"></param>
     public OpenIdConnectClientAccessTokenHandler(
         IDPoPProofService dPoPProofService,
         IDPoPNonceStore dPoPNonceStore,
         IHttpContextAccessor httpContextAccessor, 
+        ILogger<OpenIdConnectClientAccessTokenHandler> logger,
         UserTokenRequestParameters? parameters = null)
-        : base(dPoPProofService, dPoPNonceStore)
+        : base(dPoPProofService, dPoPNonceStore, logger)
     {
         _httpContextAccessor = httpContextAccessor;
         _parameters = parameters ?? new UserTokenRequestParameters();

src/Duende.AccessTokenManagement.OpenIdConnect/OpenIdConnectTokenManagementServiceCollectionExtensions.cs

@@ -8,6 +8,7 @@
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
 namespace Microsoft.Extensions.DependencyInjection;
@@ -143,8 +144,9 @@ public static IHttpClientBuilder AddUserAccessTokenHandler(
             var dpopService = provider.GetRequiredService<IDPoPProofService>();
             var dpopNonceStore = provider.GetRequiredService<IDPoPNonceStore>();
             var contextAccessor = provider.GetRequiredService<IHttpContextAccessor>();
-
-            return new OpenIdConnectUserAccessTokenHandler(dpopService, dpopNonceStore, contextAccessor, parameters);
+            var logger = provider.GetRequiredService<ILogger<OpenIdConnectClientAccessTokenHandler>>();
+            
+            return new OpenIdConnectUserAccessTokenHandler(dpopService, dpopNonceStore, contextAccessor, logger, parameters);
         });
     }
 
@@ -163,8 +165,9 @@ public static IHttpClientBuilder AddClientAccessTokenHandler(
             var dpopService = provider.GetRequiredService<IDPoPProofService>();
             var dpopNonceStore = provider.GetRequiredService<IDPoPNonceStore>();
             var contextAccessor = provider.GetRequiredService<IHttpContextAccessor>();
+            var logger = provider.GetRequiredService<ILogger<OpenIdConnectClientAccessTokenHandler>>();
 
-            return new OpenIdConnectClientAccessTokenHandler(dpopService, dpopNonceStore, contextAccessor, parameters);
+            return new OpenIdConnectClientAccessTokenHandler(dpopService, dpopNonceStore, contextAccessor, logger, parameters);
         });
     }
 }

src/Duende.AccessTokenManagement.OpenIdConnect/OpenIdConnectUserAccessTokenHandler.cs

@@ -3,6 +3,7 @@
 
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -22,13 +23,15 @@ public class OpenIdConnectUserAccessTokenHandler : AccessTokenHandler
     /// <param name="dPoPProofService"></param>
     /// <param name="dPoPNonceStore"></param>
     /// <param name="httpContextAccessor"></param>
+    /// <param name="logger"></param>
     /// <param name="parameters"></param>
     public OpenIdConnectUserAccessTokenHandler(
         IDPoPProofService dPoPProofService,
         IDPoPNonceStore dPoPNonceStore,
         IHttpContextAccessor httpContextAccessor,
+        ILogger<OpenIdConnectClientAccessTokenHandler> logger,
         UserTokenRequestParameters? parameters = null)
-        : base(dPoPProofService, dPoPNonceStore)
+        : base(dPoPProofService, dPoPNonceStore, logger)
     {
         _httpContextAccessor = httpContextAccessor;
         _parameters = parameters ?? new UserTokenRequestParameters();

src/Duende.AccessTokenManagement/AccessTokenHandler.cs

@@ -2,6 +2,7 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 using IdentityModel.Client;
+using Microsoft.Extensions.Logging;
 using System.Net.Http;
 using System.Threading;
 using System.Threading.Tasks;
@@ -16,18 +17,22 @@ public abstract class AccessTokenHandler : DelegatingHandler
 {
     private readonly IDPoPProofService _dPoPProofService;
     private readonly IDPoPNonceStore _dPoPNonceStore;
+    private readonly ILogger _logger;
 
     /// <summary>
     /// ctor
     /// </summary>
     /// <param name="dPoPProofService"></param>
     /// <param name="dPoPNonceStore"></param>
+    /// <param name="logger"></param>
     public AccessTokenHandler(
         IDPoPProofService dPoPProofService,
-        IDPoPNonceStore dPoPNonceStore)
+        IDPoPNonceStore dPoPNonceStore,
+        ILogger logger)
     {
         _dPoPProofService = dPoPProofService;
         _dPoPNonceStore = dPoPNonceStore;
+        _logger = logger;
     }
 
     /// <summary>
@@ -52,7 +57,11 @@ protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage
             response.Dispose();
 
             // if it's a DPoP nonce error, we don't need to obtain a new access token
-            var force = response.IsDPoPNonceError();
+            var force = !response.IsDPoPNonceError();
+            if (!force && !string.IsNullOrEmpty(dPoPNonce))
+            {
+                _logger.LogDebug("DPoP nonce error invoking endpoint: {url}, retrying using new nonce", request.RequestUri?.AbsoluteUri.ToString());
+            }
 
             await SetTokenAsync(request, forceRenewal: force, cancellationToken, dPoPNonce).ConfigureAwait(false);
             return await base.SendAsync(request, cancellationToken).ConfigureAwait(false);
@@ -79,6 +88,8 @@ protected virtual async Task SetTokenAsync(HttpRequestMessage request, bool forc
 
         if (!string.IsNullOrWhiteSpace(token?.AccessToken))
         {
+            _logger.LogDebug("Sending access token in request to endpoint: {url}", request.RequestUri?.AbsoluteUri.ToString());
+
             var scheme = token.AccessTokenType ?? AuthenticationSchemes.AuthorizationHeaderBearer;
 
             if (!string.IsNullOrWhiteSpace(token.DPoPJsonWebKey))
@@ -119,9 +130,15 @@ protected virtual async Task<bool> SetDPoPProofTokenAsync(HttpRequestMessage req
 
             if (proofToken != null)
             {
+                _logger.LogDebug("Sending DPoP proof token in request to endpoint: {url}", request.RequestUri?.AbsoluteUri.ToString());
+
                 request.SetDPoPProofToken(proofToken.ProofToken);
                 return true;
             }
+            else
+            {
+                _logger.LogDebug("No DPoP proof token in request to endpoint: {url}", request.RequestUri?.AbsoluteUri.ToString());
+            }
         }
 
         return false;

src/Duende.AccessTokenManagement/ClientCredentialsTokenEndpointService.cs

@@ -117,6 +117,8 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
         var key = await _dPoPKeyMaterialService.GetKeyAsync(clientName);
         if (key != null)
         {
+            _logger.LogDebug("Creating DPoP proof token for token request.");
+
             var proof = await _dPoPProofService.CreateProofTokenAsync(new DPoPProofRequest
             {
                 Url = request.Address!,
@@ -145,6 +147,8 @@ public virtual async Task<ClientCredentialsToken> RequestToken(
 
         if (response.IsError && response.Error == OidcConstants.TokenErrors.UseDPoPNonce && key != null && response.DPoPNonce != null)
         {
+            _logger.LogDebug("Token request failed with DPoP nonce error. Retrying with new nonce.");
+
             var proof = await _dPoPProofService.CreateProofTokenAsync(new DPoPProofRequest
             {
                 Url = request.Address!,

src/Duende.AccessTokenManagement/ClientCredentialsTokenHandler.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
+using Microsoft.Extensions.Logging;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -20,13 +21,15 @@ public class ClientCredentialsTokenHandler : AccessTokenHandler
     /// <param name="dPoPProofService"></param>
     /// <param name="dPoPNonceStore"></param>
     /// <param name="accessTokenManagementService">The Access Token Management Service</param>
+    /// <param name="logger"></param>
     /// <param name="tokenClientName">The name of the token client configuration</param>
     public ClientCredentialsTokenHandler(
         IDPoPProofService dPoPProofService,
         IDPoPNonceStore dPoPNonceStore,
         IClientCredentialsTokenManagementService accessTokenManagementService,
+        ILogger<ClientCredentialsTokenHandler> logger,
         string tokenClientName) 
-        : base(dPoPProofService, dPoPNonceStore)
+        : base(dPoPProofService, dPoPNonceStore, logger)
     {
         _accessTokenManagementService = accessTokenManagementService;
         _tokenClientName = tokenClientName;

src/Duende.AccessTokenManagement/ClientCredentialsTokenManagementServiceCollectionExtensions.cs

@@ -5,6 +5,7 @@
 using System.Net.Http;
 using Duende.AccessTokenManagement;
 using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Logging;
 
 namespace Microsoft.Extensions.DependencyInjection;
 
@@ -138,8 +139,9 @@ public static IHttpClientBuilder AddClientCredentialsTokenHandler(
             var dpopService = provider.GetRequiredService<IDPoPProofService>();
             var dpopNonceStore = provider.GetRequiredService<IDPoPNonceStore>();
             var accessTokenManagementService = provider.GetRequiredService<IClientCredentialsTokenManagementService>();
+            var logger = provider.GetRequiredService<ILogger<ClientCredentialsTokenHandler>>();
 
-            return new ClientCredentialsTokenHandler(dpopService, dpopNonceStore, accessTokenManagementService, tokenClientName);
+            return new ClientCredentialsTokenHandler(dpopService, dpopNonceStore, accessTokenManagementService, logger, tokenClientName);
         });
     }
 }

src/Duende.AccessTokenManagement/DPoPExtensions.cs

@@ -59,7 +59,7 @@ public static bool IsDPoPNonceError(this HttpResponseMessage response)
                     var parts = x.Split('=', StringSplitOptions.RemoveEmptyEntries);
                     if (parts.Length == 2 && parts[0] == OidcConstants.TokenResponse.Error)
                     {
-                        return parts[1];
+                        return parts[1].Trim('"');
                     }
                     return null;
                 }).Where(x => x != null).FirstOrDefault();