Updated token validator to handle case of mtls client auth and dpop

Author: bhazen

identity-server/src/IdentityServer/Validation/Default/TokenRequestValidator.cs

@@ -40,6 +40,7 @@ internal class TokenRequestValidator : ITokenRequestValidator
     private readonly LicenseUsageTracker _licenseUsage;
     private readonly ClientLoadedTracker _clientLoadedTracker;
     private readonly ResourceLoadedTracker _resourceLoadedTracker;
+    private readonly IMtlsEndpointGenerator _mtlsEndpointGenerator;
     private readonly ILogger _logger;
 
     private ValidatedTokenRequest _validatedRequest;
@@ -64,6 +65,7 @@ public TokenRequestValidator(
         LicenseUsageTracker licenseUsage,
         ClientLoadedTracker clientLoadedTracker,
         ResourceLoadedTracker resourceLoadedTracker,
+        IMtlsEndpointGenerator mtlsEndpointGenerator,
         ILogger<TokenRequestValidator> logger)
     {
         _logger = logger;
@@ -86,6 +88,7 @@ public TokenRequestValidator(
         _events = events;
         _clientLoadedTracker = clientLoadedTracker;
         _resourceLoadedTracker = resourceLoadedTracker;
+        _mtlsEndpointGenerator = mtlsEndpointGenerator;
     }
 
     // only here for legacy unit tests
@@ -248,7 +251,7 @@ private async Task<TokenRequestValidationResult> ValidateProofToken(TokenRequest
                 return Invalid(OidcConstants.TokenErrors.InvalidDPoPProof);
             }
 
-            var tokenUrl = _serverUrls.BaseUrl.EnsureTrailingSlash() + ProtocolRoutePaths.Token;
+            var tokenUrl = context.ClientCertificate == null ? _serverUrls.BaseUrl.EnsureTrailingSlash() + ProtocolRoutePaths.Token : _mtlsEndpointGenerator.GetMtlsEndpointPath(ProtocolRoutePaths.Token);
             var dpopContext = new DPoPProofValidatonContext
             {
                 ExpirationValidationMode = _validatedRequest.Client.DPoPValidationMode,

identity-server/test/IdentityServer.IntegrationTests/Endpoints/Token/DPoPTokenEndpointTests.cs

@@ -2,6 +2,7 @@
 // See LICENSE in the project root for license information.
 
 
+using System.Net;
 using Duende.IdentityModel;
 using Duende.IdentityModel.Client;
 using Duende.IdentityServer;
@@ -392,6 +393,50 @@ public async Task server_issued_nonce_should_be_emitted(ParMode parMode)
         codeResponse.DPoPNonce.ShouldBe(expectedNonce);
     }
 
+    [Fact]
+    [Trait("Category", Category)]
+    public async Task token_request_when_using_mtls_for_client_authentication_should_succeed()
+    {
+        var clientId = "mtls_client";
+        var clientCert = TestCert.Load();
+        var client = new Client
+        {
+            ClientId = clientId,
+            ClientSecrets =
+            {
+                new Secret
+                {
+                    Type = IdentityServerConstants.SecretTypes.X509CertificateThumbprint,
+                    Value = clientCert.Thumbprint
+                }
+            },
+            AllowedGrantTypes = GrantTypes.ClientCredentials,
+            AllowedScopes = { "scope1" },
+            RequireDPoP = true
+        };
+
+        Pipeline.Clients.Add(client);
+        Pipeline.Initialize();
+        Pipeline.SetClientCertificate(clientCert);
+
+        var tokenClient = Pipeline.GetMtlsClient();
+        tokenClient.DefaultRequestHeaders.Add("DPoP", CreateDPoPProofToken(htu: IdentityServerPipeline.TokenMtlsEndpoint));
+        var formParams = new Dictionary<string, string>
+        {
+            { "grant_type", "client_credentials" },
+            { "client_id", clientId },
+            { "scope", "scope1" }
+        };
+
+        var form = new FormUrlEncodedContent(formParams);
+        var response = await tokenClient.PostAsync(IdentityServerPipeline.TokenMtlsEndpoint, form);
+
+        response.StatusCode.ShouldBe(HttpStatusCode.OK);
+        var json = await response.Content.ReadAsStringAsync();
+        json.ShouldContain("access_token");
+        json.ShouldContain("\"token_type\":\"DPoP\"");
+    }
+
     internal class MockDPoPProofValidator : DefaultDPoPProofValidator
     {
         public MockDPoPProofValidator(IdentityServerOptions options, IReplayCache replayCache, IClock clock, Microsoft.AspNetCore.DataProtection.IDataProtectionProvider dataProtectionProvider, ILogger<DefaultDPoPProofValidator> logger) : base(options, replayCache, clock, dataProtectionProvider, logger)
@@ -479,22 +524,18 @@ public async Task mtls_and_dpop_request_should_succeed()
         // Set the client certificate in the pipeline
         Pipeline.SetClientCertificate(clientCert);
 
-        // Act - Make a client credentials request using mTLS and DPoP
         var tokenClient = Pipeline.GetMtlsClient();
-
         var formParams = new Dictionary<string, string>
         {
             { "grant_type", "client_credentials" },
             { "client_id", clientId },
             { "scope", "scope1" }
         };
-
         var form = new FormUrlEncodedContent(formParams);
-        tokenClient.DefaultRequestHeaders.Add("DPoP", CreateDPoPProofToken());
+        tokenClient.DefaultRequestHeaders.Add("DPoP", CreateDPoPProofToken(htu: IdentityServerPipeline.TokenMtlsEndpoint));
 
         var response = await tokenClient.PostAsync(IdentityServerPipeline.TokenMtlsEndpoint, form);
 
-        // Assert
         response.StatusCode.ShouldBe(System.Net.HttpStatusCode.OK);
 
         var json = await response.Content.ReadAsStringAsync();

identity-server/test/IdentityServer.UnitTests/Validation/Setup/Factory.cs

@@ -16,6 +16,7 @@
 using Duende.IdentityServer.Validation;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
 using UnitTests.Common;
 
 namespace UnitTests.Validation.Setup;
@@ -140,6 +141,7 @@ public static TokenRequestValidator CreateTokenRequestValidator(
             new LicenseUsageTracker(new LicenseAccessor(new IdentityServerOptions(), NullLogger<LicenseAccessor>.Instance), new NullLoggerFactory()),
             new ClientLoadedTracker(),
             new ResourceLoadedTracker(),
+            new DefaultMtlsEndpointGenerator(serverUrls, Options.Create(options)),
             TestLogger.Create<TokenRequestValidator>());
     }