Updated PAR validation to handle case where client authenticated with a cert and sent dpop proof token

Author: bhazen

identity-server/src/IdentityServer/Endpoints/PushedAuthorizationEndpoint.cs

@@ -86,6 +86,8 @@ ILogger<PushedAuthorizationEndpoint> logger
             }
 
             validationContext.DPoPProofToken = dpopHeader.First();
+            //Note: if the client authenticated with mTLS, we need to know to properly validate the htu of the DPoP proof token
+            validationContext.ClientCertificate = await context.Connection.GetClientCertificateAsync();
         }
 
         // Perform validations specific to PAR, as well as validation of the pushed parameters

identity-server/src/IdentityServer/Validation/Contexts/PushedAuthorizationRequestValidationContext.cs

@@ -3,6 +3,7 @@
 
 
 using System.Collections.Specialized;
+using System.Security.Cryptography.X509Certificates;
 using Duende.IdentityServer.Models;
 
 namespace Duende.IdentityServer.Validation;
@@ -33,6 +34,11 @@ public PushedAuthorizationRequestValidationContext(NameValueCollection requestPa
     /// </summary>
     public Client Client { get; set; }
 
+    /// <summary>
+    /// The client certificate used on the mTLS connection.
+    /// </summary>
+    public X509Certificate2 ClientCertificate { get; set; }
+
     /// <summary>
     /// The DPoP proof token sent to the endpoint, if any
     /// </summary>

identity-server/src/IdentityServer/Validation/Default/PushedAuthorizationRequestValidator.cs

@@ -18,11 +18,11 @@ namespace Duende.IdentityServer.Validation;
 /// Default validator for pushed authorization requests. This validator performs
 /// checks that are specific to pushed authorization and also invokes the <see
 /// cref="IAuthorizeRequestValidator"/> to validate the pushed parameters as if
-/// they had been sent to the authorize endpoint directly. 
+/// they had been sent to the authorize endpoint directly.
 /// </summary>
 /// <remarks>
 /// Initializes a new instance of the <see
-/// cref="PushedAuthorizationRequestValidator"/> class. 
+/// cref="PushedAuthorizationRequestValidator"/> class.
 /// </remarks>
 /// <param name="authorizeRequestValidator">The authorize request validator,
 /// used to validate the pushed authorization parameters as if they were
@@ -33,13 +33,15 @@ namespace Duende.IdentityServer.Validation;
 /// <param name="serverUrls">The server urls service</param>
 /// <param name="licenseUsage">The feature manager</param>
 /// <param name="options">The IdentityServer Options</param>
+/// <param name="mtlsEndpointGenerator">The mTLS endpoint generator</param>
 /// <param name="logger">The logger</param>
 internal class PushedAuthorizationRequestValidator(
     IAuthorizeRequestValidator authorizeRequestValidator,
     IDPoPProofValidator dpopProofValidator,
     IServerUrls serverUrls,
     LicenseUsageTracker licenseUsage,
     IdentityServerOptions options,
+    IMtlsEndpointGenerator mtlsEndpointGenerator,
     ILogger<PushedAuthorizationRequestValidator> logger) : IPushedAuthorizationRequestValidator
 {
     public async Task<PushedAuthorizationValidationResult> ValidateAsync(PushedAuthorizationRequestValidationContext context)
@@ -57,17 +59,17 @@ public async Task<PushedAuthorizationValidationResult> ValidateAsync(PushedAutho
 
         // -- DPoP Header Validation --
         // The client can send the public key of its DPoP proof key to us. We
-        // then bind its authorization code to the proof key and check for a 
+        // then bind its authorization code to the proof key and check for a
         // proof token signed with the key at the token endpoint.
-        //  
-        // There are two ways for the client to send its DPoP proof key public 
+        //
+        // There are two ways for the client to send its DPoP proof key public
         // key material to us:
         // 1. pass the dpop_jkt parameter with a JWK thumbprint (RFC 7638)
-        // 2. send a DPoP proof (which contains the public key as a JWK) in the 
+        // 2. send a DPoP proof (which contains the public key as a JWK) in the
         //    DPoP http header
         //
-        // If a proof is passed, then we validate it, compute the thumbprint of 
-        // the key within, and treat that as if it were passed as the dpop_jkt 
+        // If a proof is passed, then we validate it, compute the thumbprint of
+        // the key within, and treat that as if it were passed as the dpop_jkt
         // parameter.
         //
         // If a proof and a dpop_jkt are both passed, its an error if they don't
@@ -84,7 +86,7 @@ public async Task<PushedAuthorizationValidationResult> ValidateAsync(PushedAutho
             }
 
             // validate proof token
-            var parUrl = serverUrls.BaseUrl.EnsureTrailingSlash() + ProtocolRoutePaths.PushedAuthorization;
+            var parUrl = context.ClientCertificate == null ? serverUrls.BaseUrl.EnsureTrailingSlash() + ProtocolRoutePaths.PushedAuthorization : mtlsEndpointGenerator.GetMtlsEndpointPath(ProtocolRoutePaths.PushedAuthorization);
             var dpopContext = new DPoPProofValidatonContext
             {
                 ProofToken = context.DPoPProofToken,

identity-server/test/IdentityServer.IntegrationTests/Common/IdentityServerPipeline.cs

@@ -49,6 +49,7 @@ public class IdentityServerPipeline
     public const string EndSessionCallbackEndpoint = BaseUrl + "/connect/endsession/callback";
     public const string CheckSessionEndpoint = BaseUrl + "/connect/checksession";
     public const string ParEndpoint = BaseUrl + "/connect/par";
+    public const string ParMtlsEndpoint = BaseUrl + "/connect/mtls/par";
 
 
     public const string FederatedSignOutPath = "/signout-oidc";

identity-server/test/IdentityServer.IntegrationTests/Endpoints/Token/DPoPPushedAuthorizationEndpointTests.cs

@@ -4,8 +4,11 @@
 
 using Duende.IdentityModel;
 using Duende.IdentityModel.Client;
+using Duende.IdentityServer;
+using Duende.IdentityServer.Models;
 using IntegrationTests.Common;
 using IntegrationTests.Endpoints.Token;
+using PushedAuthorizationRequest = Duende.IdentityModel.Client.PushedAuthorizationRequest;
 
 namespace IntegrationTests.Endpoints.PushedAuthorization;
 
@@ -107,4 +110,44 @@ public async Task mismatch_between_header_and_thumbprint_should_fail()
         response.IsError.ShouldBeTrue();
         response.Error.ShouldBe(OidcConstants.AuthorizeErrors.InvalidRequest);
     }
+
+    [Fact]
+    public async Task push_authorization_with_mtls_client_auth_and_dpop_should_succeed()
+    {
+        var clientId = "mtls_dpop_client";
+        var clientCert = TestCert.Load();
+
+        // Add a client that requires mTLS and supports DPoP
+        var client = new Client
+        {
+            ClientId = clientId,
+            ClientSecrets =
+            {
+                new Secret
+                {
+                    Type = IdentityServerConstants.SecretTypes.X509CertificateThumbprint,
+                    Value = clientCert.Thumbprint
+                }
+            },
+            AllowedGrantTypes = GrantTypes.Code,
+            RedirectUris = { "https://client1/callback" },
+            AllowedScopes = { "scope1" },
+            RequireDPoP = true
+        };
+
+        Pipeline.Clients.Add(client);
+        Pipeline.Initialize();
+
+        // Set the client certificate in the pipeline
+        Pipeline.SetClientCertificate(clientCert);
+
+        var tokenClient = Pipeline.GetMtlsClient();
+        var proofToken = CreateDPoPProofToken(htu: IdentityServerPipeline.ParMtlsEndpoint);
+        tokenClient.DefaultRequestHeaders.Add("DPoP", proofToken);
+        var request = CreatePushedAuthorizationRequest(proofToken);
+
+        var response = await tokenClient.PushAuthorizationAsync(request);
+
+        response.IsError.ShouldBeFalse();
+    }
 }