Merge pull request #609 from JoeShook/develop

Develop Maintenance

.config/dotnet-tools.json

@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "dotnet-ef": {
-      "version": "8.0.7",
+      "version": "8.0.8",
       "commands": [
         "dotnet-ef"
       ]

Directory.Packages.props

@@ -4,39 +4,39 @@
   </PropertyGroup>
   <ItemGroup>
     <!-- https://learn.microsoft.com/en-us/nuget/concepts/package-versioning#version-ranges -->
-    <PackageVersion Include="Duende.IdentityServer.Storage" Version="7.0.5" />
+    <PackageVersion Include="Duende.IdentityServer.Storage" Version="7.0.6" />
     <PackageVersion Include="Google.Apis.Auth" Version="1.68.0" />
     <PackageVersion Include="LazyCache" Version="2.4.0" />
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.6" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="[6.0.32,8.0.8]" />
     <PackageVersion Include="AspNetCoreRateLimit" Version="5.0.0" />
-    <PackageVersion Include="Hl7.Fhir.Specification.R4B" Version="5.8.2" />
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.7" />
-    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="8.0.7" />
-    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.7" />
+    <PackageVersion Include="Hl7.Fhir.Specification.R4B" Version="5.9.1" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.8" />
+    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="8.0.8" />
+    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.8" />
+    <PackageVersion Include="Microsoft.Extensions.Configuration.Binder" Version="8.0.2" />
     <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.1" />
-    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.6.3" />
     <PackageVersion Include="MSTest.TestAdapter" Version="3.1.1" />
     <PackageVersion Include="MSTest.TestFramework" Version="3.1.1" />
     <PackageVersion Include="IdentityModel" Version="7.0.0" />
     <!-- <PackageVersion Include="System.Text.Json" Version="[6.0.7,8.0.3]" /> -->
     <PackageVersion Include="AutoMapper" Version="13.0.1" />
-    <PackageVersion Include="Duende.IdentityServer" Version="7.0.5" />
-    <PackageVersion Include="Duende.IdentityServer.AspNetIdentity" Version="7.0.5" />
-    <PackageVersion Include="Duende.IdentityServer.EntityFramework.Storage" Version="7.0.5" />
+    <PackageVersion Include="Duende.IdentityServer" Version="7.0.6" />
+    <PackageVersion Include="Duende.IdentityServer.AspNetIdentity" Version="7.0.6" />
+    <PackageVersion Include="Duende.IdentityServer.EntityFramework.Storage" Version="7.0.6" />
     <PackageVersion Include="IdentityModel.AspNetCore.OAuth2Introspection" Version="6.2.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc" Version="2.2.0" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="8.0.7" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="8.0.8" />
     <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="[7.0.13,8.0.1]" />
     <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="[7.0.13,8.0.0]" />
-    <PackageVersion Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.20.1" />
+    <PackageVersion Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.21.0" />
     <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite" Version="[7.0.14,8.0.1]" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="[6.0.0,7.0.0]" />
     <PackageVersion Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="[6.0.0,7.0.1]" />
     <PackageVersion Include="Microsoft.Extensions.Options" Version="8.0.2" />
     <PackageVersion Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.0.0" />
+    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.0.1" />
     <PackageVersion Include="OpenTelemetry" Version="1.9.0" />
     <PackageVersion Include="OpenTelemetry.Exporter.Console" Version="1.9.0" />
     <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.9.0" />
@@ -47,7 +47,7 @@
     <PackageVersion Include="Serilog.AspNetCore" Version="[6.1.0,7.0.0]" />
     <PackageVersion Include="Serilog.Extensions.Logging" Version="[3.1.0,7.0.0]" />
     <PackageVersion Include="Portable.BouncyCastle" Version="1.9.0" />
-    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.0.0" />
+    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.0.1" />
     <PackageVersion Include="Udap.Metadata.Server" Version="0.3.24" />
     <PackageVersion Include="Yarp.ReverseProxy" Version="2.1.0" />
   </ItemGroup>

Udap.Client/Client/DiscoveryPolicy.cs

@@ -17,7 +17,6 @@ public static DiscoveryPolicy DefaultMetadataServerPolicy()
     {
         return new DiscoveryPolicy
         {
-            ValidateIssuerName = false, // No issuer name in UDAP Metadata of FHIR Server.
             ValidateEndpoints = false // Authority endpoints are not hosted on same domain as resource server.
         };
     }
@@ -55,11 +54,6 @@ public static DiscoveryPolicy DefaultMetadataServerPolicy()
     /// </summary>
     public ICollection<string> LoopbackAddresses = new HashSet<string> { "localhost", "127.0.0.1" };
 
-    /// <summary>
-    /// Specifies if the issuer name is checked to be identical to the authority. Defaults to true.
-    /// </summary>
-    public bool ValidateIssuerName { get; set; } = true;
-
     /// <summary>
     /// Specifies if all endpoints are checked to belong to the authority. Defaults to true.
     /// </summary>

Udap.Client/Client/IUdapClient.cs

@@ -21,6 +21,16 @@ namespace Udap.Client.Client;
 
 public interface IUdapClient : IUdapClientEvents
 {
+    /// <summary>
+    /// Query the UDAP well-known endpoint and validate the metadata.
+    /// The metadata will contain a signed JWT.  The signed JWT will be validated.  The <see cref="DiscoveryPolicy"/> can
+    /// be supplied to override the default policy but, it would not be typical.
+    /// </summary>
+    /// <param name="baseUrl"></param>
+    /// <param name="community"></param>
+    /// <param name="discoveryPolicy"></param>
+    /// <param name="token"></param>
+    /// <returns></returns>
     Task<UdapDiscoveryDocumentResponse> ValidateResource(
         string baseUrl,
         string? community = null,

Udap.Client/Client/Messages/UdapDiscoveryDocumentResponse.cs

@@ -55,7 +55,6 @@ protected override Task InitializeAsync(object? initializationData = null)
     public JsonWebKeySet? KeySet { get; set; }
 
     // strongly typed
-    public string? Issuer => TryGetString(UdapConstants.Discovery.Issuer);
     public IEnumerable<string> UdapVersionsSupported => TryGetStringArray(UdapConstants.Discovery.UdapVersionsSupported);
     public IEnumerable<string> UdapProfilesSupported => TryGetStringArray(UdapConstants.Discovery.UdapProfilesSupported);
     public IEnumerable<string> UdapAuthorizationExtensionsSupported => TryGetStringArray(UdapConstants.Discovery.UdapAuthorizationExtensionsSupported);
@@ -78,25 +77,11 @@ protected override Task InitializeAsync(object? initializationData = null)
     public string? RegistrationEndpoint => TryGetString(UdapConstants.Discovery.RegistrationEndpoint);
 
     // generic
-    public JsonElement? TryGetValue(string name) => Json?.TryGetValue(name);
-    public string? TryGetString(string name) => Json?.TryGetString(name);
-    public bool? TryGetBoolean(string name) => Json?.TryGetBoolean(name);
-    public IEnumerable<string>? TryGetStringArray(string name) => Json?.TryGetStringArray(name);
+    private string? TryGetString(string name) => Json?.TryGetString(name);
+    private IEnumerable<string>? TryGetStringArray(string name) => Json?.TryGetStringArray(name);
 
     private string Validate(DiscoveryPolicy policy)
     {
-        if (policy.ValidateIssuerName)
-        {
-            IAuthorityValidationStrategy strategy = policy.AuthorityValidationStrategy;
-
-            AuthorityValidationResult issuerValidationResult = strategy.IsIssuerNameValid(Issuer, policy.Authority);
-
-            if (!issuerValidationResult.Success)
-            {
-                return issuerValidationResult.ErrorMessage;
-            }
-        }
-
         if (Json.HasValue)
         {
             var error = ValidateEndpoints(Json.Value, policy);

Udap.Client/Client/UdapClient.cs

@@ -233,7 +233,7 @@ public async Task<TokenResponse> ExchangeCodeForTokenResponse(
         }
 
         /// <summary>
-        /// Sends a token request using the authorization_code grant type.  Typically used when called from
+        /// Sends a token request using the authorization_code grant type.  Typically used when called
         /// from a OAuthHandler implementation.  TieredOAuthAuthenticationHandler is an implementation that
         /// calls this method.
         /// </summary>
@@ -324,7 +324,12 @@ private async Task<UdapDiscoveryDocumentResponse> InternalValidateResource(
                         baseUrl = baseUrl.Substring(0, i).RemoveTrailingSlash();
                     }
 
-                    if (!await _clientDiscoveryValidator.ValidateJwtToken(UdapServerMetaData!, baseUrl))
+                    if (UdapServerMetaData == null)
+                    {
+                        throw new NullReferenceException("Missing UDAP Metadata");
+                    }
+
+                    if (!await _clientDiscoveryValidator.ValidateJwtToken(UdapServerMetaData, baseUrl))
                     {
                         throw new SecurityTokenInvalidTypeException("Failed JWT Token Validation");
                     }
@@ -455,12 +460,7 @@ private async Task<UdapDynamicClientRegistrationDocument> RegisterAuthCodeFlow(
                     builder.WithIssuer(new Uri(issuer));
                 }
 
-                var document = builder.Build();
-
-                var signedSoftwareStatement =
-                    SignedSoftwareStatementBuilder<UdapDynamicClientRegistrationDocument>
-                        .Create(clientCert, document)
-                        .Build();
+                var signedSoftwareStatement = builder.BuildSoftwareStatement();
 
                 var requestBody = new UdapRegisterRequest
                 (

Udap.Client/Client/UdapClientDiscoveryValidator.cs

@@ -7,10 +7,10 @@
 // */
 #endregion
 
-using System.Security.Cryptography.X509Certificates;
 using Microsoft.Extensions.Logging;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;
+using System.Security.Cryptography.X509Certificates;
 using Udap.Common.Certificates;
 using Udap.Common.Extensions;
 using Udap.Common.Models;
@@ -19,6 +19,9 @@
 
 namespace Udap.Client.Client;
 
+/// <summary>
+/// Validator orchestrates JWT validation followed by x509 chain validation
+/// </summary>
 public class UdapClientDiscoveryValidator : IUdapClientEvents
 {
     private readonly TrustChainValidator _trustChainValidator;
@@ -177,7 +180,10 @@ public async Task<bool> ValidateTrustChain(string? community, ITrustAnchorStore?
             throw new UnauthorizedAccessException("Failed Trust Chain Validation: Missing public certificate");
         }
 
-        var store = clientSuppliedTrustAnchorStore ?? (_trustAnchorStore == null ? null : await _trustAnchorStore.Resolve());
+        var store = clientSuppliedTrustAnchorStore != null ? 
+            await clientSuppliedTrustAnchorStore.Resolve()
+            : (_trustAnchorStore == null ? null : await _trustAnchorStore.Resolve());
+
         var anchors = X509Certificate2Collection(community, store).ToList();
 
         if (!anchors.Any())

Udap.Client/Configuration/UdapClientOptions.cs

@@ -8,8 +8,34 @@
 #endregion
 
 using System.Text.Json.Serialization;
+using Udap.Client.Client;
 
 namespace Udap.Client.Configuration;
+
+/// <summary>
+/// Properties that can be configured by a client application using the <see cref="UdapClient"/>.
+/// Typically placed in appsettings under the name UdapClientOptions and registered with dependency injection.
+/// </summary>
+/// <remarks>
+///
+/// <pre>
+///
+/// services.Configure&lt;UdapClientOptions&gt;(configuration.GetSection("UdapClientOptions")); <br/><br/>
+///
+/// 
+/// "UdapClientOptions": { 
+///    "ClientName": "Udap.Auth.SecuredControls",
+///    "Contacts": [ "mailto:Joseph.Shook@Surescripts.com", "mailto:JoeShook@gmail.com" ],
+///    "Headers": {
+///        "USER_KEY": "hobojoe",
+///        "ORG_KEY": "travelOrg"
+///    },
+///    "TieredOAuthClientLogo": "https://securedcontrols.net/_content/Udap.UI/udapAuthLogo.jpg"
+/// }
+///  
+/// </pre>
+/// </remarks>
+
 public class UdapClientOptions
 {
     [JsonPropertyName("ClientName")]

Udap.Client/Udap.Client.csproj

@@ -42,6 +42,10 @@
     <None Include="../artwork/UDAP_Ecosystem_Gears 48X48.jpg" Pack="true" PackagePath="\" />
   </ItemGroup>
 
+  <ItemGroup>
+    <Folder Include="Internal\" />
+  </ItemGroup>
+
   <!-- <ItemGroup Condition="'$(TargetFramework)' == 'net8.0'"> -->
   <!--   <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" /> -->
   <!-- </ItemGroup> -->