Post CMS Connect-a-thon 5

.config/dotnet-tools.json

@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "dotnet-ef": {
-      "version": "8.0.5",
+      "version": "8.0.7",
       "commands": [
         "dotnet-ef"
       ]

Directory.Packages.props

@@ -4,30 +4,29 @@
   </PropertyGroup>
   <ItemGroup>
     <!-- https://learn.microsoft.com/en-us/nuget/concepts/package-versioning#version-ranges -->
-    <PackageVersion Include="Duende.IdentityServer.Storage" Version="6.3.7" />
+    <PackageVersion Include="Duende.IdentityServer.Storage" Version="7.0.5" />
     <PackageVersion Include="Google.Apis.Auth" Version="1.68.0" />
     <PackageVersion Include="LazyCache" Version="2.4.0" />
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.3" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.6" />
     <PackageVersion Include="AspNetCoreRateLimit" Version="5.0.0" />
-    <PackageVersion Include="Hl7.Fhir.Specification.R4B" Version="5.8.1" />
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.5" />
-    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="8.0.5" />
-    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.5" />
+    <PackageVersion Include="Hl7.Fhir.Specification.R4B" Version="5.8.2" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.7" />
+    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="8.0.7" />
+    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.7" />
     <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.1" />
-    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.5.2" />
-    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="7.5.2" />
+    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.6.3" />
     <PackageVersion Include="MSTest.TestAdapter" Version="3.1.1" />
     <PackageVersion Include="MSTest.TestFramework" Version="3.1.1" />
     <PackageVersion Include="IdentityModel" Version="7.0.0" />
     <!-- <PackageVersion Include="System.Text.Json" Version="[6.0.7,8.0.3]" /> -->
     <PackageVersion Include="AutoMapper" Version="13.0.1" />
-    <PackageVersion Include="Duende.IdentityServer" Version="7.0.4" />
-    <PackageVersion Include="Duende.IdentityServer.AspNetIdentity" Version="7.0.4" />
-    <PackageVersion Include="Duende.IdentityServer.EntityFramework.Storage" Version="7.0.4" />
+    <PackageVersion Include="Duende.IdentityServer" Version="7.0.5" />
+    <PackageVersion Include="Duende.IdentityServer.AspNetIdentity" Version="7.0.5" />
+    <PackageVersion Include="Duende.IdentityServer.EntityFramework.Storage" Version="7.0.5" />
     <PackageVersion Include="IdentityModel.AspNetCore.OAuth2Introspection" Version="6.2.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc" Version="2.2.0" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="8.0.5" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="8.0.7" />
     <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="[7.0.13,8.0.1]" />
     <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="[7.0.13,8.0.0]" />
     <PackageVersion Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.20.1" />
@@ -37,18 +36,18 @@
     <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="[6.0.0,7.0.1]" />
     <PackageVersion Include="Microsoft.Extensions.Options" Version="8.0.2" />
     <PackageVersion Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.5.2" />
-    <PackageVersion Include="OpenTelemetry" Version="1.8.1" />
-    <PackageVersion Include="OpenTelemetry.Exporter.Console" Version="1.8.1" />
-    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.8.1" />
-    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.8.1" />
-    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.8.1" />
-    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.8.1" />
+    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.0.0" />
+    <PackageVersion Include="OpenTelemetry" Version="1.9.0" />
+    <PackageVersion Include="OpenTelemetry.Exporter.Console" Version="1.9.0" />
+    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.9.0" />
+    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.9.0" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.9.0" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.9.0" />
     <PackageVersion Include="OpenTelemetry.Instrumentation.SqlClient" Version="1.0.0-rc9.14" />
     <PackageVersion Include="Serilog.AspNetCore" Version="[6.1.0,7.0.0]" />
     <PackageVersion Include="Serilog.Extensions.Logging" Version="[3.1.0,7.0.0]" />
     <PackageVersion Include="Portable.BouncyCastle" Version="1.9.0" />
-    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="7.5.2" />
+    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="8.0.0" />
     <PackageVersion Include="Udap.Metadata.Server" Version="0.3.24" />
     <PackageVersion Include="Yarp.ReverseProxy" Version="2.1.0" />
   </ItemGroup>

Udap.Client/Client/DiscoveryEndpoint.cs

@@ -17,14 +17,20 @@ public class DiscoveryEndpoint
     /// Parses a URL and turns it into authority and discovery endpoint URL.
     /// </summary>
     /// <param name="input">The input.</param>
-    /// <param name="path">The path to the discovery document. If not specified this defaults to .well-known/open-id-configuration</param>
+    /// <param name="path">The path to the discovery document. If not specified this defaults to .well-known/udap</param>
     /// <param name="community">Optional community qualifier</param>
     /// <returns></returns>
     /// <exception cref="System.InvalidOperationException">
     /// Malformed URL
     /// </exception>
     public static DiscoveryEndpoint ParseUrl(string input, string? path = null, string? community = null)
     {
+        if (input.Contains(UdapConstants.Discovery.DiscoveryEndpoint))
+        {
+            var i = input.IndexOf(UdapConstants.Discovery.DiscoveryEndpoint, StringComparison.Ordinal);
+            return new DiscoveryEndpoint(input.Substring(0, i).RemoveTrailingSlash(), input);
+        }
+
         if (string.IsNullOrEmpty(path))
         {
             path = UdapConstants.Discovery.DiscoveryEndpoint;

Udap.Client/Client/Extensions/HttpUdapClientDiscoveryExtensions.cs

@@ -101,7 +101,6 @@ public static async Task<UdapDiscoveryDocumentResponse> GetUdapDiscoveryDocument
                             $"Error connecting to {url}: {response.ReasonPhrase}").ConfigureAwait(false);
                 }
 
-                var joe = await response.Content.ReadAsStringAsync().ConfigureAwait(false);
                 var disco = await ProtocolResponse
                     .FromHttpResponseAsync<UdapDiscoveryDocumentResponse>(response, request.Policy)
                     .ConfigureAwait(false);

Udap.Client/Client/IUdapClient.cs

@@ -21,7 +21,6 @@ namespace Udap.Client.Client;
 
 public interface IUdapClient : IUdapClientEvents
 {
-    //TODO Cancellation Token add...
     Task<UdapDiscoveryDocumentResponse> ValidateResource(
         string baseUrl,
         string? community = null,
@@ -41,7 +40,7 @@ Task<UdapDiscoveryDocumentResponse> ValidateResource(
 
     /// <summary>
     /// Register a TieredClient in the Authorization Server.
-    /// Currently it is not SAN aware.  It picks the first SAN.
+    /// Currently, it is not SAN aware.  It picks the first SAN.
     /// To pick a different community the client can add a community query parameter to the .
     /// </summary>
     /// <param name="redirectUrl"></param>

Udap.Client/Client/UdapClient.cs

@@ -22,6 +22,7 @@
 using Udap.Client.Configuration;
 using Udap.Client.Extensions;
 using Udap.Common.Certificates;
+using Udap.Common.Extensions;
 using Udap.Model;
 using Udap.Model.Access;
 using Udap.Model.Registration;
@@ -317,6 +318,12 @@ private async Task<UdapDiscoveryDocumentResponse> InternalValidateResource(
                     UdapServerMetaData = disco.Json?.Deserialize<UdapMetadata>();
                     _logger.LogDebug(UdapServerMetaData?.SerializeToJson());
 
+                    if (baseUrl.Contains(UdapConstants.Discovery.DiscoveryEndpoint))
+                    {
+                        var i = baseUrl.IndexOf(UdapConstants.Discovery.DiscoveryEndpoint, StringComparison.Ordinal);
+                        baseUrl = baseUrl.Substring(0, i).RemoveTrailingSlash();
+                    }
+
                     if (!await _clientDiscoveryValidator.ValidateJwtToken(UdapServerMetaData!, baseUrl))
                     {
                         throw new SecurityTokenInvalidTypeException("Failed JWT Token Validation");

Udap.Client/Udap.Client.csproj

@@ -26,7 +26,7 @@
   </ItemGroup>
 
 
-  <ItemGroup >
+  <ItemGroup>
     <PackageReference Include="IdentityModel" />
   </ItemGroup>
 

Udap.Common/Certificates/TrustChainValidator.cs

@@ -137,9 +137,21 @@
             {
                 throw new ArgumentNullException(nameof(certificate));
             }
-
+
+            // Let's avoid complex state and/or race conditions by making copies of these collections.
+            X509Certificate2Collection roots = new X509Certificate2Collection(anchorCertificates); 
+            X509Certificate2Collection? intermeds = null;
+
+            if (intermediateCertificates != null)
+            {
+                intermeds = new X509Certificate2Collection(intermediateCertificates);
+            }
+
+            intermediateCertificates = null;
+            anchorCertificates = null;
+
             // if there are no anchors we should always fail
-            if (anchorCertificates.IsNullOrEmpty())
+            if (roots.IsNullOrEmpty())
             {
                 this.NotifyUntrusted(certificate);
                 return false;
@@ -159,19 +171,19 @@
                 // Again more to test here.
                 //
 
-                var chainBuilder = new X509Chain();
+                using var chainBuilder = new X509Chain();
 
-                if (!anchorCertificates.IsNullOrEmpty())
+                if (!roots.IsNullOrEmpty())
                 {
                     chainPolicy.CustomTrustStore.Clear();
                     chainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
-                    chainPolicy.CustomTrustStore.AddRange(anchorCertificates);
+                    chainPolicy.CustomTrustStore.AddRange(roots);
                 }
 
                 chainBuilder.ChainPolicy = chainPolicy;
-                if (intermediateCertificates != null)
+                if (intermeds != null)
                 {
-                    chainBuilder.ChainPolicy.ExtraStore.AddRange(intermediateCertificates!);
+                    chainBuilder.ChainPolicy.ExtraStore.AddRange(intermeds!);
                 }
                 var result = chainBuilder.Build(certificate);
 
@@ -191,7 +203,7 @@
                 // walk the chain starting at the leaf and see if we hit any issues before the anchor
                 foreach (var chainElement in chainElements)
                 {
-                    bool isAnchor = anchorCertificates?.FindByThumbprint(chainElement.Certificate.Thumbprint) != null;
+                    bool isAnchor = roots?.FindByThumbprint(chainElement.Certificate.Thumbprint) != null;
 
                     if (this.ChainElementHasProblems(chainElement))
                     {

Udap.Common/Standard/ObjectIdentifiers.cs

@@ -0,0 +1,27 @@
+#region (c) 2024 Joseph Shook. All rights reserved.
+// /*
+//  Authors:
+//     Joseph Shook   Joseph.Shook@Surescripts.com
+// 
+//  See LICENSE in the project root for license information.
+// */
+#endregion
+
+namespace Udap.Common.Standard;
+public static class ObjectIdentifiers
+{
+    public static class UdapExperimental
+    {
+        public static class UdapAccessControl
+        {
+            public static class General
+            {
+                public const string Create = "1.3.6.1.4.1.12345.1.1";
+                public const string Read = "1.3.6.1.4.1.12345.1.2";
+                public const string Update = "1.3.6.1.4.1.12345.1.3";
+                public const string Delete = "1.3.6.1.4.1.12345.1.4";
+                public const string Admin = "1.3.6.1.4.1.12345.1.5";
+            }
+        }
+    }
+}

Udap.Model/Registration/UdapCertificationAndEndorsementDocument.cs

@@ -8,6 +8,7 @@
 #endregion
 
 using System;
+using System.Collections.Generic;
 using System.IdentityModel.Tokens.Jwt;
 using System.Text.Json;
 using System.Text.Json.Serialization;
@@ -53,6 +54,13 @@ public UdapCertificationAndEndorsementDocument(string certificationName)
     [JsonPropertyName(UdapConstants.CertificationAndEndorsementDocumentValues.Subject)]
     public string? Subject { get; set; }
 
+    /// <summary>
+    /// string, registration endpoint URL of Authorization Server (optional, single valued or array).
+    /// If absent, this certification is intended for all audiences.
+    /// </summary>
+    [JsonPropertyName(UdapConstants.CertificationAndEndorsementDocumentValues.Audience)]
+    public string? Audience { get; set; }
+
     /// <summary>
     /// number, expiration time (max 3 years, must not expire after certificate).
     /// Expressed in seconds since the "Epoch".
@@ -117,7 +125,7 @@ public UdapCertificationAndEndorsementDocument(string certificationName)
     /// true if this certification represents an endorsement of the Client App by the issuer.
     /// </summary>
     [JsonPropertyName(UdapConstants.CertificationAndEndorsementDocumentValues.IsEndorsement)]
-    public bool? IsEndorsement { get; set; }
+    public bool? IsEndorsement { get; set; } = false;
 
     /// <summary>
     /// string (optional)
@@ -179,7 +187,7 @@ public UdapCertificationAndEndorsementDocument(string certificationName)
     /// so that AS operator can contact client app developer
     /// </summary>
     [JsonPropertyName(UdapConstants.CertificationAndEndorsementDocumentValues.Contacts)]
-    public string[]? Contacts { get; set; }
+    public ICollection<string>? Contacts { get; set; }
 
     /// <summary>
     /// string, for SMART app launch with EHR launch flow, requires scope includes launch
@@ -203,27 +211,27 @@ public UdapCertificationAndEndorsementDocument(string certificationName)
     /// contain any wildcard symbols, even if the certification includes a wildcard symbol.
     /// </summary>
     [JsonPropertyName(UdapConstants.CertificationAndEndorsementDocumentValues.RedirectUris)]
-    public string[]? RedirectUris { get; set; }
+    public ICollection<string>? RedirectUris { get; set; }
 
     /// <summary>
     /// array of strings of the form ip, ip1-ip2, or ip/CIDR (optional); origin IP to connect 
     /// to token endpoint, e.g. ["198.51.100.0/24", "203.0.113.55"]
     /// </summary>
     [JsonPropertyName(UdapConstants.CertificationAndEndorsementDocumentValues.IpAllowed)]
-    public string[]? IpAllowed { get; set; }
+    public ICollection<string>? IpAllowed { get; set; }
 
     /// <summary>
     /// array of strings, as per RFC 7591; e.g. authorization_code, refresh_token, 
     /// client_credentials (optional)
     /// </summary>
     [JsonPropertyName(UdapConstants.CertificationAndEndorsementDocumentValues.GrantTypes)]
-    public string[]? GrantTypes { get; set; }
+    public ICollection<string>? GrantTypes { get; set; }
 
     /// <summary>
     /// array of strings, as per RFC 7591; code (omit for client_credentials) (optional)
     /// </summary>
     [JsonPropertyName(UdapConstants.CertificationAndEndorsementDocumentValues.ResponseTypes)]
-    public string[]? ResponseTypes { get; set; }
+    public ICollection<string>? ResponseTypes { get; set; }
 
     /// <summary>
     /// string containing space separate list of permitted scopes, as per RFC 7591; optional