auth0 · frederikprijck · Oct 17, 2022 · Oct 6, 2022 · Oct 6, 2022 · Oct 6, 2022
@@ -17,7 +17,7 @@ namespace Auth0.AuthenticationApi
     /// </remarks>
     public class AuthenticationApiClient : IAuthenticationApiClient, IDisposable
     {
-        static readonly IdTokenValidator idTokenValidator = new IdTokenValidator();
+        readonly IdTokenValidator idTokenValidator;
         readonly TimeSpan idTokenValidationLeeway = TimeSpan.FromMinutes(1);
         readonly Uri tokenUri;
         protected readonly IAuthenticationConnection connection;        
@@ -51,6 +51,8 @@ public AuthenticationApiClient(Uri baseUri, IAuthenticationConnection connection
                 this.connection = connection;
             }
 
+            idTokenValidator = new IdTokenValidator(new OpenIdConnectDocumentRetriever(this.connection));
+
             tokenUri = BuildUri("oauth/token");
         }
 

@@ -1,4 +1,5 @@
 using Auth0.AuthenticationApi.Tokens;
+using Microsoft.IdentityModel.Protocols;
 using System;
 using System.IdentityModel.Tokens.Jwt;
 using System.Threading.Tasks;
@@ -9,7 +10,12 @@ internal class IdTokenValidator
     {
         readonly TimeSpan maxJwksKeySetValidFor = TimeSpan.FromMinutes(10);
         readonly TimeSpan minJwksRefreshInterval = TimeSpan.FromSeconds(15);
-        readonly JsonWebKeyCache jsonWebKeyCache = new JsonWebKeyCache();
+        readonly JsonWebKeyCache jsonWebKeyCache;
+
+        public IdTokenValidator(IDocumentRetriever openIdConnectDocumentRetriever = null)
+        {
+            jsonWebKeyCache = new JsonWebKeyCache(new JsonWebKeys(openIdConnectDocumentRetriever));
+        }
 
         public async Task Assert(IdTokenRequirements requirements, string idToken, string clientSecret, DateTime? pointInTime = null)
         {

@@ -6,7 +6,12 @@ namespace Auth0.AuthenticationApi.Tokens
 {
     internal class JsonWebKeyCache
     {
-        readonly AsyncAgedCache<string, JsonWebKeySet> cache = new AsyncAgedCache<string, JsonWebKeySet>(JsonWebKeys.GetForIssuer);
+        readonly AsyncAgedCache<string, JsonWebKeySet> cache;
+
+        public JsonWebKeyCache(JsonWebKeys jsonWebKeys)
+        {
+            cache = new AsyncAgedCache<string, JsonWebKeySet>(jsonWebKeys.GetForIssuer);
+        }
 
         public Task<JsonWebKeySet> Get(string issuer, TimeSpan maxAge)
         {

@@ -6,20 +6,27 @@
 
 namespace Auth0.AuthenticationApi.Tokens
 {
-    static class JsonWebKeys
+    internal class JsonWebKeys
     {
-        public static async Task<JsonWebKeySet> GetForIssuer(string issuer)
+        private readonly IDocumentRetriever openIdConnectDocumentRetriever;
+
+        public JsonWebKeys(IDocumentRetriever openIdConnectDocumentRetriever = null)
+        {
+            this.openIdConnectDocumentRetriever = openIdConnectDocumentRetriever;
+        }
+
+        public async Task<JsonWebKeySet> GetForIssuer(string issuer)
         {
             var metadataAddress = new UriBuilder(issuer) { Path = "/.well-known/openid-configuration" }.Uri.OriginalString;
             var openIdConfiguration = await GetOpenIdConfiguration(metadataAddress).ConfigureAwait(false);
             return openIdConfiguration.JsonWebKeySet;
         }
 
-        private static Task<OpenIdConnectConfiguration> GetOpenIdConfiguration(string metadataAddress)
+        private Task<OpenIdConnectConfiguration> GetOpenIdConfiguration(string metadataAddress)
         {
             try
             {
-                var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(metadataAddress, new OpenIdConnectConfigurationRetriever());
+                var configurationManager = openIdConnectDocumentRetriever != null ? new ConfigurationManager<OpenIdConnectConfiguration>(metadataAddress, new OpenIdConnectConfigurationRetriever(), openIdConnectDocumentRetriever) : new ConfigurationManager<OpenIdConnectConfiguration>(metadataAddress, new OpenIdConnectConfigurationRetriever());
                 return configurationManager.GetConfigurationAsync();
             }
             catch (Exception e)

@@ -0,0 +1,22 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.IdentityModel.Protocols;
+
+namespace Auth0.AuthenticationApi.Tokens
+{
+    internal class OpenIdConnectDocumentRetriever : IDocumentRetriever
+    {
+        private readonly IAuthenticationConnection connection;
+
+        public OpenIdConnectDocumentRetriever(IAuthenticationConnection connection)
+        {
+            this.connection = connection;
+        }
+
+        public Task<string> GetDocumentAsync(string address, CancellationToken cancel)
+        {
+            return connection.GetAsync<string>(new Uri(address), cancellationToken: cancel);
+        }
+    }
+}
@@ -88,6 +88,35 @@ public async Task Passes_Token_Validation_RS256()
             }
         }
 
+        [Fact]
+        public async Task Passes_Token_Validation_RS256_With_Document_Retreiver()
+        {
+            var authUrl = GetVariable("AUTH0_AUTHENTICATION_API_URL");
+            var clientId = GetVariable("AUTH0_CLIENT_ID");
+            var clientSecret = GetVariable("AUTH0_CLIENT_SECRET");
+
+            // Arrange
+            var connection = new TestHttpClientAuthenticationConnection();
+            var documentRetreiver = new OpenIdConnectDocumentRetriever(connection);
+            using (var authenticationApiClient = new TestAuthenticationApiClient(authUrl, connection))
+            {
+                // Act
+                var authenticationResponse = await authenticationApiClient.GetTokenAsync(new ResourceOwnerTokenRequest
+                {
+                    ClientId = clientId,
+                    ClientSecret = clientSecret,
+                    Realm = _connection.Name,
+                    Scope = "openid",
+                    Username = _user.Email,
+                    Password = Password
+                });
+
+                var issuer = $"https://{authUrl}/";
+                var requirements = new IdTokenRequirements(JwtSignatureAlgorithm.RS256, issuer, clientId, TimeSpan.FromMinutes(1));
+                await new IdTokenValidator(documentRetreiver).Assert(requirements, authenticationResponse.IdToken, clientSecret);
+            }
+        }
+
         [Fact]
         public async Task Passes_Token_Validation_HS256()
         {
@@ -116,6 +145,36 @@ public async Task Passes_Token_Validation_HS256()
             }
         }
 
+        [Fact]
+        public async Task Passes_Token_Validation_HS256_With_Document_Retreiver()
+        {
+            var authUrl = GetVariable("AUTH0_AUTHENTICATION_API_URL");
+            var clientId = GetVariable("AUTH0_HS256_CLIENT_ID");
+            var clientSecret = GetVariable("AUTH0_HS256_CLIENT_SECRET");
+
+            // Arrange
+            var connection = new TestHttpClientAuthenticationConnection();
+            var documentRetreiver = new OpenIdConnectDocumentRetriever(connection);
+            using (var authenticationApiClient = new TestAuthenticationApiClient(authUrl, connection))
+            {
+                // Act
+                var authenticationResponse = await authenticationApiClient.GetTokenAsync(new ResourceOwnerTokenRequest
+                {
+                    ClientId = clientId,
+                    ClientSecret = clientSecret,
+                    Realm = _connection.Name,
+                    SigningAlgorithm = JwtSignatureAlgorithm.HS256,
+                    Scope = "openid",
+                    Username = _user.Email,
+                    Password = Password
+                });
+
+                var issuer = $"https://{authUrl}/";
+                var requirements = new IdTokenRequirements(JwtSignatureAlgorithm.HS256, issuer, clientId, TimeSpan.FromMinutes(1));
+                await new IdTokenValidator(documentRetreiver).Assert(requirements, authenticationResponse.IdToken, clientSecret);
+            }
+        }
+
         [Fact]
         public async Task Passes_Token_Validation_With_CNAME()
         {