Introduce the capability to refresh the dpop proof on a retry #344
Erwinvandervalk merged 1 commit into main on Mar 17, 2026
Base automatically changed from fix/dpop-client-assertion-identity-model to main, March 16, 2026 13:24
Pull request overview
This PR wires on-demand client assertion generation into the OidcClient token/PAR flows and ensures DPoP nonce retries can regenerate client assertions (avoiding stale/replayed assertions), with expanded tests and an updated console sample demonstrating the pattern.
Changes:
- Pass ClientAssertionFactory into OIDC code exchange, refresh token, and PAR requests.
- Regenerate client assertions on DPoP nonce retry inside ProofTokenMessageHandler.
- Add a console sample ClientAssertionService and expand DPoP test coverage around assertion regeneration.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| identity-model-oidc-client/test/IdentityModel.OidcClient.Tests/DPoP/DPoPTests.cs | Adds tests verifying client assertion refresh behavior on DPoP nonce retries and maintains backward-compat behavior without a factory. |
| identity-model-oidc-client/src/IdentityModel.OidcClient/ResponseProcessor.cs | Adds ClientAssertionFactory to the authorization-code redemption request. |
| identity-model-oidc-client/src/IdentityModel.OidcClient/OidcClient.cs | Uses Array.Empty/materialization tweaks and adds ClientAssertionFactory to refresh-token requests; minor null-safety/logging change. |
| identity-model-oidc-client/src/IdentityModel.OidcClient/IdentityModel.OidcClient.csproj | Switches dependency from PackageReference to ProjectReference for IdentityModel. |
| identity-model-oidc-client/src/IdentityModel.OidcClient/AuthorizeClient.cs | Adds ClientAssertionFactory to pushed authorization request. |
| identity-model-oidc-client/src/IdentityModel.OidcClient.Extensions/DPoP/ProofTokenMessageHandler.cs | Regenerates client assertions on nonce retry by invoking a factory stored in HttpRequestMessage.Options. |
| identity-model-oidc-client/samples/NetCoreConsoleClient/src/NetCoreConsoleClient/Program.cs | Updates sample to use DPoP plus a ClientAssertionFactory to ensure fresh assertions on retries. |
| identity-model-oidc-client/samples/NetCoreConsoleClient/src/NetCoreConsoleClient/NetCoreConsoleClient.csproj | Enables implicit usings/nullable and updates dependencies to support new sample functionality. |
| identity-model-oidc-client/samples/NetCoreConsoleClient/src/NetCoreConsoleClient/ClientAssertionService.cs | Adds helper to create private_key_jwt client assertions with fresh jti/iat per invocation. |
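The retry pattern the review describes, as an added sketch that is not the PR's or IdentityModel.OidcClient's code: a delegating handler that, on a DPoP nonce challenge, mints a fresh client assertion from a factory stored in `HttpRequestMessage.Options` and re-signs the proof with the nonce. The class name, options key and `createProof` delegate are hypothetical; it assumes .NET 6+ with implicit usings and nullable enabled.

```csharp
using System.Net;
using System.Web;
// Added illustration with hypothetical names; not the IdentityModel.OidcClient source.
public sealed class DPoPNonceRetryHandler : DelegatingHandler
{
    // Callers store a factory here so the handler can mint a new assertion per attempt.
    public static readonly HttpRequestOptionsKey<Func<Task<string>>> AssertionFactoryKey =
        new("example.client_assertion_factory");
    // Assumed helper: signs a DPoP proof for the request, embedding the nonce if given.
    private readonly Func<HttpRequestMessage, string?, string> _createProof;

    public DPoPNonceRetryHandler(
        Func<HttpRequestMessage, string?, string> createProof, HttpMessageHandler inner)
        : base(inner) => _createProof = createProof;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        SetProof(request, nonce: null);
        var response = await base.SendAsync(request, ct);

        // Simplified check: a 400/401 carrying a DPoP-Nonce header is treated as
        // the server's "use_dpop_nonce" challenge (RFC 9449).
        var challenged = response.StatusCode is HttpStatusCode.BadRequest or HttpStatusCode.Unauthorized;
        if (!challenged || !response.Headers.TryGetValues("DPoP-Nonce", out var nonces))
            return response;
        var nonce = nonces.First();
        response.Dispose();

        // The first assertion's jti has already reached the server, so replace it
        // instead of resending the same JWT. Without a factory the body is unchanged.
        if (request.Content is not null &&
            request.Options.TryGetValue(AssertionFactoryKey, out var factory))
        {
            var fields = HttpUtility.ParseQueryString(await request.Content.ReadAsStringAsync(ct));
            fields["client_assertion"] = await factory();
            request.Content = new FormUrlEncodedContent(fields.AllKeys.Select(
                k => KeyValuePair.Create<string?, string?>(k, fields[k])));
        }

        SetProof(request, nonce); // new proof bound to the server-supplied nonce
        return await base.SendAsync(request, ct);
    }

    private void SetProof(HttpRequestMessage request, string? nonce)
    {
        request.Headers.Remove("DPoP");
        request.Headers.TryAddWithoutValidation("DPoP", _createProof(request, nonce));
    }
}
```

A caller opts in with `request.Options.Set(DPoPNonceRetryHandler.AssertionFactoryKey, factory)`, where the factory returns a private_key_jwt with a new jti and iat on every call.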
…cClient. Wire client assertion creator into OIDC code exchange flow. Update DPoP ProofTokenMessageHandler to regenerate assertions on retry. Add ClientAssertionService to NetCoreConsoleClient sample. Expand DPoP test coverage for client assertion scenarios. wip cleanup
pgermishuys approved these changes Mar 17, 2026
Summary
Part 2 of 3 — split from #329. Stacked on #343.
- OidcClient and ResponseProcessor
- ProofTokenMessageHandler to regenerate assertions on nonce retry
- ClientAssertionService to NetCoreConsoleClient sample