
Regenerate Client Assertions on DPoP nonce retry in AccessTokenManagement#345

Merged
Erwinvandervalk merged 3 commits into main from fix/dpop-client-assertion-access-token-mgmt
Mar 17, 2026

Conversation


@Erwinvandervalk Erwinvandervalk commented Mar 16, 2026

Summary

Part 3 of 3 — split from #329. Stacked on #344.

  • Regenerate client assertions in AuthorizationServerDPoPHandler on DPoP nonce retry
  • Wire assertion creators into ClientCredentialsTokenClient and ConfigureOpenIdConnectOptions
  • Add OpenIdConnectUserTokenEndpoint for user token assertion support
  • Add WebClientAssertions sample project with full UI
  • Add DPoPWithClientAssertionsTests and UserTokenManagementWithDPoPTests
  • Update foss.slnx with new sample projects

@Erwinvandervalk Erwinvandervalk force-pushed the fix/dpop-client-assertion-oidc-client branch from 6dde893 to a5a4de2 Compare March 16, 2026 06:40
@Erwinvandervalk Erwinvandervalk force-pushed the fix/dpop-client-assertion-access-token-mgmt branch from 85ab6c0 to 6c31ad1 Compare March 16, 2026 06:40
@Erwinvandervalk Erwinvandervalk force-pushed the fix/dpop-client-assertion-oidc-client branch 3 times, most recently from 2931129 to e46c3f6 Compare March 16, 2026 15:09
@Erwinvandervalk Erwinvandervalk force-pushed the fix/dpop-client-assertion-access-token-mgmt branch 2 times, most recently from 233f0ff to b2826b8 Compare March 16, 2026 15:23
@Erwinvandervalk Erwinvandervalk changed the title Fix stale ClientAssertion on DPoP nonce retry - AccessTokenManagement Regenerate Client Assertions on DPoP nonce retry in AccessTokenManagement Mar 17, 2026
@Erwinvandervalk Erwinvandervalk self-assigned this Mar 17, 2026
@Erwinvandervalk Erwinvandervalk added the area/foss/atm Issues related to Access Token Management label Mar 17, 2026
@Erwinvandervalk Erwinvandervalk changed the base branch from fix/dpop-client-assertion-oidc-client to main March 17, 2026 06:24
… changes

Regenerate client assertions in AuthorizationServerDPoPHandler on nonce retry.
Wire assertion creators into ClientCredentialsTokenClient and OIDC options.
Add OpenIdConnectUserTokenEndpoint for user token assertion support.
Add WebClientAssertions sample, DPoP+assertion tests, and update foss.slnx.
@Erwinvandervalk Erwinvandervalk force-pushed the fix/dpop-client-assertion-access-token-mgmt branch from 5536afd to e8cc39c Compare March 17, 2026 08:15
Copilot AI review requested due to automatic review settings March 17, 2026 08:15

Copilot AI left a comment


Pull request overview

This PR (part 3/3 of the work split from #329 and stacked on #344) extends Duende.AccessTokenManagement to properly regenerate client assertions when a DPoP nonce challenge forces a retry, and wires assertion creation into additional OIDC flows (code exchange + PAR). It also adds integration tests and a new MVC sample demonstrating DPoP + private_key_jwt client authentication.

Changes:

  • Regenerate client assertions on DPoP nonce retry for client credentials and user-token refresh flows.
  • Automatically apply client assertions during OIDC authorization-code exchange and PAR requests when an IClientAssertionService is registered.
  • Add new integration tests plus a new WebClientAssertions sample project, and include it in foss.slnx.

Reviewed changes

Copilot reviewed 34 out of 63 changed files in this pull request and generated 2 comments.

File / Description
foss.slnx Adds the new WebClientAssertions sample project to the solution.
access-token-management/src/AccessTokenManagement/Internal/ClientCredentialsTokenClient.cs Regenerates the client assertion on DPoP nonce retry for client credentials flow.
access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/OpenIdConnectUserTokenEndpoint.cs Regenerates the client assertion on DPoP nonce retry during refresh-token flow (OIDC user tokens).
access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/ConfigureOpenIdConnectOptions.cs Wires client assertions into OIDC authorization-code exchange and PAR via event callbacks; fixes async callback awaiting.
access-token-management/src/AccessTokenManagement.OpenIdConnect/Internal/AuthorizationServerDPoPHandler.cs Adds client-assertion regeneration logic on DPoP nonce retry during authorization-code token exchange.
access-token-management/test/AccessTokenManagement.Tests/ClientTokenManagementTests.cs Adds a regression test ensuring fresh assertions across DPoP nonce retries for client credentials; minor cleanups.
access-token-management/test/AccessTokenManagement.Tests/UserTokenManagementWithDPoPTests.cs Adds integration tests validating fresh assertions on nonce retry for refresh and for code exchange.
access-token-management/test/AccessTokenManagement.Tests/UserTokenManagementTests.cs Removes manual OIDC event workaround and adds tests verifying automatic assertion handling + static assertion preference.
access-token-management/test/AccessTokenManagement.Tests/DPoPWithClientAssertionsTests.cs Adds integration coverage for DPoP + client assertions across user/code exchange, refresh, and client credentials.
access-token-management/test/AccessTokenManagement.Tests/PARWithClientAssertionsTests.cs Adds integration coverage for PAR with client assertions, including combined PAR + DPoP scenarios.
access-token-management/test/AccessTokenManagement.Tests/Framework/IntegrationTestBase.cs Extends integration harness with JWK-based client auth configuration and helper to build public JWK secrets.
access-token-management/test/AccessTokenManagement.Tests/Framework/IdentityServerHost.cs Enables optional PAR endpoint and captures PAR requests; enables JWT bearer client authentication for tests.
access-token-management/test/AccessTokenManagement.Tests/Framework/AppHost.cs Adds support for PAR behavior + automatically registering a JWT client assertion service for integration tests.
access-token-management/test/AccessTokenManagement.Tests/Framework/JwtClientAssertionService.cs Adds a test-only JWT client assertion service for generating signed assertions.
access-token-management/samples/WebClientAssertions/WebClientAssertions.csproj New MVC sample project demonstrating client assertions with OIDC + DPoP.
access-token-management/samples/WebClientAssertions/Program.cs Sample host bootstrapping + Serilog configuration.
access-token-management/samples/WebClientAssertions/Startup.cs Sample authentication/token management setup for OIDC + DPoP + client assertions; HTTP client registrations.
access-token-management/samples/WebClientAssertions/ClientAssertionService.cs Sample IClientAssertionService producing private_key_jwt assertions for demo clients.
access-token-management/samples/WebClientAssertions/Controllers/HomeController.cs Sample endpoints invoking APIs via user/client flows and rendering results.
access-token-management/samples/WebClientAssertions/TypedClient.cs Sample typed HTTP clients for user/client API calls.
access-token-management/samples/WebClientAssertions/Views/_ViewImports.cshtml Sample Razor view imports.
access-token-management/samples/WebClientAssertions/Views/_ViewStart.cshtml Sample Razor layout setup.
access-token-management/samples/WebClientAssertions/Views/Shared/_Layout.cshtml Sample shared layout referencing static assets.
access-token-management/samples/WebClientAssertions/Views/Home/Index.cshtml Sample home page explaining the scenario and linking to flows.
access-token-management/samples/WebClientAssertions/Views/Home/Secure.cshtml Sample secure page listing actions and displaying claims/properties.
access-token-management/samples/WebClientAssertions/Views/Home/CallApi.cshtml Sample view rendering API JSON response.
access-token-management/samples/WebClientAssertions/Properties/launchSettings.json Sample launch profile.
access-token-management/samples/WebClientAssertions/wwwroot/css/site.css Sample styling.
access-token-management/samples/WebClientAssertions/wwwroot/js/site.js Sample site JS scaffold.
access-token-management/samples/WebClientAssertions/wwwroot/favicon.ico Sample favicon.
access-token-management/samples/WebClientAssertions/wwwroot/lib/jquery/LICENSE.txt Adds third-party license file for jQuery used by the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/jquery-validation/LICENSE.md Adds third-party license file for jquery-validation used by the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/jquery-validation/dist/jquery.validate.min.js Adds jquery-validation static asset for the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/jquery-validation/dist/additional-methods.min.js Adds jquery-validation additional methods static asset for the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/jquery-validation-unobtrusive/LICENSE.txt Adds third-party license file for jquery-validation-unobtrusive used by the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.js Adds jquery-validation-unobtrusive static asset for the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/jquery-validation-unobtrusive/jquery.validate.unobtrusive.min.js Adds jquery-validation-unobtrusive minified static asset for the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/bootstrap/LICENSE Adds third-party license file for Bootstrap used by the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/bootstrap/dist/css/bootstrap-reboot.css Adds Bootstrap static asset for the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/bootstrap/dist/css/bootstrap-reboot.min.css Adds Bootstrap static asset for the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/bootstrap/dist/css/bootstrap-reboot.min.css.map Adds Bootstrap sourcemap for the sample.
access-token-management/samples/WebClientAssertions/wwwroot/lib/bootstrap/dist/css/bootstrap-grid.min.css Adds Bootstrap static asset for the sample.

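The overview above describes the fix in prose: when the token endpoint answers a DPoP nonce challenge, the retry must carry a newly generated client assertion as well as a new DPoP proof, because a private_key_jwt assertion has a single-use jti and a short lifetime. The following client-credentials token client is an added example, not code from this PR or from Duende.AccessTokenManagement; the class and method names are invented, and it assumes .NET 8 implicit usings plus the Microsoft.IdentityModel.JsonWebTokens package, with the HttpClient, endpoint URL and RSA keys supplied by the caller.

```csharp
using System.Security.Claims;
using System.Text.Json;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;
// Added example, not Duende.AccessTokenManagement code. Assumes .NET 8 implicit usings and Microsoft.IdentityModel.JsonWebTokens; HttpClient, endpoint URL and RSA keys come from the caller.
public sealed class DPoPClientAssertionTokenClient(HttpClient http, string tokenEndpoint, string clientId, RsaSecurityKey clientKey, RsaSecurityKey dpopKey)
{
    // private_key_jwt assertion (RFC 7523): unique jti and fresh iat/exp on each call, so no assertion is ever sent twice.
    string NewClientAssertion() => new JsonWebTokenHandler().CreateToken(new SecurityTokenDescriptor
    {
        Issuer = clientId, Audience = tokenEndpoint, Expires = DateTime.UtcNow.AddMinutes(1),
        Subject = new ClaimsIdentity(new[] { new Claim("sub", clientId), new Claim("jti", Guid.NewGuid().ToString("N")) }),
        SigningCredentials = new SigningCredentials(clientKey, SecurityAlgorithms.RsaSha256),
    });
    // DPoP proof (RFC 9449): typ=dpop+jwt, PUBLIC jwk in the header, htm/htu/jti, and the server nonce once one was issued.
    string NewDPoPProof(string? nonce)
    {
        var jwk = JsonWebKeyConverter.ConvertFromRSASecurityKey(dpopKey); // also carries private parts, so copy kty/n/e only
        var claims = new List<Claim> { new("htm", "POST"), new("htu", tokenEndpoint), new("jti", Guid.NewGuid().ToString("N")) };
        if (nonce is not null) claims.Add(new Claim("nonce", nonce));
        return new JsonWebTokenHandler().CreateToken(new SecurityTokenDescriptor
        {
            TokenType = "dpop+jwt", Subject = new ClaimsIdentity(claims),
            AdditionalHeaderClaims = new Dictionary<string, object> { ["jwk"] = new Dictionary<string, string> { ["kty"] = jwk.Kty, ["n"] = jwk.N, ["e"] = jwk.E } },
            SigningCredentials = new SigningCredentials(dpopKey, SecurityAlgorithms.RsaSha256),
        });
    }
    public async Task<string> RequestAccessTokenAsync(string scope, CancellationToken ct = default)
    {
        for (string? nonce = null; ;)
        {
            var form = new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials", ["scope"] = scope, ["client_id"] = clientId,
                ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
                ["client_assertion"] = NewClientAssertion(), // rebuilt on every attempt: resending the first one on the retry replays its jti
            };
            var req = new HttpRequestMessage(HttpMethod.Post, tokenEndpoint) { Content = new FormUrlEncodedContent(form) };
            req.Headers.Add("DPoP", NewDPoPProof(nonce)); // likewise rebuilt, now carrying the nonce when we have one
            using var resp = await http.SendAsync(req, ct);
            using var json = JsonDocument.Parse(await resp.Content.ReadAsStringAsync(ct));
            if (resp.IsSuccessStatusCode) return json.RootElement.GetProperty("access_token").GetString()!;
            // RFC 9449 section 8: 400 {"error":"use_dpop_nonce"} plus a DPoP-Nonce header means "retry using this nonce".
            var isChallenge = (int)resp.StatusCode == 400 && resp.Headers.Contains("DPoP-Nonce")
                && json.RootElement.TryGetProperty("error", out var e) && e.GetString() == "use_dpop_nonce";
            if (!isChallenge || nonce is not null) throw new InvalidOperationException($"token request failed: {json.RootElement}");
            nonce = resp.Headers.GetValues("DPoP-Nonce").First();
        }
    }
}
```

Only one nonce retry is attempted; a second consecutive challenge is surfaced as an error rather than looped on.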

@Erwinvandervalk Erwinvandervalk force-pushed the fix/dpop-client-assertion-access-token-mgmt branch from e8cc39c to dac33a9 Compare March 17, 2026 08:25
@Erwinvandervalk Erwinvandervalk merged commit 06ed637 into main Mar 17, 2026
2 checks passed
@Erwinvandervalk Erwinvandervalk deleted the fix/dpop-client-assertion-access-token-mgmt branch March 17, 2026 11:45
@Erwinvandervalk Erwinvandervalk added this to the atm-4.2.0 milestone Mar 19, 2026