Client can have one or more secret

Author: habarthierry-hue

src/IdServer/SimpleIdServer.IdServer.Domains/Client.cs

@@ -24,6 +24,8 @@ public class Client : ITranslatable, IEquatable<Client>
     {
         [JsonPropertyName(OAuthClientParameters.Id)]
         public string Id { get; set; }
+        public string ClientSecret { get; set; } = null!;
+        public DateTime? ClientSecretExpirationTime { get; set; }
         [JsonPropertyName(OAuthClientParameters.Source)]
         public string? Source { get; set; }
         [JsonPropertyName(OAuthClientParameters.IsPublic)]
@@ -34,10 +36,10 @@ public class Client : ITranslatable, IEquatable<Client>
         [JsonPropertyName(OAuthClientParameters.ClientId)]
         public string ClientId { get; set; } = null!;
         /// <summary>
-        /// Client secret.
+        /// Client secrets.
         /// </summary>
-        [JsonPropertyName(OAuthClientParameters.ClientSecret)]
-        public string ClientSecret { get; set; } = null!;
+        [JsonPropertyName(OAuthClientParameters.ClientSecrets)]
+        public List<ClientSecret> Secrets { get; set; } = new List<ClientSecret>();
         /// <summary>
         /// String containing the access token to be used at the client configuration endpoint to perform subsequent operations upon the client registration.
         /// </summary>
@@ -178,12 +180,6 @@ public string? PolicyUri
         [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
         public string? TlsClientAuthSanEmail { get; set; } = null;
         /// <summary>
-        /// Client secret expiration time.
-        /// </summary>
-        [JsonPropertyName(OAuthClientParameters.ClientSecretExpiresAt)]
-        [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)]
-        public DateTime? ClientSecretExpirationTime { get; set; }
-        /// <summary>
         /// Update date time.
         /// </summary>
         [JsonPropertyName(OAuthClientParameters.UpdateDateTime)]
@@ -615,6 +611,14 @@ public JsonObject Parameters
         [JsonIgnore]
         public ICollection<DeviceAuthCode> DeviceAuthCodes { get; set; } = new List<DeviceAuthCode>();
 
+        public ClientSecret PlainSecret
+        {
+            get
+            {
+                return Secrets.SingleOrDefault(s => s.Alg == HashAlgs.PLAINTEXT && !s.IsExpired);
+            }
+        }
+
         public double? GetDoubleParameter(string name)
         {
             if (!Parameters.ContainsKey(name)) return null;
@@ -634,6 +638,20 @@ public void Add(string keyId, JsonWebKey jsonWebKey, string usage, SecurityKeyTy
             });
         }
 
+        public void Add(ClientSecret secret)
+        {
+            if(secret.Alg == HashAlgs.PLAINTEXT)
+            {
+                var otherSecrets = Secrets.Where(s => s.Alg == HashAlgs.PLAINTEXT).ToList();
+                foreach(var otherSecret in otherSecrets)
+                {
+                    otherSecret.IsActive = false;
+                }
+            }
+
+            Secrets.Add(secret);
+        }
+
         public string GetStringParameter(string name) => Parameters[name].ToString();
 
         public void UpdateClientName(string clientName)

src/IdServer/SimpleIdServer.IdServer.Domains/ClientSecret.cs

@@ -7,28 +7,128 @@ namespace SimpleIdServer.IdServer.Domains;
 
 public class ClientSecret
 {
-    private string _value;
+    private static Dictionary<HashAlgs, int> _mappingAlgToSize = new Dictionary<HashAlgs, int>
+    {
+        { HashAlgs.MD5, MD5.HashSizeInBytes },
+        { HashAlgs.SHA1, SHA1.HashSizeInBytes },
+        { HashAlgs.SHA256, SHA256.HashSizeInBytes },
+        { HashAlgs.SHA384, SHA384.HashSizeInBytes },
+        { HashAlgs.SHA512, SHA512.HashSizeInBytes }
+    };
+
+    private static (HashAlgs Alg, Func<string, string> HashFunc)[] _hashAlgs = new (HashAlgs Alg, Func<string, string> HashFunc)[]
+    {
+        (HashAlgs.SHA1, (string pwd) => Convert.ToBase64String(SHA1.Create().ComputeHash(Encoding.UTF8.GetBytes(pwd)))),
+        (HashAlgs.SHA256, (string pwd) => Convert.ToBase64String(SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(pwd)))),
+        (HashAlgs.SHA384, (string pwd) => Convert.ToBase64String(SHA384.Create().ComputeHash(Encoding.UTF8.GetBytes(pwd)))),
+        (HashAlgs.SHA512, (string pwd) => Convert.ToBase64String(SHA512.Create().ComputeHash(Encoding.UTF8.GetBytes(pwd)))),
+        (HashAlgs.MD5, (string pwd) => Convert.ToBase64String(MD5.Create().ComputeHash(Encoding.UTF8.GetBytes(pwd)))),
+        (HashAlgs.PLAINTEXT, (string pwd) => pwd)
+    };
+
+    public string Id
+    {
+        get; set;
+    }
+
+    public string Value
+    {
+        get; set;
+    }
+
+    public HashAlgs Alg
+    {
+        get; set;
+    }
+
+    public DateTime? ExpirationDateTime
+    {
+        get; set;
+    }
+
+    public DateTime CreateDateTime
+    {
+        get; set;
+    }
 
-    public ClientSecret(string value)
+    public bool IsActive
     {
-        _value = value;    
+        get; set;
+    } = true;
+
+    public bool IsExpired
+    {
+        get
+        {
+            if (ExpirationDateTime.HasValue == false) return false;
+            return ExpirationDateTime.Value < DateTime.UtcNow && IsActive;
+        }
     }
 
-    public string Sha256()
+    public static ClientSecret Create(string pwd, HashAlgs alg, DateTime? expirationTime = null)
     {
-        using (var sha256 = SHA256.Create())
+        var hashedPwd = _hashAlgs.Single((a) => a.Alg == alg).HashFunc(pwd);
+        return new ClientSecret
         {
-            var hashPayload = sha256.ComputeHash(Encoding.UTF8.GetBytes(_value));
-            return Convert.ToBase64String(hashPayload);
+            Id = Guid.NewGuid().ToString(),
+            Alg = alg,
+            Value = hashedPwd,
+            CreateDateTime = DateTime.UtcNow,
+            IsActive = true,
+            ExpirationDateTime = expirationTime
+        };
+    }
+    
+    public static ClientSecret Resolve(string str)
+    {
+        var alg = HashAlgs.PLAINTEXT;
+        if (TryDecodeBase64(str, out byte[] payload))
+        {
+            var size = payload.Length;
+            if (_mappingAlgToSize.ContainsValue(size))
+            {
+                alg = _mappingAlgToSize.Single(kvp => kvp.Value == size).Key;
+            }
+
         }
+
+        return new ClientSecret
+        {
+            Id = Guid.NewGuid().ToString(),
+            Alg = alg,
+            Value = str,
+            CreateDateTime = DateTime.UtcNow
+        };
     }
 
-    public string Sha512()
+    public static bool TryDecodeBase64(string s, out byte[] result)
     {
-        using (var sha512 = SHA512.Create())
+        if (s.Length % 4 != 0)
         {
-            var hashPayload = sha512.ComputeHash(Encoding.UTF8.GetBytes(_value));
-            return Convert.ToBase64String(hashPayload);
+            result = null;
+            return false;
+        }
+
+        try
+        {
+            result = Convert.FromBase64String(s);
+            return true;
+        }
+        catch (FormatException)
+        {
+            result = null;
+            return false;
         }
     }
 }
+
+
+public enum HashAlgs
+{
+    PLAINTEXT = 0,
+    MD5 = 1,
+    SHA1 = 2,
+    SHA256 = 3,
+    SHA384 = 4,
+    SHA512 = 5
+}

src/IdServer/SimpleIdServer.IdServer.Domains/DTOs/ClientSecretNames.cs

@@ -0,0 +1,13 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using System.Diagnostics.Contracts;
+
+namespace SimpleIdServer.IdServer.Domains.DTOs;
+
+public class ClientSecretNames
+{
+    public const string Alg = "alg";
+    public const string Value = "value";
+    public const string Id = "id";
+}

src/IdServer/SimpleIdServer.IdServer.Domains/DTOs/OAuthClientParameters.cs

@@ -8,9 +8,8 @@ public class OAuthClientParameters
         public const string IsPublic = "is_public";
         public const string ClientId = "client_id";
         public const string ClientType = "client_type";
-        public const string ClientSecret = "client_secret";
+        public const string ClientSecrets = "client_secrets";
         public const string ClientIdIssuedAt = "client_id_issued_at";
-        public const string ClientSecretExpiresAt = "client_secret_expires_at";
         public const string RegistrationAccessToken = "registration_access_token";
         public const string GrantTypes = "grant_types";
         public const string RedirectUris = "redirect_uris";

src/IdServer/SimpleIdServer.IdServer.Federation/ClientRegistrationService.cs

@@ -166,7 +166,10 @@ private async Task<Client> AddClient(string realm, (Client, OpenidTrustChain) re
         };
         newClient.Scopes = await _scopeRepository.GetByNames(realm, newClient.Scopes.Select(s => s.Name).ToList(), cancellationToken);
         newClient.ClientType = ClientTypes.FEDERATION;
-        newClient.ClientSecret = Guid.NewGuid().ToString();
+        newClient.Secrets = new List<ClientSecret>
+        {
+            ClientSecret.Create(Guid.NewGuid().ToString(), HashAlgs.PLAINTEXT)
+        };
         newClient.ExpirationDateTime = trustChain.ExpirationDateTime;
         newClient.UpdateDateTime = DateTime.UtcNow;
         newClient.CreateDateTime = DateTime.UtcNow;

src/IdServer/SimpleIdServer.IdServer.IntegrationEvents/ClientCredentialUpdatedFailureEvent.cs

@@ -8,7 +8,6 @@ public class ClientCredentialUpdatedFailureEvent : IIntegrationEvent
     public string Realm { get; set; }
     public string ClientId { get; set; }
     public string TokenEndpointAuthMethod { get; set; }
-    public string ClientSecret { get; set; }
     public string TlsClientAuthSubjectDN { get; set; }
     public string TlsClientAuthSanDNS { get; set; }
     public string TlsClientAuthSanEmail { get; set; }

src/IdServer/SimpleIdServer.IdServer.IntegrationEvents/ClientCredentialUpdatedSuccessEvent.cs

@@ -7,7 +7,6 @@ public class ClientCredentialUpdatedSuccessEvent : IIntegrationEvent
     public string Realm { get; set; }
     public string ClientId { get; set; }
     public string TokenEndpointAuthMethod { get; set; }
-    public string ClientSecret { get; set; }
     public string TlsClientAuthSubjectDN { get; set; }
     public string TlsClientAuthSanDNS { get; set; }
     public string TlsClientAuthSanEmail { get; set; }

src/IdServer/SimpleIdServer.IdServer.Migrations.Duende/DuendeMigrationService.cs

@@ -261,7 +261,7 @@ private static Client Map(DuendeClient client, List<Scope> scopes)
             IsConsentDisabled = !client.RequireConsent,
             Scopes = scopes,
             SerializedJsonWebKeys = ResolveSerializedJsonWebKeys(client),
-            ClientSecret = ResolveClientSecret(client),
+            Secrets = ResolveClientSecrets(client),
             CreateDateTime = client.Created,
             UpdateDateTime = client.Updated ?? client.Created,
             AuthorizationCodeExpirationInSeconds = client.AuthorizationCodeLifetime,
@@ -354,16 +354,17 @@ private static int ResolveDPOPNonceLifetimeInSeconds(DuendeClient client)
         return (int)client.DPoPClockSkew.TotalSeconds;
     }
 
-    private static string ResolveClientSecret(DuendeClient client)
+    private static List<ClientSecret> ResolveClientSecrets(DuendeClient client)
     {
         const string clientSecretType = "SharedSecret";
-        var clientSecret = client.ClientSecrets.FirstOrDefault(s => s.Type == clientSecretType && s.Expiration == null);
-        if (clientSecret == null)
+        var clientSecrets = client.ClientSecrets.Where(s => s.Type == clientSecretType);
+        return clientSecrets.Select(s =>
         {
-            clientSecret = client.ClientSecrets.FirstOrDefault(s => s.Type == clientSecretType && s.Expiration != null && s.Expiration >= DateTime.UtcNow);
-        }
-
-        return clientSecret?.Value ?? Guid.NewGuid().ToString();
+            var result = ClientSecret.Resolve(s.Value);
+            result.ExpirationDateTime = s.Expiration;
+            result.CreateDateTime = s.Created;
+            return result;
+        }).ToList();
     }
 
     private static UserClaim Map(IdentityUserClaim<string> userClaim)

src/IdServer/SimpleIdServer.IdServer.Saml.Idp/Builders/SamlSpClientBuilder.cs

@@ -23,11 +23,14 @@ public static SamlSpClientBuilder BuildSamlSpClient(string clientId, string meta
         var client = new Client
         {
             Id = Guid.NewGuid().ToString(),
-            ClientSecret = Guid.NewGuid().ToString(),
             ClientId = clientId,
             ClientType = ClientTypes.SAML,
             CreateDateTime = DateTime.UtcNow,
-            UpdateDateTime = DateTime.UtcNow
+            UpdateDateTime = DateTime.UtcNow,
+            Secrets = new List<ClientSecret>
+            {
+                ClientSecret.Create(Guid.NewGuid().ToString(), HashAlgs.PLAINTEXT)
+            }
         };
         if (realm == null) client.Realms.Add(Config.DefaultRealms.Master);
         else client.Realms.Add(realm);

src/IdServer/SimpleIdServer.IdServer.Startup/Program.cs

@@ -1,23 +1,16 @@
 // Copyright (c) SimpleIdServer. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
-using SimpleIdServer.IdServer.Domains;
 using SimpleIdServer.IdServer.Startup;
 using SimpleIdServer.IdServer.Startup.Conf;
+using System;
 
 
-var hashedPwd = "AQAAAAIAAYagAAAAEJwcFDmZdWMYEMLLTWiEfYvLsAUFtsMPR3/JMKIE9Zh4o76Wl2020g4stjHqv05zwg==";
-var pp = "Pass123$";
-var hasher = new PasswordHasher<User>();
-var b = hasher.VerifyHashedPassword(new User(), hashedPwd, pp);
-if(b == PasswordVerificationResult.Success)
-{
-
-}
+var hashedPwd = "o90IbCACXKUkunXoa18cODcLKnQTbjOo5ihEw9j58+8=";
+var s = Convert.FromBase64String(hashedPwd);
 
 var webApplicationBuilder = WebApplication.CreateBuilder(args);
 webApplicationBuilder.Services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyOrigin()