Ticket #874 : Add multiple algorithms to check the client secret

Author: habarthierry-hue

src/IdServer/SimpleIdServer.IdServer.Domains/ClientSecret.cs

@@ -0,0 +1,34 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using System.Security.Cryptography;
+using System.Text;
+
+namespace SimpleIdServer.IdServer.Domains;
+
+public class ClientSecret
+{
+    private string _value;
+
+    public ClientSecret(string value)
+    {
+        _value = value;    
+    }
+
+    public string Sha256()
+    {
+        using (var sha256 = SHA256.Create())
+        {
+            var hashPayload = sha256.ComputeHash(Encoding.UTF8.GetBytes(_value));
+            return Convert.ToBase64String(hashPayload);
+        }
+    }
+
+    public string Sha512()
+    {
+        using (var sha512 = SHA512.Create())
+        {
+            var hashPayload = sha512.ComputeHash(Encoding.UTF8.GetBytes(_value));
+            return Convert.ToBase64String(hashPayload);
+        }
+    }
+}

src/IdServer/SimpleIdServer.IdServer.Migrations.Duende/DuendeMigrationService.cs

@@ -4,7 +4,9 @@
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.IdentityModel.Tokens;
+using SimpleIdServer.IdServer.Api.Authorization.ResponseTypes;
 using SimpleIdServer.IdServer.Api.Token.Handlers;
+using SimpleIdServer.IdServer.Authenticate.Handlers;
 using SimpleIdServer.IdServer.Config;
 using SimpleIdServer.IdServer.Domains;
 using SimpleIdServer.IdServer.Stores;
@@ -18,7 +20,7 @@
 namespace SimpleIdServer.IdServer.Migrations.Duende;
 
 public class DuendeMigrationService : IMigrationService
-{
+{    
     public string Name => Constants.Name;
     private readonly ConfigurationDbContext _configurationDbcontext;
     private readonly ApplicationDbContext _applicationDbcontext;
@@ -259,11 +261,13 @@ private static Client Map(DuendeClient client, List<Scope> scopes)
             IsConsentDisabled = !client.RequireConsent,
             Scopes = scopes,
             SerializedJsonWebKeys = ResolveSerializedJsonWebKeys(client),
-            ClientSecret = Guid.NewGuid().ToString(),
+            ClientSecret = ResolveClientSecret(client),
             CreateDateTime = client.Created,
             UpdateDateTime = client.Updated ?? client.Created,
             AuthorizationCodeExpirationInSeconds = client.AuthorizationCodeLifetime
         };
+        result.ResponseTypes = ResolveResponseTypes(result.ClientType);
+        result.TokenEndPointAuthMethod = result.ClientType == ClientTypes.MACHINE || result.ClientType == ClientTypes.WEBSITE ? OAuthClientSecretPostAuthenticationHandler.AUTH_METHOD : null;
         result.UpdateClientName(client.ClientName, IdServer.Constants.DefaultLanguage);
         result.UpdateClientUri(client.ClientUri, IdServer.Constants.DefaultLanguage);
         result.UpdateLogoUri(client.LogoUri, IdServer.Constants.DefaultLanguage);
@@ -277,7 +281,6 @@ private static Client Map(DuendeClient client, List<Scope> scopes)
         AllowAccessTokensViaBrowser
         Enabled
         ProtocolType
-        ClientSecrets 
         RequireClientSecret
         Description
         AllowRememberConsent
@@ -350,6 +353,18 @@ private static int ResolveDPOPNonceLifetimeInSeconds(DuendeClient client)
         return (int)client.DPoPClockSkew.TotalSeconds;
     }
 
+    private static string ResolveClientSecret(DuendeClient client)
+    {
+        const string clientSecretType = "SharedSecret";
+        var clientSecret = client.ClientSecrets.FirstOrDefault(s => s.Type == clientSecretType && s.Expiration == null);
+        if (clientSecret == null)
+        {
+            clientSecret = client.ClientSecrets.FirstOrDefault(s => s.Type == clientSecretType && s.Expiration != null && s.Expiration >= DateTime.UtcNow);
+        }
+
+        return clientSecret?.Value ?? Guid.NewGuid().ToString();
+    }
+
     private static UserClaim Map(IdentityUserClaim<string> userClaim)
     {
         return new UserClaim
@@ -445,6 +460,24 @@ private static ClientTypes ResolveClientType(DuendeClient client)
             return ClientTypes.SPA;
         }
 
+        if (!client.RequirePkce && grantTypes.Contains(AuthorizationCodeHandler.GRANT_TYPE))
+        {
+            return ClientTypes.WEBSITE;
+        }
+
         return ClientTypes.MACHINE;
     }
+
+    private static List<string> ResolveResponseTypes(ClientTypes? type)
+    {
+        if (type == null || type == ClientTypes.MACHINE)
+        {
+            return new List<string>();
+        }
+
+        return new List<string>
+        {
+            AuthorizationCodeResponseTypeHandler.RESPONSE_TYPE,
+        };
+    }
 }

src/IdServer/SimpleIdServer.IdServer.Website/Pages/Migrations/Migrations.razor

@@ -54,23 +54,30 @@
                 </RadzenDataGridColumn>
                 <RadzenDataGridColumn Title="@Global.Status" TItem="MigrationExecution" Filterable="false" Sortable="false"  TextAlign="TextAlign.Center">
                     <Template Context="data">
-                        <div style="display: flex;">
+                        <div style="display: flex; justify-content: center">
                             <ul class="stateDig">
-                                <li @onmouseenter="@( _ => ShowStep(extractedElements[data.Name], string.Format(Global.ExtractedScopes, data.TotalMigratedScopes)) )" @onclick="(_ => ShowError(data, MigrationExecutionHistoryTypes.APISCOPES, MigrationExecutionHistoryTypes.IDENTITYSCOPES))" class=@(GetNodeClassName(data, MigrationExecutionHistoryTypes.APISCOPES, MigrationExecutionHistoryTypes.IDENTITYSCOPES))>
-                                    <div @ref=extractedElements[data.Name] class="title">@Global.Scopes</div>
-                                </li>
-                                <li @onmouseenter="@( _ => ShowStep(extractedElements[data.Name], string.Format(Global.ExtractedApiResources, data.TotalMigratedApiResources)) )" @onclick="(_ => ShowError(data, MigrationExecutionHistoryTypes.APIRESOURCES))" class=@(GetNodeClassName(data, MigrationExecutionHistoryTypes.APIRESOURCES))>
-                                    <div class="title">@Global.ApiResources</div>
-                                </li>
-                                <li @onmouseenter="@( _ => ShowStep(extractedElements[data.Name], string.Format(Global.ExtractedClients, data.TotalMigratedApiResources)) )" @onclick="(_ => ShowError(data, MigrationExecutionHistoryTypes.CLIENTS))" class=@(GetNodeClassName(data, MigrationExecutionHistoryTypes.CLIENTS))>
-                                    <div class="title">@Global.Clients</div>
-                                </li>
-                                <li @onmouseenter="@( _ => ShowStep(extractedElements[data.Name], string.Format(Global.ExtractedGroups, data.TotalMigratedGroups)) )" @onclick="(_ => ShowError(data, MigrationExecutionHistoryTypes.GROUPS))" class=@(GetNodeClassName(data, MigrationExecutionHistoryTypes.GROUPS))>
-                                    <div class="title">@Global.Groups</div>
-                                </li>
-                                <li @onmouseenter="@( _ => ShowStep(extractedElements[data.Name], string.Format(Global.ExtractedUsers, data.TotalMigratedUsers)) )" @onclick="(_ => ShowError(data, MigrationExecutionHistoryTypes.USERS))" class=@(GetNodeClassName(data, MigrationExecutionHistoryTypes.USERS))>
-                                    <div class="title">@Global.Users</div>
-                                </li>
+                                @{
+                                    var scopesName = data.Name + "_scopes";
+                                    <li @onmouseenter="@( _ => ShowStep(extractedElements[scopesName], string.Format(Global.ExtractedScopes, data.TotalMigratedScopes)) )" @onclick="(_ => ShowError(data, MigrationExecutionHistoryTypes.APISCOPES, MigrationExecutionHistoryTypes.IDENTITYSCOPES))" class=@(GetNodeClassName(data, MigrationExecutionHistoryTypes.APISCOPES, MigrationExecutionHistoryTypes.IDENTITYSCOPES))>
+                                        <div @ref=extractedElements[scopesName] class="title">@Global.Scopes</div>
+                                    </li>
+                                    var apiResourcesName = data.Name + "_apiresources";
+                                    <li @onmouseenter="@( _ => ShowStep(extractedElements[apiResourcesName], string.Format(Global.ExtractedApiResources, data.TotalMigratedApiResources)) )" @onclick="(_ => ShowError(data, MigrationExecutionHistoryTypes.APIRESOURCES))" class=@(GetNodeClassName(data, MigrationExecutionHistoryTypes.APIRESOURCES))>
+                                        <div @ref=extractedElements[apiResourcesName] class="title">@Global.ApiResources</div>
+                                    </li>
+                                    var clientsName = data.Name + "_clients";
+                                    <li @onmouseenter="@( _ => ShowStep(extractedElements[clientsName], string.Format(Global.ExtractedClients, data.TotalMigratedClients)) )" @onclick="(_ => ShowError(data, MigrationExecutionHistoryTypes.CLIENTS))" class=@(GetNodeClassName(data, MigrationExecutionHistoryTypes.CLIENTS))>
+                                        <div @ref=extractedElements[clientsName] class="title">@Global.Clients</div>
+                                    </li>
+                                    var groupsName = data.Name + "_groups";
+                                    <li @onmouseenter="@( _ => ShowStep(extractedElements[groupsName], string.Format(Global.ExtractedGroups, data.TotalMigratedGroups)) )" @onclick="(_ => ShowError(data, MigrationExecutionHistoryTypes.GROUPS))" class=@(GetNodeClassName(data, MigrationExecutionHistoryTypes.GROUPS))>
+                                        <div @ref=extractedElements[groupsName] class="title">@Global.Groups</div>
+                                    </li>
+                                    var usersName = data.Name + "_users";
+                                    <li @onmouseenter="@( _ => ShowStep(extractedElements[usersName], string.Format(Global.ExtractedUsers, data.TotalMigratedUsers)) )" @onclick="(_ => ShowError(data, MigrationExecutionHistoryTypes.USERS))" class=@(GetNodeClassName(data, MigrationExecutionHistoryTypes.USERS))>
+                                        <div @ref=extractedElements[usersName] class="title">@Global.Users</div>
+                                    </li>
+                                }
                             </ul>
                         </div>
                     </Template>

src/IdServer/SimpleIdServer.IdServer.Website/wwwroot/css/stateDig.css

@@ -49,3 +49,8 @@
     margin: auto;
     width: 20px;
 }
+
+.stateDig > li.node:last-child::after {
+    content: none;
+    border: none;
+}

src/IdServer/SimpleIdServer.IdServer/Authenticate/Handlers/OAuthClientSecretBasicAuthenticationHandler.cs

@@ -1,26 +1,34 @@
 // Copyright (c) SimpleIdServer. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using SimpleIdServer.IdServer.Authenticate.Validations;
 using SimpleIdServer.IdServer.Domains;
 using System;
 using System.Threading;
 using System.Threading.Tasks;
 
-namespace SimpleIdServer.IdServer.Authenticate.Handlers
+namespace SimpleIdServer.IdServer.Authenticate.Handlers;
+
+public class OAuthClientSecretBasicAuthenticationHandler : IOAuthClientAuthenticationHandler
 {
-    public class OAuthClientSecretBasicAuthenticationHandler : IOAuthClientAuthenticationHandler
+    private readonly IClientSecretValidator _clientSecretValidator;
+
+    public OAuthClientSecretBasicAuthenticationHandler(IClientSecretValidator clientSecretValidator) 
     {
-        public OAuthClientSecretBasicAuthenticationHandler() { }
+        _clientSecretValidator = clientSecretValidator;
+    }
 
-        public string AuthMethod => AUTH_METHOD;
-        public const string AUTH_METHOD = "client_secret_basic";
+    public string AuthMethod => AUTH_METHOD;
+    public const string AUTH_METHOD = "client_secret_basic";
 
-        public Task<bool> Handle(AuthenticateInstruction authenticateInstruction, Client client, string expectedIssuer, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_CLIENT)
+    public Task<bool> Handle(AuthenticateInstruction authenticateInstruction, Client client, string expectedIssuer, CancellationToken cancellationToken, string errorCode = ErrorCodes.INVALID_CLIENT)
+    {
+        if (authenticateInstruction == null) throw new ArgumentNullException(nameof(authenticateInstruction));
+        if (client == null) throw new ArgumentNullException(nameof(client));
+        if (string.IsNullOrWhiteSpace(client.ClientSecret))
         {
-            if (authenticateInstruction == null) throw new ArgumentNullException(nameof(authenticateInstruction));
-            if (client == null) throw new ArgumentNullException(nameof(client));
-            if (string.IsNullOrWhiteSpace(client.ClientSecret)) return Task.FromResult(false);
-            var result = string.Compare(client.ClientSecret, authenticateInstruction.ClientSecretFromAuthorizationHeader, StringComparison.CurrentCultureIgnoreCase) == 0;
-            return Task.FromResult(result);
+            return Task.FromResult(false);
         }
+
+        return Task.FromResult(_clientSecretValidator.IsValid(client, authenticateInstruction.ClientSecretFromAuthorizationHeader));
     }
 }

src/IdServer/SimpleIdServer.IdServer/Authenticate/Handlers/OAuthClientSecretPostAuthenticationHandler.cs

@@ -1,5 +1,6 @@
 // Copyright (c) SimpleIdServer. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using SimpleIdServer.IdServer.Authenticate.Validations;
 using SimpleIdServer.IdServer.Domains;
 using System;
 using System.Threading;
@@ -9,7 +10,12 @@ namespace SimpleIdServer.IdServer.Authenticate.Handlers
 {
     public class OAuthClientSecretPostAuthenticationHandler : IOAuthClientAuthenticationHandler
     {
-        public OAuthClientSecretPostAuthenticationHandler() { }
+        private readonly IClientSecretValidator _clientSecretValidator;
+
+        public OAuthClientSecretPostAuthenticationHandler(IClientSecretValidator clientSecretValidator) 
+        {
+            _clientSecretValidator = clientSecretValidator;
+        }
 
         public string AuthMethod => AUTH_METHOD;
         public const string AUTH_METHOD = "client_secret_post";
@@ -18,9 +24,12 @@ public Task<bool> Handle(AuthenticateInstruction authenticateInstruction, Client
         {
             if (authenticateInstruction == null) throw new ArgumentNullException(nameof(authenticateInstruction));
             if (client == null) throw new ArgumentNullException(nameof(client));
-            if (string.IsNullOrWhiteSpace(client.ClientSecret)) return Task.FromResult(false);
-            var result = string.Compare(client.ClientSecret, authenticateInstruction.ClientSecretFromHttpRequestBody, StringComparison.CurrentCultureIgnoreCase) == 0;
-            return Task.FromResult(result);
+            if (string.IsNullOrWhiteSpace(client.ClientSecret))
+            {
+                return Task.FromResult(false);
+            }
+
+            return Task.FromResult(_clientSecretValidator.IsValid(client, authenticateInstruction.ClientSecretFromHttpRequestBody));
         }
     }
 }

src/IdServer/SimpleIdServer.IdServer/Authenticate/Validations/ClientSecretValidator.cs

@@ -0,0 +1,40 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+using SimpleIdServer.IdServer.Domains;
+using System.Collections.Generic;
+
+namespace SimpleIdServer.IdServer.Authenticate.Validations;
+
+public interface IClientSecretValidator
+{
+    bool IsValid(Client client, string clientSecret);
+}
+
+public class ClientSecretValidator : IClientSecretValidator
+{
+    private readonly IEnumerable<IAlgClientSecretValidator> _validators;
+
+    public ClientSecretValidator(IEnumerable<IAlgClientSecretValidator> validators)
+    {
+        _validators = validators;
+    }
+
+    public bool IsValid(Client client, string clientSecret)
+    {
+        if(string.IsNullOrWhiteSpace(clientSecret))
+        {
+            return false;
+        }
+
+        foreach (var validator in _validators)
+        {
+            if (validator.IsValid(client, clientSecret))
+            {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}

src/IdServer/SimpleIdServer.IdServer/Authenticate/Validations/IAlgClientSecretValidator.cs

@@ -0,0 +1,10 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using SimpleIdServer.IdServer.Domains;
+
+namespace SimpleIdServer.IdServer.Authenticate.Validations;
+
+public interface IAlgClientSecretValidator
+{
+    bool IsValid(Client client, string clientSecret);
+}

src/IdServer/SimpleIdServer.IdServer/Authenticate/Validations/PlainTextClientSecretValidator.cs

@@ -0,0 +1,14 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using SimpleIdServer.IdServer.Domains;
+using System;
+
+namespace SimpleIdServer.IdServer.Authenticate.Validations;
+
+public class PlainTextClientSecretValidator : IAlgClientSecretValidator
+{
+    public bool IsValid(Client client, string clientSecret)
+    {
+        return string.Compare(client.ClientSecret, clientSecret, StringComparison.CurrentCultureIgnoreCase) == 0;
+    }
+}

src/IdServer/SimpleIdServer.IdServer/Authenticate/Validations/Sha256ClientSecretValidator.cs

@@ -0,0 +1,13 @@
+// Copyright (c) SimpleIdServer. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+using SimpleIdServer.IdServer.Domains;
+
+namespace SimpleIdServer.IdServer.Authenticate.Validations;
+
+public class Sha256ClientSecretValidator : IAlgClientSecretValidator
+{
+    public bool IsValid(Client client, string clientSecret)
+    {
+        return new ClientSecret(clientSecret).Sha256() == client.ClientSecret;
+    }
+}