Merge pull request #1213 from DuendeSoftware/brock/proofs-cleanup

small DPoP proof cleanup
DuendeSoftware · Mar 17, 2023 · 695381e · 695381e
2 parents 7f47940 + 2ab917a
commit 695381e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 19 deletions.
diff --git a/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs b/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs
@@ -228,12 +228,6 @@ protected virtual async Task<TokenResponse> ProcessRefreshTokenRequestAsync(Toke
             accessToken.CreationTime = Clock.UtcNow.UtcDateTime;
             accessToken.Lifetime = request.ValidatedRequest.AccessTokenLifetime;
 
-            // update legacy data record with proof type
-            if (request.ValidatedRequest.RefreshToken.ProofType == null)
-            {
-                request.ValidatedRequest.RefreshToken.ProofType = request.ValidatedRequest.ProofType;
-                mustUpdate = true; // to update the DB below
-            }
             // always take the current request confirmation values (this would be because the proof token changed from last time)
             if (request.ValidatedRequest.Confirmation.IsPresent() && accessToken.Confirmation != request.ValidatedRequest.Confirmation)
             {

diff --git a/src/IdentityServer/Validation/Default/TokenRequestValidator.cs b/src/IdentityServer/Validation/Default/TokenRequestValidator.cs
@@ -676,12 +676,13 @@ private async Task<TokenRequestValidationResult> ValidateRefreshTokenRequestAsyn
         // proof of possession
         //////////////////////////////////////////////////////////
         var priorProofType = result.RefreshToken.ProofType ?? ProofType.None;
+        ProofKeyThumbprint[] proofs = null;
 
         // legacy record check (pre-6.3 before ProofType was added to the RefreshToken)
         if (result.RefreshToken.ProofType == null && result.RefreshToken.ContainsCnfValues())
         {
             // we need to extract the certificate / confirmation data from the tokens
-            var proofs = result.RefreshToken.GetProofKeyThumbprints();
+            proofs ??= result.RefreshToken.GetProofKeyThumbprints();
             if (proofs.Any())
             {
                 // many different access tokens using diff pop mechanisms. the assumption is that they are all the same
@@ -727,20 +728,22 @@ private async Task<TokenRequestValidationResult> ValidateRefreshTokenRequestAsyn
         // confidential clients are allowed to pass a new DPoP proof
         if (priorProofType != ProofType.None && !_validatedRequest.Client.RequireClientSecret)
         {
-            var proofs = result.RefreshToken.GetProofKeyThumbprints();
-
-            var thumbprint = proofs.First().Thumbprint;
-            if (_validatedRequest.ProofKeyThumbprint != thumbprint)
+            proofs ??= result.RefreshToken.GetProofKeyThumbprints();
+            if (proofs.Any())
             {
-                if (_validatedRequest.ProofType == ProofType.ClientCertificate)
-                {
-                    LogError("The client certificate in the refresh token request does not match the original used.");
-                    return Invalid(OidcConstants.TokenErrors.InvalidRequest, "The client certificate in the refresh token request does not match the original used.");
-                }
-                if (_validatedRequest.ProofType == ProofType.DPoP)
+                var thumbprint = proofs.First().Thumbprint;
+                if (_validatedRequest.ProofKeyThumbprint != thumbprint)
                 {
-                    LogError("The DPoP proof token in the refresh token request does not match the original used.");
-                    return Invalid(OidcConstants.TokenErrors.InvalidDPoPProof, "The DPoP proof token in the refresh token request does not match the original used.");
+                    if (_validatedRequest.ProofType == ProofType.ClientCertificate)
+                    {
+                        LogError("The client certificate in the refresh token request does not match the original used.");
+                        return Invalid(OidcConstants.TokenErrors.InvalidRequest, "The client certificate in the refresh token request does not match the original used.");
+                    }
+                    if (_validatedRequest.ProofType == ProofType.DPoP)
+                    {
+                        LogError("The DPoP proof token in the refresh token request does not match the original used.");
+                        return Invalid(OidcConstants.TokenErrors.InvalidDPoPProof, "The DPoP proof token in the refresh token request does not match the original used.");
+                    }
                 }
             }
         }