Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for PAR #1424

Merged
merged 64 commits into from
Oct 24, 2023
Merged

Add support for PAR #1424

merged 64 commits into from
Oct 24, 2023

Conversation

josephdecock
Copy link
Member

No description provided.

@josephdecock
Add PAR to discovery
79f94f6
@josephdecock
Add PAR options object model
1618e71
@josephdecock
PAR endpoint beginnings
cfe2a2d
@josephdecock
Serialize and deserialize parameters into PAR records
c33faf3
@josephdecock
Create client that uses PAR
8524d14
@josephdecock
Create PAR client
09424bb
@josephdecock
Correct PAR responses
bd6c35f
@josephdecock
PAR - validate expiration and binding to client
ac12b35
@josephdecock
PAR client options and cleanup
fa835dd
@josephdecock
Add PAR client to clients sln
afc56c0
@josephdecock
Merge branch 'main' into joe/par
c323b41
@josephdecock
Beginnings of test suite for PAR
b3283e1
@josephdecock
More PAR testing improvement
dbfaa95
@josephdecock
Improve PAR error handling
2142027
@josephdecock
Rename request uri property of validated requests
51ce2e3
@josephdecock
Merge branch 'joe/fluent-assertions-upgrade' into joe/par
dcdb279
@josephdecock
Add FluentAssertions.Web
674baad
@josephdecock
Misc PAR cleanup
d2cff91
@josephdecock
Support JAR + PAR
267e0a1
@josephdecock
hex encode reference values in PAR request uris
8dba504 
This makes the reference value case-insensitive, preventing
theoretical collation issues in data stores that are.
@josephdecock
Validate PAR required global and per-client flag
049c654
@josephdecock
Fix typo
3cdee17
@josephdecock
Merge branch 'main' into joe/par
5988500
@josephdecock
First cut of PAR EF store
7dc7707
@josephdecock
EF host and migrations for PAR
e18a5ec
@josephdecock josephdecock changed the title Joe/par Add support for PAR Sep 21, 2023
@josephdecock josephdecock added this to the 7.0.0 milestone Sep 21, 2023
@josephdecock josephdecock self-assigned this Sep 21, 2023
@josephdecock
Separate PAR and PAR+JAR clients
c844633
@josephdecock
Clean up TODOs
cb9518d
@josephdecock
Add PAR as valid aud in private key jwt
83cf53f 
To conform with https://datatracker.ietf.org/doc/html/rfc9126#name-request:

> the authorization server MUST accept its ... pushed authorization
> request endpoint URL ... as an intended audience.
@josephdecock
Cleanup stale PARs
7503dd8
@josephdecock josephdecock marked this pull request as ready for review October 18, 2023 16:43
@brockallen brockallen marked this pull request as draft October 20, 2023 12:17
@brockallen
Copy link
Member

Hey Joe -- mark this as ready again once you want one final review. Thx.

@josephdecock
Remove unused events service from PAR endpoint
66dab04
@josephdecock
Validate pushed parameters in par validator
51e91c0 
We now call the IAuthorizeRequestValidator from the default PAR
validator. This simplifies the endpoint, and also allows for a
customization of the par validator to control validation of the pushed
parameters.
@josephdecock
Clean up copyright headers
17bb5b8
@josephdecock
Fix a typo
4d8db9c
josephdecock
josephdecock commented Oct 20, 2023
View reviewed changes
src/IdentityServer/Extensions/ValidatedAuthorizeRequestExtensions.cs Outdated
@@ -165,8 +165,9 @@ private static NameValueCollection ToOptimizedRawValues(this ValidatedAuthorizeR
{
// https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests
// requires client id and response type to always be in URL
// REVIEW - Does this apply to pushed requests?
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OIDC requires that when request objects are used, the client pass the client id and response type, in order to make the request a valid oauth request. With PAR, I don't think we need to worry about that, since PAR is an OAuth specification, and the requests we're making are valid PAR requests. In fact, an example in RFC 9126 pushes a request object containing a response_type claim without duplicating the response type outside the request object.

Since OIDC is asking for this duplication in other circumstances in order to be a valid oauth request, and the relevant oauth specification doesn't require it in this circumstance, I'm leaving it out.

@josephdecock
Remove a review note
d5e98ac 
OIDC requires that when request objects are used, the client pass the
client id and response type, in order to make the request a valid oauth
request. With PAR, we don't need to worry about that, since PAR is an
OAuth specification, and the requests we're making are valid PAR
requests. And in fact, an example in RFC 9126 pushes a request object
containing a response_type claim without duplicating the response type
outside the request object.

Since OIDC is asking for this duplication in other circumstances in
order to be a valid oauth request, and the relevant oauth specification
doesn't require it in this circumstance, I'm leaving it out.
@josephdecock josephdecock marked this pull request as ready for review October 20, 2023 20:28
@josephdecock
Copy link
Member Author

josephdecock commented Oct 20, 2023
edited

@brockallen, I've created new issues to track the follow up work on otel (#1445), and to consider cleaning up the ToOptimized... methods (possibly we can deprecate them along with the IAuthorizationParametersMessageStore? (#1444)).

Also, I'm convinced now that we don't need to duplicate the response_type parameter outside the request parameter when we use PAR with JAR. I don't think the special case in ToOptimizedRawValues applies here - see my comment.

@brockallen brockallen merged commit 7b8ec53 into main Oct 24, 2023
5 checks passed
@brockallen brockallen deleted the joe/par branch October 24, 2023 03:24
@brockallen brockallen added the enhancement New feature or request label Oct 24, 2023
@leastprivilege
Copy link
Member

grats! @josephdecock

@josephdecock josephdecock mentioned this pull request Oct 30, 2023
Closed
@josephdecock josephdecock mentioned this pull request Nov 13, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brockallen brockallen brockallen approved these changes

Assignees

@josephdecock josephdecock

Labels
enhancement New feature or request needs_docs release notes done
Projects
None yet
Milestone
7.0.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@josephdecock @brockallen @leastprivilege