OpenID Connect - Validate Discovery Endpoint response

src/HealthChecks.OpenIdConnectServer/DiscoveryEndpointResponse.cs

@@ -0,0 +1,63 @@
+using System.Text.Json.Serialization;
+
+namespace HealthChecks.IdSvr;
+
+internal class DiscoveryEndpointResponse
+{
+    [JsonPropertyName(OidcConstants.ISSUER)]
+    public string Issuer { get; set; } = null!;
+
+    [JsonPropertyName(OidcConstants.AUTHORIZATION_ENDPOINT)]
+    public string AuthorizationEndpoint { get; set; } = null!;
+
+    [JsonPropertyName(OidcConstants.JWKS_URI)]
+    public string JwksUri { get; set; } = null!;
+
+    [JsonPropertyName(OidcConstants.RESPONSE_TYPES_SUPPORTED)]
+    public string[] ResponseTypesSupported { get; set; } = null!;
+
+    [JsonPropertyName(OidcConstants.SUBJECT_TYPES_SUPPORTED)]
+    public string[] SubjectTypesSupported { get; set; } = null!;
+
+    [JsonPropertyName(OidcConstants.ALGORITHMS_SUPPORTED)]
+    public string[] IdTokenSigningAlgValuesSupported { get; set; } = null!;
+
+    /// <summary>
+    /// Validates Discovery response according to the <see href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID specification</see>
+    /// </summary>
+    public void ValidateResponse()
+    {
+        ValidateValue(Issuer, OidcConstants.ISSUER);
+        ValidateValue(AuthorizationEndpoint, OidcConstants.AUTHORIZATION_ENDPOINT);
+        ValidateValue(JwksUri, OidcConstants.JWKS_URI);
+
+        ValidateRequiredValues(ResponseTypesSupported, OidcConstants.RESPONSE_TYPES_SUPPORTED, OidcConstants.REQUIRED_RESPONSE_TYPES);
+        ValidateRequiredValues(SubjectTypesSupported, OidcConstants.SUBJECT_TYPES_SUPPORTED, OidcConstants.REQUIRED_SUBJECT_TYPES);
+        ValidateRequiredValues(IdTokenSigningAlgValuesSupported, OidcConstants.ALGORITHMS_SUPPORTED, OidcConstants.REQUIRED_ALGORITHMS);
+    }
+
+    private static void ValidateValue(string value, string metadata)
+    {
+        if (string.IsNullOrWhiteSpace(value))
+        {
+            throw new ArgumentException(GetMissingValueExceptionMessage(metadata));
+        }
+    }
+
+    private static void ValidateRequiredValues(IEnumerable<string> values, string metadata, string[] requiredValues)
+    {
+        if (values == null || !AnyValueContains(values, requiredValues))
+        {
+            throw new ArgumentException(GetMissingRequiredValuesExceptionMessage(metadata, requiredValues));
+        }
+    }
+
+    private static bool AnyValueContains(string[] values, string[] requiredValues) =>
+        values.Any(v => requiredValues.Contains(v));
+
+    private static string GetMissingValueExceptionMessage(string value) =>
+        $"Invalid discovery response - '{value}' must be set!";
+
+    private static string GetMissingRequiredValuesExceptionMessage(string value, string[] requiredValues) =>
+        $"Invalid discovery response - '{value}' must be one of the following values: {string.Join(",", requiredValues)}!";
+}

src/HealthChecks.OpenIdConnectServer/HealthChecks.OpenIdConnectServer.csproj

@@ -11,6 +11,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Http" Version="7.0.0" />
     <PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="7.0.9" />
+    <PackageReference Include=" System.Net.Http.Json" Version="7.0.1" />
   </ItemGroup>
 
 </Project>

src/HealthChecks.OpenIdConnectServer/IdSvrHealthCheck.cs

@@ -1,3 +1,4 @@
+using System.Net.Http.Json;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 
@@ -27,9 +28,20 @@ public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context
             var httpClient = _httpClientFactory();
             using var response = await httpClient.GetAsync(_discoverConfigurationSegment, HttpCompletionOption.ResponseHeadersRead, cancellationToken).ConfigureAwait(false);
 
-            return response.IsSuccessStatusCode
-                ? HealthCheckResult.Healthy()
-                : new HealthCheckResult(context.Registration.FailureStatus, description: $"Discover endpoint is not responding with 200 OK, the current status is {response.StatusCode} and the content {await response.Content.ReadAsStringAsync().ConfigureAwait(false)}");
+            if (!response.IsSuccessStatusCode)
+            {
+                return new HealthCheckResult(context.Registration.FailureStatus, description: $"Discover endpoint is not responding with 200 OK, the current status is {response.StatusCode} and the content {await response.Content.ReadAsStringAsync().ConfigureAwait(false)}");
+            }
+
+            var discoveryResponse = await response
+                   .Content
+                   .ReadFromJsonAsync<DiscoveryEndpointResponse>()
+                   .ConfigureAwait(false)
+               ?? throw new ArgumentException("Could not deserialize to discovery endpoint response!");
+
+            discoveryResponse.ValidateResponse();
+
+            return HealthCheckResult.Healthy();
         }
         catch (Exception ex)
         {

src/HealthChecks.OpenIdConnectServer/OidcConstants.cs

@@ -0,0 +1,22 @@
+namespace HealthChecks.IdSvr;
+
+internal class OidcConstants
+{
+    internal const string ISSUER = "issuer";
+
+    internal const string AUTHORIZATION_ENDPOINT = "authorization_endpoint";
+
+    internal const string JWKS_URI = "jwks_uri";
+
+    internal const string RESPONSE_TYPES_SUPPORTED = "response_types_supported";
+
+    internal const string SUBJECT_TYPES_SUPPORTED = "subject_types_supported";
+
+    internal const string ALGORITHMS_SUPPORTED = "id_token_signing_alg_values_supported";
+
+    internal static string[] REQUIRED_RESPONSE_TYPES => new[] { "code", "id_token", "token id_token" };
+
+    internal static string[] REQUIRED_SUBJECT_TYPES => new[] { "pairwise", "public" };
+
+    internal static string[] REQUIRED_ALGORITHMS => new[] { "RS256" };
+}