openiddict · kevinchalet · May 12, 2024 · May 10, 2024 · May 10, 2024 · May 10, 2024
diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthorizationController.cs b/sandbox/OpenIddict.Sandbox.AspNet.Server/Controllers/AuthorizationController.cs
@@ -14,10 +14,12 @@
 using System.Web.Mvc;
 using Microsoft.AspNet.Identity;
 using Microsoft.AspNet.Identity.Owin;
+using Microsoft.Extensions.Options;
 using Microsoft.Owin.Security;
 using OpenIddict.Abstractions;
 using OpenIddict.Client;
 using OpenIddict.Client.Owin;
+using OpenIddict.Core;
 using OpenIddict.Sandbox.AspNet.Server.Helpers;
 using OpenIddict.Sandbox.AspNet.Server.ViewModels.Authorization;
 using OpenIddict.Server.Owin;
@@ -32,17 +34,20 @@
         private readonly IOpenIddictAuthorizationManager _authorizationManager;
         private readonly OpenIddictClientService _clientService;
         private readonly IOpenIddictScopeManager _scopeManager;
+        private readonly IOptionsSnapshot<OpenIddictCoreOptions> _openIddictCoreOptions;
 
         public AuthorizationController(
             IOpenIddictApplicationManager applicationManager,
             IOpenIddictAuthorizationManager authorizationManager,
             OpenIddictClientService clientService,
-            IOpenIddictScopeManager scopeManager)
+            IOpenIddictScopeManager scopeManager,
+            IOptionsSnapshot<OpenIddictCoreOptions> openIddictCoreOptions)
         {
             _applicationManager = applicationManager;
             _authorizationManager = authorizationManager;
             _clientService = clientService;
             _scopeManager = scopeManager;
+            _openIddictCoreOptions = openIddictCoreOptions;
         }
 
         [HttpGet, Route("~/connect/authorize")]
@@ -57,7 +62,7 @@
             // If the user principal can't be extracted or the cookie is too old, redirect the user to the login page.
             var result = await context.Authentication.AuthenticateAsync(DefaultAuthenticationTypes.ApplicationCookie);
             if (result?.Identity == null || (request.MaxAge != null && result.Properties?.IssuedUtc != null &&
-                DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value)))
+                _openIddictCoreOptions.Value.GetUtcNow() - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value)))
             {
                 // For applications that want to allow the client to select the external authentication provider
                 // that will be used to authenticate the user, the identity_provider parameter can be used for that.

diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthorizationController.cs b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Controllers/AuthorizationController.cs
@@ -11,11 +11,13 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Options;
 using Microsoft.Extensions.Primitives;
 using Microsoft.IdentityModel.Tokens;
 using OpenIddict.Abstractions;
 using OpenIddict.Client;
 using OpenIddict.Client.AspNetCore;
+using OpenIddict.Core;
 using OpenIddict.Sandbox.AspNetCore.Server.Helpers;
 using OpenIddict.Sandbox.AspNetCore.Server.Models;
 using OpenIddict.Sandbox.AspNetCore.Server.ViewModels.Authorization;
@@ -32,21 +34,24 @@ public class AuthorizationController : Controller
     private readonly IOpenIddictScopeManager _scopeManager;
     private readonly SignInManager<ApplicationUser> _signInManager;
     private readonly UserManager<ApplicationUser> _userManager;
+    private readonly IOptionsSnapshot<OpenIddictCoreOptions> _openIddictCoreOptions;
 
     public AuthorizationController(
         IOpenIddictApplicationManager applicationManager,
         IOpenIddictAuthorizationManager authorizationManager,
         OpenIddictClientService clientService,
         IOpenIddictScopeManager scopeManager,
         SignInManager<ApplicationUser> signInManager,
-        UserManager<ApplicationUser> userManager)
+        UserManager<ApplicationUser> userManager,
+        IOptionsSnapshot<OpenIddictCoreOptions> openIddictCoreOptions)
     {
         _applicationManager = applicationManager;
         _authorizationManager = authorizationManager;
         _clientService = clientService;
         _scopeManager = scopeManager;
         _signInManager = signInManager;
         _userManager = userManager;
+        _openIddictCoreOptions = openIddictCoreOptions;
     }
 
     #region Authorization code, implicit and hybrid flows
@@ -73,7 +78,13 @@ public async Task<IActionResult> Authorize()
         var result = await HttpContext.AuthenticateAsync();
         if (result == null || !result.Succeeded || request.HasPrompt(Prompts.Login) ||
            (request.MaxAge != null && result.Properties?.IssuedUtc != null &&
-            DateTimeOffset.UtcNow - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value)))
+            (
+#if SUPPORTS_TIME_PROVIDER
+                _openIddictCoreOptions.Value.TimeProvider?.GetUtcNow() ??
+#endif
+                DateTimeOffset.UtcNow
+            )
+            - result.Properties.IssuedUtc > TimeSpan.FromSeconds(request.MaxAge.Value)))
         {
             // If the client application requested promptless authentication,
             // return an error indicating that the user is not logged in.

diff --git a/src/OpenIddict.Client/OpenIddictClientBuilder.cs b/src/OpenIddict.Client/OpenIddictClientBuilder.cs
@@ -193,13 +193,24 @@ public OpenIddictClientBuilder AddDevelopmentEncryptionCertificate()
     /// </summary>
     /// <param name="subject">The subject name associated with the certificate.</param>
     /// <returns>The <see cref="OpenIddictClientBuilder"/> instance.</returns>
-    public OpenIddictClientBuilder AddDevelopmentEncryptionCertificate(X500DistinguishedName subject)
+    public OpenIddictClientBuilder AddDevelopmentEncryptionCertificate(X500DistinguishedName subject) =>
+        AddDevelopmentEncryptionCertificate(subject, DateTimeOffset.UtcNow);
+
+    /// <summary>
+    /// Registers (and generates if necessary) a user-specific development encryption certificate.
+    /// </summary>
+    /// <param name="subject">The subject name associated with the certificate.</param>
+    /// <param name="notBefore">The NotBefore of the certificate.</param>
+    /// <returns>The <see cref="OpenIddictClientBuilder"/> instance.</returns>
+    public OpenIddictClientBuilder AddDevelopmentEncryptionCertificate(X500DistinguishedName subject, DateTimeOffset notBefore)
     {
         if (subject is null)
         {
             throw new ArgumentNullException(nameof(subject));
         }
 
+        var notBeforeDateTime = notBefore.DateTime;
+
         using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
         store.Open(OpenFlags.ReadWrite);
 
@@ -209,15 +220,15 @@ public OpenIddictClientBuilder AddDevelopmentEncryptionCertificate(X500Distingui
             .OfType<X509Certificate2>()
             .ToList();
 
-        if (!certificates.Exists(static certificate => certificate.NotBefore < DateTime.Now && certificate.NotAfter > DateTime.Now))
+        if (!certificates.Exists(certificate => certificate.NotBefore < notBeforeDateTime && certificate.NotAfter > notBeforeDateTime))
         {
 #if SUPPORTS_CERTIFICATE_GENERATION
             using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
 
             var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
             request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.KeyEncipherment, critical: true));
 
-            var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
+            var certificate = request.CreateSelfSigned(notBeforeDateTime, notBeforeDateTime.AddYears(2));
 
             // Note: setting the friendly name is not supported on Unix machines (including Linux and macOS).
             // To ensure an exception is not thrown by the property setter, an OS runtime check is used here.
@@ -556,13 +567,24 @@ public OpenIddictClientBuilder AddDevelopmentSigningCertificate()
     /// </summary>
     /// <param name="subject">The subject name associated with the certificate.</param>
     /// <returns>The <see cref="OpenIddictClientBuilder"/> instance.</returns>
-    public OpenIddictClientBuilder AddDevelopmentSigningCertificate(X500DistinguishedName subject)
+    public OpenIddictClientBuilder AddDevelopmentSigningCertificate(X500DistinguishedName subject) =>
+        AddDevelopmentSigningCertificate(subject, DateTimeOffset.UtcNow);
+
+    /// <summary>
+    /// Registers (and generates if necessary) a user-specific development signing certificate.
+    /// </summary>
+    /// <param name="subject">The subject name associated with the certificate.</param>
+    /// <param name="notBefore">The NotBefore of the certificate.</param>
+    /// <returns>The <see cref="OpenIddictClientBuilder"/> instance.</returns>
+    public OpenIddictClientBuilder AddDevelopmentSigningCertificate(X500DistinguishedName subject, DateTimeOffset notBefore)
     {
         if (subject is null)
         {
             throw new ArgumentNullException(nameof(subject));
         }
 
+        var notBeforeDateTime = notBefore.DateTime;
+
         using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
         store.Open(OpenFlags.ReadWrite);
 
@@ -572,15 +594,15 @@ public OpenIddictClientBuilder AddDevelopmentSigningCertificate(X500Distinguishe
             .OfType<X509Certificate2>()
             .ToList();
 
-        if (!certificates.Exists(static certificate => certificate.NotBefore < DateTime.Now && certificate.NotAfter > DateTime.Now))
+        if (!certificates.Exists(certificate => certificate.NotBefore < notBeforeDateTime && certificate.NotAfter > notBeforeDateTime))
         {
 #if SUPPORTS_CERTIFICATE_GENERATION
             using var algorithm = OpenIddictHelpers.CreateRsaKey(size: 2048);
 
             var request = new CertificateRequest(subject, algorithm, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
             request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
 
-            var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(2));
+            var certificate = request.CreateSelfSigned(notBeforeDateTime, notBeforeDateTime.AddYears(2));
 
             // Note: setting the friendly name is not supported on Unix machines (including Linux and macOS).
             // To ensure an exception is not thrown by the property setter, an OS runtime check is used here.

diff --git a/src/OpenIddict.Client/OpenIddictClientConfiguration.cs b/src/OpenIddict.Client/OpenIddictClientConfiguration.cs
@@ -44,6 +44,13 @@ public void PostConfigure(string? name, OpenIddictClientOptions options)
             throw new InvalidOperationException(SR.GetResourceString(SR.ID0075));
         }
 
+#if SUPPORTS_TIME_PROVIDER
+        if (options.TimeProvider is null)
+        {
+            options.TimeProvider = TimeProvider.System;
+        }
+#endif
+
         foreach (var registration in options.Registrations)
         {
             if (registration.Issuer is null)
@@ -212,9 +219,17 @@ public void PostConfigure(string? name, OpenIddictClientOptions options)
         // Sort the handlers collection using the order associated with each handler.
         options.Handlers.Sort((left, right) => left.Order.CompareTo(right.Order));
 
+        var now = (
+#if SUPPORTS_TIME_PROVIDER
+                options.TimeProvider?.GetUtcNow() ??
+#endif
+                DateTimeOffset.UtcNow
+            )
+            .DateTime;
+
         // Sort the encryption and signing credentials.
-        options.EncryptionCredentials.Sort((left, right) => Compare(left.Key, right.Key));
-        options.SigningCredentials.Sort((left, right) => Compare(left.Key, right.Key));
+        options.EncryptionCredentials.Sort((left, right) => Compare(left.Key, right.Key, now));
+        options.SigningCredentials.Sort((left, right) => Compare(left.Key, right.Key, now));
 
         // Generate a key identifier for the encryption/signing keys that don't already have one.
         foreach (var key in options.EncryptionCredentials.Select(credentials => credentials.Key)
@@ -234,7 +249,7 @@ public void PostConfigure(string? name, OpenIddictClientOptions options)
             from credentials in options.EncryptionCredentials
             select credentials.Key;
 
-        static int Compare(SecurityKey left, SecurityKey right) => (left, right) switch
+        static int Compare(SecurityKey left, SecurityKey right, DateTime now) => (left, right) switch
         {
             // If the two keys refer to the same instances, return 0.
             (SecurityKey first, SecurityKey second) when ReferenceEquals(first, second) => 0,
@@ -245,8 +260,8 @@ public void PostConfigure(string? name, OpenIddictClientOptions options)
             (SecurityKey, SymmetricSecurityKey) => 1,
 
             // If one of the keys is backed by a X.509 certificate, don't prefer it if it's not valid yet.
-            (X509SecurityKey first, SecurityKey)  when first.Certificate.NotBefore  > DateTime.Now => 1,
-            (SecurityKey, X509SecurityKey second) when second.Certificate.NotBefore > DateTime.Now => -1,
+            (X509SecurityKey first, SecurityKey)  when first.Certificate.NotBefore  > now => 1,
+            (SecurityKey, X509SecurityKey second) when second.Certificate.NotBefore > now => -1,
 
             // If the two keys are backed by a X.509 certificate, prefer the one with the furthest expiration date.
             (X509SecurityKey first, X509SecurityKey second) => -first.Certificate.NotAfter.CompareTo(second.Certificate.NotAfter),

diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.Introspection.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.Introspection.cs
@@ -295,7 +295,11 @@ public ValueTask HandleAsync(HandleIntrospectionResponseContext context)
                 if (long.TryParse((string?) context.Response[Claims.ExpiresAt],
                     NumberStyles.Integer, CultureInfo.InvariantCulture, out var value) &&
                     DateTimeOffset.FromUnixTimeSeconds(value) is DateTimeOffset date &&
-                    date.Add(context.Registration.TokenValidationParameters.ClockSkew) < DateTimeOffset.UtcNow)
+                    date.Add(context.Registration.TokenValidationParameters.ClockSkew) < (
+#if SUPPORTS_TIME_PROVIDER
+                        context.Options.TimeProvider?.GetUtcNow() ??
+#endif
+                        DateTimeOffset.UtcNow))
                 {
                     context.Reject(
                         error: Errors.ServerError,

diff --git a/src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs b/src/OpenIddict.Client/OpenIddictClientHandlers.Protection.cs
@@ -653,7 +653,11 @@ public ValueTask HandleAsync(ValidateTokenContext context)
                 Debug.Assert(context.Principal is { Identity: ClaimsIdentity }, SR.GetResourceString(SR.ID4006));
 
                 var date = context.Principal.GetExpirationDate();
-                if (date.HasValue && date.Value.Add(context.TokenValidationParameters.ClockSkew) < DateTimeOffset.UtcNow)
+                if (date.HasValue && date.Value.Add(context.TokenValidationParameters.ClockSkew) < (
+#if SUPPORTS_TIME_PROVIDER
+                        context.Options.TimeProvider?.GetUtcNow() ??
+#endif
+                        DateTimeOffset.UtcNow))
                 {
                     context.Reject(
                         error: Errors.InvalidToken,