From 9849e863705ee2fbe1ac9b29e91cc38f5ecc3178 Mon Sep 17 00:00:00 2001 From: Joe DeCock Date: Fri, 25 Oct 2024 09:37:34 -0500 Subject: [PATCH] Updates for Duende.AspNetCore.Authentication.JwtBearer --- .../docs/content/apis/aspnetcore/confirmation.md | 15 ++++++++++----- IdentityServer/v7/docs/content/samples/misc.md | 2 +- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/IdentityServer/v7/docs/content/apis/aspnetcore/confirmation.md b/IdentityServer/v7/docs/content/apis/aspnetcore/confirmation.md index d632582f..afbec48f 100644 --- a/IdentityServer/v7/docs/content/apis/aspnetcore/confirmation.md +++ b/IdentityServer/v7/docs/content/apis/aspnetcore/confirmation.md @@ -107,8 +107,7 @@ If you are using [DPoP]({{< ref "/tokens/pop/dpop" >}}) for proof-of-possession, In addition to the normal validation mechanics of the access token itself, DPoP requires additional validation of the DPoP proof token sent in the "DPoP" HTTP request header. DPoP proof token processing involves requiring the DPoP scheme on the authorization header where the access token is sent, JWT validation of the proof token, "cnf" claim validation, HTTP method and URL validation, replay detection (which requires some storage for the replay information), nonce generation and validation, additional clock skew logic, and emitting the correct response headers in the case of the various validation errors. -Given that there are no off-the-shelf libraries that implement this, we have developed a full-featured sample implementation. -With this sample the configuration necessary in your startup can be as simple as this: +You can use the *Duende.AspNetCore.Authentication.JwtBearer* NuGet package to implement this validation. With this package, the configuration necessary in your startup can be as simple as this: ```cs // adds the normal JWT bearer validation 
@@ -126,6 +125,12 @@ builder.Services.AddAuthentication("token") builder.Services.ConfigureDPoPTokensForScheme("token"); ``` -You can find this sample [here]({{< ref "/samples/misc#DPoP" >}}). To use the -*ConfigureDPoPTokensForScheme* shown above, copy the *~/Api/DPoP code from the -sample into you APIs. \ No newline at end of file +You will also typically need a distributed cache, used to perform replay detection of DPoP +proofs. Duende.AspNetCore.Authentication.JwtBearer relies on `IDistributedCache` for this, +so you can supply the cache implementation of your choice. See the +[Microsoft documentation](https://learn.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-8.0) +for more details on on setting up distributed caches, along with many examples, including Redis, CosmosDB, and +Sql Server. + +A full sample using the default in memory caching is available +[here](https://github.com/DuendeSoftware/Samples/tree/main/IdentityServer/v7/DPoP). diff --git a/IdentityServer/v7/docs/content/samples/misc.md b/IdentityServer/v7/docs/content/samples/misc.md index 810529fd..f53e4ef5 100644 --- a/IdentityServer/v7/docs/content/samples/misc.md +++ b/IdentityServer/v7/docs/content/samples/misc.md 
@@ -18,7 +18,7 @@ This approach requires DNS entries for *mtls.localhost* and *api.localhost* to r ### DPoP This sample shows how to access APIs using DPoP for [proof of possession]({{}}). It contains two different clients; one that uses client credentials and DPoP tokens, and another that is an interactive ASP.NET Core app using code flow to obtain the DPoP bound tokens. Both clients demonstrate the use of the *Duende.AccessTokenManagement* library with DPoP. -The sample also contains an API with the necessary helper code to accept and validate DPoP bound access tokens. +The sample also contains an API using the *Duende.AspNetCore.Authentication.JwtBearer* library to accept and validate DPoP bound access tokens. [link to source code]({{< param samples_base >}}/DPoP)
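Review bot: in the confirmation.md hunk at `@@ -107,8`, the new sentence introduces the *Duende.AspNetCore.Authentication.JwtBearer* package by name only, with no indication of how a reader adds it to the API project or where its package page lives; since the deleted text used to point at a concrete sample to copy from, the replacement should give an equally concrete starting point, for example an install line such as `dotnet add package Duende.AspNetCore.Authentication.JwtBearer` or a link to the package, placed right before "With this package, the configuration necessary in your startup can be as simple as this:".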
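Review bot: in the confirmation.md hunk at `@@ -126,6`, the new paragraph states that replay detection of DPoP proofs relies on `IDistributedCache`, and the last line then points readers at "a full sample using the default in memory caching" without saying that the in-memory `IDistributedCache` is local to a single process; with that cache a proof replayed against a second API instance is not detected, so the text should state that the in-memory option is for development or single-instance deployments only and that a shared backing store (the Redis, CosmosDB or SQL Server options it already lists) is needed when the API runs on more than one instance. Smaller points in the same lines: "for more details on on setting up" has a doubled "on", "Sql Server" should read "SQL Server", and "default in memory caching" should be hyphenated as "in-memory"; the Microsoft link also pins `view=aspnetcore-8.0`, which is fine as long as that is the framework version the package targets.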
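Review bot: in the misc.md hunk at `@@ -18,7`, the unchanged context line directly above the edit reads `[proof of possession]({{}})`, an empty shortcode that renders as a dead link; since this hunk already touches the DPoP paragraph, it is worth fixing here with the same target used in confirmation.md, `{{< ref "/tokens/pop/dpop" >}}`. In the changed line itself, "DPoP bound access tokens" should be "DPoP-bound access tokens", matching the hyphenation a compound modifier needs (the same applies to "DPoP bound tokens" two sentences earlier).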