From 2721b7c72380695de96fcae6ef4100fac6fdb4eb Mon Sep 17 00:00:00 2001
From: Joe DeCock <josephdecock@gmail.com>
Date: Thu, 16 Oct 2025 15:56:09 -0500
Subject: [PATCH] Update to latest previews of AccessTokenManagement

Also temporarily overriding some versions in JwtBearer to work around circular dependencies (we will return to this after releasing IdentityServer)
---
 Directory.Packages.props                               | 10 +++++-----
 .../AspNetCore.Authentication.JwtBearer.csproj         |  2 +-
 .../DPoP/DPoPExtensions.cs                             |  3 +--
 .../DPoP/DPoPProofValidator.cs                         |  5 ++---
 .../AspNetCore.Authentication.JwtBearer.Tests.csproj   |  5 ++---
 .../DPoP/DPoPProofValidatorTestBase.cs                 |  3 +--
 6 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/Directory.Packages.props b/Directory.Packages.props
index 0f7bfa57a..dcd2e318d 100644
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@@ -42,15 +42,15 @@
     <PackageVersion Include="coverlet.collector" Version="6.0.2" />
     <!-- Added aspire transitive package to resolve package vulnerability -->
     <PackageVersion Include="KubernetesClient" Version="17.0.14" />
-    <PackageVersion Include="Duende.AccessTokenManagement" Version="3.2.0" Condition="'$(IsBffProject)' == 'true'" />
-    <PackageVersion Include="Duende.AccessTokenManagement" Version="4.0.0" Condition="'$(IsBffProject)' != 'true'" />
-    <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="3.2.0" Condition="'$(IsBffProject)' == 'true'" />
-    <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="4.0.0" Condition="'$(IsBffProject)' != 'true'" />
+    <PackageVersion Include="Duende.AccessTokenManagement" Version="3.3.0-preview.1" Condition="'$(IsBffProject)' == 'true'" />
+    <PackageVersion Include="Duende.AccessTokenManagement" Version="4.1.0-preview.2" Condition="'$(IsBffProject)' != 'true'" />
+    <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="3.3.0-preview.1" Condition="'$(IsBffProject)' == 'true'" />
+    <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="4.1.0-preview.2" Condition="'$(IsBffProject)' != 'true'" />
     <!-- <PackageVersion Include="Duende.AccessTokenManagement" Version="4.0.0" />
     <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="4.0.0" /> -->
     <PackageVersion Include="Duende.AspNetCore.Authentication.JwtBearer" Version="0.1.3" />
     <PackageVersion Include="Duende.IdentityModel" Version="8.0.0-preview.1" />
-    <PackageVersion Include="Duende.IdentityModel.OidcClient" Version="6.0.1" />
+    <PackageVersion Include="Duende.IdentityModel.OidcClient" Version="7.0.0-preview.2" />
     <PackageVersion Include="Duende.IdentityServer" Version="7.1.0" />
     <PackageVersion Include="Duende.Private.Licensing" Version="1.0.0" />
     <PackageVersion Include="IdentityModel.AspNetCore.OAuth2Introspection" Version="6.2.0" />
diff --git a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj
index d0d87a42a..5cf525060 100644
--- a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj
+++ b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj
@@ -8,7 +8,7 @@
 
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
-    <PackageReference Include="Duende.IdentityModel" />
+    <PackageReference Include="Duende.IdentityModel" VersionOverride="7.1.0" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPExtensions.cs b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPExtensions.cs
index 097fe4a78..d28c3862b 100644
--- a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPExtensions.cs
+++ b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPExtensions.cs
@@ -1,7 +1,6 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
-using System.Buffers.Text;
 using System.Text.Json;
 using Duende.IdentityModel;
 using Microsoft.AspNetCore.Authentication;
@@ -45,5 +44,5 @@ internal static class DPoPExtensions
     /// <summary>
     /// Create the value of a thumbprint
     /// </summary>
-    public static string CreateThumbprint(this JsonWebKey jwk) => Base64Url.EncodeToString(jwk.ComputeJwkThumbprint());
+    public static string CreateThumbprint(this JsonWebKey jwk) => Base64Url.Encode(jwk.ComputeJwkThumbprint());
 }
diff --git a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidator.cs b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidator.cs
index d80d7a1e4..bad212e01 100644
--- a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidator.cs
+++ b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidator.cs
@@ -1,7 +1,6 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
-using System.Buffers.Text;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
@@ -264,7 +263,7 @@ internal class DPoPProofValidator : IDPoPProofValidator
         var bytes = Encoding.UTF8.GetBytes(context.AccessToken);
         var hash = SHA256.HashData(bytes);
 
-        var accessTokenHash = Base64Url.EncodeToString(hash);
+        var accessTokenHash = Base64Url.Encode(hash);
         if (accessTokenHash != result.AccessTokenHash)
         {
             result.SetError("Invalid 'ath' value.");
@@ -279,7 +278,7 @@ internal class DPoPProofValidator : IDPoPProofValidator
                 return;
             }
             var jtiBytes = Encoding.UTF8.GetBytes(jtiString);
-            result.TokenIdHash = Base64Url.EncodeToString(SHA256.HashData(jtiBytes));
+            result.TokenIdHash = Base64Url.Encode(SHA256.HashData(jtiBytes));
         }
 
         if (string.IsNullOrEmpty(result.TokenIdHash))
diff --git a/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj b/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj
index e9693adfa..0b1f5d96b 100644
--- a/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj
+++ b/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj
@@ -10,12 +10,11 @@
 
   <ItemGroup>
     <PackageReference Include="AngleSharp" />
-    <PackageReference Include="Duende.AccessTokenManagement.OpenIdConnect" />
-    <PackageReference Include="Duende.IdentityModel" />
+    <PackageReference Include="Duende.AccessTokenManagement.OpenIdConnect" VersionOverride="4.0.0"/>
+    <PackageReference Include="Duende.IdentityModel" VersionOverride="7.1.0" />
     <PackageReference Include="Duende.IdentityServer" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" />
     <PackageReference Include="Meziantou.Extensions.Logging.Xunit" />
     <PackageReference Include="Microsoft.Extensions.TimeProvider.Testing" />
     <PackageReference Include="NSubstitute" />
diff --git a/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/DPoPProofValidatorTestBase.cs b/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/DPoPProofValidatorTestBase.cs
index 1947ac9c9..baceb26e4 100644
--- a/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/DPoPProofValidatorTestBase.cs
+++ b/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/DPoPProofValidatorTestBase.cs
@@ -1,7 +1,6 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
-using System.Buffers.Text;
 using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Text;
@@ -20,7 +19,7 @@ public abstract class DPoPProofValidatorTestBase
     {
         ProofValidator = CreateProofValidator();
         var jtiBytes = Encoding.UTF8.GetBytes(TokenId);
-        TokenIdHash = Base64Url.EncodeToString(SHA256.HashData(jtiBytes));
+        TokenIdHash = Base64Url.Encode(SHA256.HashData(jtiBytes));
         Context = new()
         {
             Options = Options,