Merge pull request #2248 from DuendeSoftware/jmdc/use-latest

Use latest IdentityModel and AccessTokenManagement packages in JwtBearer, BFF
2026-05-24 09:28:24 +00:00 · 2025-10-17 08:50:14 +02:00 · 2025-10-17 08:50:14 +02:00 · 84f16cfbd7
commit 84f16cfbd7
parent dd3932febd 825c042bcb
9 changed files with 22 additions and 20 deletions
--- a/Directory.Packages.props
+++ b/Directory.Packages.props
@ -42,18 +42,14 @@
    <PackageVersion Include="coverlet.collector" Version="6.0.2" />
    <!-- Added aspire transitive package to resolve package vulnerability -->
    <PackageVersion Include="KubernetesClient" Version="17.0.14" />
-    <PackageVersion Include="Duende.AccessTokenManagement" Version="3.2.0" Condition="'$(IsBffProject)' == 'true'" />
+    <PackageVersion Include="Duende.AccessTokenManagement" Version="3.3.0-preview.1" Condition="'$(IsBffProject)' == 'true'" />
    <PackageVersion Include="Duende.AccessTokenManagement" Version="4.1.0-preview.2" Condition="'$(IsBffProject)' != 'true'" />
-    <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="3.2.0" Condition="'$(IsBffProject)' == 'true'" />
+    <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="3.3.0-preview.1" Condition="'$(IsBffProject)' == 'true'" />
    <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="4.1.0-preview.2" Condition="'$(IsBffProject)' != 'true'" />
-    <!-- <PackageVersion Include="Duende.AccessTokenManagement" Version="4.0.0" />
-    <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="4.0.0" /> -->
    <PackageVersion Include="Duende.AspNetCore.Authentication.JwtBearer" Version="0.1.3" />
-    <PackageVersion Include="Duende.IdentityModel" Version="7.0.0" Condition="'$(IsBffProject)' == 'true'"  />
-    <PackageVersion Include="Duende.IdentityModel" Version="8.0.0-preview.1" Condition="'$(IsBffProject)' != 'true'"  />
-    <PackageVersion Include="Duende.IdentityModel.OidcClient" Version="6.0.1" Condition="'$(IsBffProject)' == 'true'"/>
-    <PackageVersion Include="Duende.IdentityModel.OidcClient" Version="7.0.0-preview.2" Condition="'$(IsBffProject)' != 'true'"/>
-    <PackageVersion Include="Duende.IdentityServer" Version="7.1.0" />
+    <PackageVersion Include="Duende.IdentityModel" Version="8.0.0-preview.1" />
+    <PackageVersion Include="Duende.IdentityModel.OidcClient" Version="7.0.0-preview.2" />
+    <PackageVersion Include="Duende.IdentityServer" Version="7.4.0-preview.2" />
    <PackageVersion Include="Duende.Private.Licensing" Version="1.0.0" />
    <PackageVersion Include="IdentityModel.AspNetCore.OAuth2Introspection" Version="6.2.0" />
    <PackageVersion Include="Meziantou.Extensions.Logging.Xunit" Version="1.0.8" />
--- a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj
+++ b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj
@ -8,7 +8,7 @@

  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
-    <PackageReference Include="Duende.IdentityModel" VersionOverride="7.1.0" />
+    <PackageReference Include="Duende.IdentityModel" />
  </ItemGroup>

  <ItemGroup>
--- a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPExtensions.cs
+++ b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPExtensions.cs
@ -1,6 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.

+using System.Buffers.Text;
 using System.Text.Json;
 using Duende.IdentityModel;
 using Microsoft.AspNetCore.Authentication;
@ -44,5 +45,5 @@ internal static class DPoPExtensions
    /// <summary>
    /// Create the value of a thumbprint
    /// </summary>
-    public static string CreateThumbprint(this JsonWebKey jwk) => Base64Url.Encode(jwk.ComputeJwkThumbprint());
+    public static string CreateThumbprint(this JsonWebKey jwk) => Base64Url.EncodeToString(jwk.ComputeJwkThumbprint());
 }
--- a/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidator.cs
+++ b/aspnetcore-authentication-jwtbearer/src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidator.cs
@ -1,6 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.

+using System.Buffers.Text;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
@ -263,7 +264,7 @@ internal class DPoPProofValidator : IDPoPProofValidator
        var bytes = Encoding.UTF8.GetBytes(context.AccessToken);
        var hash = SHA256.HashData(bytes);

-        var accessTokenHash = Base64Url.Encode(hash);
+        var accessTokenHash = Base64Url.EncodeToString(hash);
        if (accessTokenHash != result.AccessTokenHash)
        {
            result.SetError("Invalid 'ath' value.");
@ -278,7 +279,7 @@ internal class DPoPProofValidator : IDPoPProofValidator
                return;
            }
            var jtiBytes = Encoding.UTF8.GetBytes(jtiString);
-            result.TokenIdHash = Base64Url.Encode(SHA256.HashData(jtiBytes));
+            result.TokenIdHash = Base64Url.EncodeToString(SHA256.HashData(jtiBytes));
        }

        if (string.IsNullOrEmpty(result.TokenIdHash))
--- a/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj
+++ b/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/AspNetCore.Authentication.JwtBearer.Tests.csproj
@ -10,8 +10,8 @@

  <ItemGroup>
    <PackageReference Include="AngleSharp" />
-    <PackageReference Include="Duende.AccessTokenManagement.OpenIdConnect" VersionOverride="4.0.0"/>
-    <PackageReference Include="Duende.IdentityModel" VersionOverride="7.1.0" />
+    <PackageReference Include="Duende.AccessTokenManagement.OpenIdConnect" />
+    <PackageReference Include="Duende.IdentityModel" />
    <PackageReference Include="Duende.IdentityServer" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" />
--- a/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/DPoPProofValidatorTestBase.cs
+++ b/aspnetcore-authentication-jwtbearer/test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/DPoPProofValidatorTestBase.cs
@ -1,6 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.

+using System.Buffers.Text;
 using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Text;
@ -19,7 +20,7 @@ public abstract class DPoPProofValidatorTestBase
    {
        ProofValidator = CreateProofValidator();
        var jtiBytes = Encoding.UTF8.GetBytes(TokenId);
-        TokenIdHash = Base64Url.Encode(SHA256.HashData(jtiBytes));
+        TokenIdHash = Base64Url.EncodeToString(SHA256.HashData(jtiBytes));
        Context = new()
        {
            Options = Options,
--- a/bff/hosts/Hosts.IdentityServer/Pages/Diagnostics/ViewModel.cs
+++ b/bff/hosts/Hosts.IdentityServer/Pages/Diagnostics/ViewModel.cs
@ -1,9 +1,10 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.

+
+using System.Buffers.Text;
 using System.Text;
 using System.Text.Json;
-using Duende.IdentityModel;
 using Microsoft.AspNetCore.Authentication;

 namespace IdentityServerHost.Pages.Diagnostics;
@ -17,7 +18,7 @@ public class ViewModel
        if (result.Properties.Items.ContainsKey("client_list"))
        {
            var encoded = result.Properties.Items["client_list"];
-            var bytes = Base64Url.Decode(encoded);
+            var bytes = Base64Url.DecodeFromChars(encoded);
            var value = Encoding.UTF8.GetString(bytes);

            Clients = JsonSerializer.Deserialize<string[]>(value);
--- a/bff/hosts/RemoteApis/Hosts.RemoteApi.DPoP/DPoP/DPoPExtensions.cs
+++ b/bff/hosts/RemoteApis/Hosts.RemoteApi.DPoP/DPoP/DPoPExtensions.cs
@ -1,6 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.

+using System.Buffers.Text;
 using System.Text.Json;
 using Duende.IdentityModel;
 using Microsoft.AspNetCore.Authentication;
@ -66,7 +67,7 @@ static class DPoPExtensions
    /// </summary>
    public static string CreateThumbprint(this JsonWebKey jwk)
    {
-        var jkt = Base64Url.Encode(jwk.ComputeJwkThumbprint());
+        var jkt = Base64Url.EncodeToString(jwk.ComputeJwkThumbprint());
        return jkt;
    }
 }
--- a/bff/hosts/RemoteApis/Hosts.RemoteApi.DPoP/DPoP/DPoPProofValidator.cs
+++ b/bff/hosts/RemoteApis/Hosts.RemoteApi.DPoP/DPoP/DPoPProofValidator.cs
@ -1,6 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.

+using System.Buffers.Text;
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
@ -226,7 +227,7 @@ public class DPoPProofValidator
            var bytes = Encoding.UTF8.GetBytes(context.AccessToken);
            var hash = sha.ComputeHash(bytes);

-            var accessTokenHash = Base64Url.Encode(hash);
+            var accessTokenHash = Base64Url.EncodeToString(hash);
            if (accessTokenHash != result.AccessTokenHash)
            {
                result.IsError = true;