Merge pull request #232 from petrsnd/feature/225-stj-conversion-for-aot

Migrate from Newtonsoft.Json to System.Text.Json

Author: petrsnd

.agents/skills/testing-guide/SKILL.md

@@ -286,3 +286,28 @@ correctly.
 5. **Test both modes when applicable.** The PKCE test suite supports two modes:
    - **Standard mode** (no `TotpSeed`): Runs login success + error tests
    - **MFA mode** (`TotpSeed` provided): Runs only the TOTP success test
+
+## Suite interactivity classification
+
+All suites are designed to run **non-interactively** (no human input during execution).
+Suites that test browser or device-code flows use timeouts and error paths to validate
+the flow starts correctly without requiring a human to complete authentication.
+
+| Suite | Requires | Notes |
+|---|---|---|
+| SpsIntegration | SPS appliance (`-SpsAppliance`, `-SpsPassword`) | Only suite needing separate infrastructure |
+| BrowserAuthentication | Nothing extra | Tests error paths + verifies listener starts (timeout expected) |
+| DeviceCodeAuthentication | Nothing extra | Tests grant toggle + verifies device code issued (timeout expected) |
+| A2A* suites | Nothing extra | Creates own certs, users, registrations via setup |
+| CertificateAuth | Nothing extra | Uses embedded test certificates |
+| Streaming | Nothing extra | Tests streaming download paths |
+| All others | Nothing extra | Standard password/PKCE auth against appliance |
+
+**When running a full regression**, exclude only `SpsIntegration` (unless an SPS appliance
+is available):
+
+```powershell
+pwsh -File Test\TestFramework\Invoke-SafeguardTests.ps1 `
+    -Appliance <address> -AdminPassword <password> -SkipBuild `
+    -ExcludeSuite SpsIntegration
+```

Directory.Build.props

@@ -2,6 +2,7 @@
   <PropertyGroup>
     <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
+    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="StyleCop.Analyzers" Version="1.2.0-beta.556" PrivateAssets="all" />

SafeguardDotNet.Core.sln

@@ -54,6 +54,8 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "pipeline-templates", "pipel
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SafeguardDotNetUnitTest", "Test\SafeguardDotNetUnitTest\SafeguardDotNetUnitTest.csproj", "{1B11B367-2F76-49EE-A820-2A0A8B1721B1}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SafeguardDotNet.SerializationTests", "Test\SafeguardDotNet.SerializationTests\SafeguardDotNet.SerializationTests.csproj", "{F5591287-9C28-4778-951A-31F6A6766B63}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -112,6 +114,10 @@ Global
 		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{1B11B367-2F76-49EE-A820-2A0A8B1721B1}.Release|Any CPU.Build.0 = Release|Any CPU
+		{F5591287-9C28-4778-951A-31F6A6766B63}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{F5591287-9C28-4778-951A-31F6A6766B63}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{F5591287-9C28-4778-951A-31F6A6766B63}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{F5591287-9C28-4778-951A-31F6A6766B63}.Release|Any CPU.Build.0 = Release|Any CPU
 		{6802F7A9-CD3D-4608-9EEC-C98636DA2708}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{6802F7A9-CD3D-4608-9EEC-C98636DA2708}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{6802F7A9-CD3D-4608-9EEC-C98636DA2708}.Release|Any CPU.ActiveCfg = Release|Any CPU
@@ -137,6 +143,7 @@ Global
 		{20D9ED51-6852-44FC-A413-5EC7631139F9} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 		{1EB6D64D-7AFB-41DC-B11B-58934D053684} = {9249E337-656D-4970-B45C-7A077C56FA44}
 		{1B11B367-2F76-49EE-A820-2A0A8B1721B1} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
+		{F5591287-9C28-4778-951A-31F6A6766B63} = {DD89D86B-68DA-4EB0-8EBC-60DE3DC2B084}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {5A3B2C1D-4E6F-7A8B-9C0D-1E2F3A4B5C6D}

SafeguardDotNet.DeviceCodeLogin/DeviceCodeLogin.cs

@@ -6,12 +6,10 @@ namespace OneIdentity.SafeguardDotNet.DeviceCodeLogin;
 using System.Net.Http;
 using System.Security;
 using System.Text;
+using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
 
-using Newtonsoft.Json;
-using Newtonsoft.Json.Linq;
-
 using Serilog;
 
 /// <summary>
@@ -81,7 +79,7 @@ public static async Task<ISafeguardConnection> ConnectAsync(
         Log.Debug("Requesting device authorization from {Appliance}", appliance);
 
         var deviceAuthUrl = $"https://{appliance}/RSTS/oauth2/DeviceLogin";
-        var requestBody = JsonConvert.SerializeObject(new { client_id = clientId, scope });
+        var requestBody = JsonSerializer.Serialize(new { client_id = clientId, scope });
         var content = new StringContent(requestBody, Encoding.UTF8, "application/json");
 
         HttpResponseMessage response;
@@ -105,12 +103,13 @@ public static async Task<ISafeguardConnection> ConnectAsync(
                 responseBody);
         }
 
-        var deviceResponse = JObject.Parse(responseBody);
-        var deviceCode = deviceResponse["device_code"]?.ToString();
-        var userCode = deviceResponse["user_code"]?.ToString();
-        var verificationUri = deviceResponse["verification_uri"]?.ToString();
-        var verificationUriComplete = deviceResponse["verification_uri_complete"]?.ToString();
-        var expiresIn = deviceResponse["expires_in"]?.Value<int>() ?? 300;
+        using var deviceResponse = JsonDocument.Parse(responseBody);
+        var deviceRoot = deviceResponse.RootElement;
+        var deviceCode = deviceRoot.TryGetProperty("device_code", out var dcEl) ? dcEl.GetString() : null;
+        var userCode = deviceRoot.TryGetProperty("user_code", out var ucEl) ? ucEl.GetString() : null;
+        var verificationUri = deviceRoot.TryGetProperty("verification_uri", out var vuEl) ? vuEl.GetString() : null;
+        var verificationUriComplete = deviceRoot.TryGetProperty("verification_uri_complete", out var vucEl) ? vucEl.GetString() : null;
+        var expiresIn = deviceRoot.TryGetProperty("expires_in", out var eiEl) && eiEl.TryGetInt32(out var eiVal) ? eiVal : 300;
 
         // Step 2: Display to user via callback
         parameters.DisplayCallback(new DeviceCodeInfo
@@ -135,7 +134,7 @@ public static async Task<ISafeguardConnection> ConnectAsync(
 
             await Task.Delay(TimeSpan.FromSeconds(intervalSeconds), cancellationToken).ConfigureAwait(false);
 
-            var pollBody = JsonConvert.SerializeObject(new
+            var pollBody = JsonSerializer.Serialize(new
             {
                 grant_type = "urn:ietf:params:oauth:grant-type:device_code",
                 device_code = deviceCode,
@@ -144,15 +143,18 @@ public static async Task<ISafeguardConnection> ConnectAsync(
             var pollContent = new StringContent(pollBody, Encoding.UTF8, "application/json");
             var pollResponse = await http.PostAsync(tokenUrl, pollContent, cancellationToken).ConfigureAwait(false);
             var pollResponseBody = await pollResponse.Content.ReadAsStringAsync().ConfigureAwait(false);
-            var pollJson = JObject.Parse(pollResponseBody);
+            using var pollJson = JsonDocument.Parse(pollResponseBody);
+
+            var pollRoot = pollJson.RootElement;
 
             if (pollResponse.IsSuccessStatusCode)
             {
-                rstsAccessToken = pollJson["access_token"]?.ToString().ToSecureString();
+                var accessTokenValue = pollRoot.TryGetProperty("access_token", out var atEl) ? atEl.GetString() : null;
+                rstsAccessToken = accessTokenValue?.ToSecureString();
                 break;
             }
 
-            var error = pollJson["error"]?.ToString();
+            var error = pollRoot.TryGetProperty("error", out var errEl) ? errEl.GetString() : null;
             switch (error)
             {
                 case "authorization_pending":

SafeguardDotNet.DeviceCodeLogin/README.md

@@ -91,7 +91,7 @@ using var connection = await DeviceCodeLogin.ConnectAsync(
 
 - SafeguardDotNet (core SDK)
 - Serilog (logging)
-- Newtonsoft.Json
+- System.Text.Json (via SafeguardDotNet)
 
 ## Testing
 

SafeguardDotNet.DeviceCodeLogin/SafeguardDotNet.DeviceCodeLogin.csproj

@@ -38,7 +38,6 @@
 
   <ItemGroup>
     <PackageReference Include="Serilog" Version="4.3.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
   </ItemGroup>
 
   <ItemGroup>

SafeguardDotNet.GuiLogin/README.md

@@ -75,7 +75,6 @@ The dialog handles all OAuth flow details automatically.
 This package uses `.nuspec` packaging to support .NET Framework 4.8.1 dependencies and framework assemblies:
 - System.Windows.Forms
 - System.Web
-- Newtonsoft.Json
 - Serilog
 
 ## Related Packages

SafeguardDotNet.GuiLogin/SafeguardDotNet.GuiLogin.csproj

@@ -59,9 +59,6 @@
     <PackageReference Include="Microsoft.Web.WebView2">
       <Version>1.0.3179.45</Version>
     </PackageReference>
-    <PackageReference Include="Newtonsoft.Json">
-      <Version>13.0.4</Version>
-    </PackageReference>
     <PackageReference Include="Serilog">
       <Version>4.3.0</Version>
     </PackageReference>

SafeguardDotNet.GuiLogin/SafeguardDotNet.GuiLogin.nuspec

@@ -17,7 +17,6 @@
     <tags>safeguard credentials vault sdk</tags>
     <dependencies>
       <group targetFramework=".NETFramework4.8.1">
-        <dependency id="Newtonsoft.Json" version="(13.0.3, )" />
         <dependency id="Serilog" version="(3.0.1, )" />
       </group>
     </dependencies>

SafeguardDotNet.PkceNoninteractiveLogin/PkceNoninteractiveLogin.cs

@@ -10,12 +10,11 @@ namespace OneIdentity.SafeguardDotNet.PkceNoninteractiveLogin;
 using System.Net.Http;
 using System.Security;
 using System.Text;
+using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
 using System.Web;
 
-using Newtonsoft.Json.Linq;
-
 using Serilog;
 
 /// <summary>
@@ -217,30 +216,34 @@ private static async Task HandleSecondaryAuthenticationAsync(
         SecureString secondaryPassword,
         CancellationToken cancellationToken)
     {
-        JObject primaryResponse;
+        JsonDocument primaryResponse;
         try
         {
-            primaryResponse = JObject.Parse(primaryAuthBody);
+            primaryResponse = JsonDocument.Parse(primaryAuthBody);
         }
         catch
         {
             return; // Non-JSON response means no secondary auth info
         }
 
-        var secondaryProviderId = primaryResponse["SecondaryProviderID"]?.ToString();
-
-        if (string.IsNullOrEmpty(secondaryProviderId))
+        using (primaryResponse)
         {
-            return; // No MFA required
-        }
+            var root = primaryResponse.RootElement;
+            var secondaryProviderId = root.TryGetProperty("SecondaryProviderID", out var spId) ? spId.GetString() : null;
 
-        Log.Debug("Secondary authentication required, provider: {SecondaryProviderId}", secondaryProviderId);
+            if (string.IsNullOrEmpty(secondaryProviderId))
+            {
+                return; // No MFA required
+            }
 
-        if (secondaryPassword == null)
-        {
-            throw new SafeguardDotNetException(
-                $"Multi-factor authentication is required (provider: {secondaryProviderId}) " +
-                "but no secondary password was provided. Use the secondaryPassword parameter to supply the one-time code.");
+            Log.Debug("Secondary authentication required, provider: {SecondaryProviderId}", secondaryProviderId);
+
+            if (secondaryPassword == null)
+            {
+                throw new SafeguardDotNetException(
+                    $"Multi-factor authentication is required (provider: {secondaryProviderId}) " +
+                    "but no secondary password was provided. Use the secondaryPassword parameter to supply the one-time code.");
+            }
         }
 
         cancellationToken.ThrowIfCancellationRequested();
@@ -255,9 +258,10 @@ private static async Task HandleSecondaryAuthenticationAsync(
         {
             try
             {
-                var initResponse = JObject.Parse(initBody);
-                mfaState = initResponse["State"]?.ToString() ?? string.Empty;
-                var mfaMessage = initResponse["Message"]?.ToString();
+                using var initResponse = JsonDocument.Parse(initBody);
+                var initRoot = initResponse.RootElement;
+                mfaState = initRoot.TryGetProperty("State", out var stateEl) ? stateEl.GetString() ?? string.Empty : string.Empty;
+                var mfaMessage = initRoot.TryGetProperty("Message", out var msgEl) ? msgEl.GetString() : null;
                 if (!string.IsNullOrEmpty(mfaMessage))
                 {
                     Log.Debug("MFA prompt: {Message}", mfaMessage);
@@ -286,8 +290,8 @@ private static async Task HandleSecondaryAuthenticationAsync(
             var errorMessage = "Secondary authentication failed.";
             try
             {
-                var mfaResponse = JObject.Parse(mfaBody);
-                errorMessage = mfaResponse["Message"]?.ToString() ?? errorMessage;
+                using var mfaResponse = JsonDocument.Parse(mfaBody);
+                errorMessage = mfaResponse.RootElement.TryGetProperty("Message", out var mEl) ? mEl.GetString() ?? errorMessage : errorMessage;
             }
             catch
             {
@@ -315,8 +319,8 @@ private static string ExtractAuthorizationCode(string response)
         string authorizationCode;
         try
         {
-            var jsonObject = JObject.Parse(response);
-            var relyingPartyUrl = jsonObject["RelyingPartyUrl"]?.ToString();
+            using var jsonDoc = JsonDocument.Parse(response);
+            var relyingPartyUrl = jsonDoc.RootElement.TryGetProperty("RelyingPartyUrl", out var rpEl) ? rpEl.GetString() : null;
 
             if (string.IsNullOrEmpty(relyingPartyUrl))
             {
@@ -364,11 +368,16 @@ private static async Task<string> ResolveIdentityProviderAsync(
             cancellationToken)
             .ConfigureAwait(false);
 
-        var jProviders = JArray.Parse(response);
         var knownScopes = new List<(string RstsProviderId, string Name, string RstsProviderScope)>();
-        if (jProviders != null)
+        using (var jProviders = JsonDocument.Parse(response))
         {
-            knownScopes = jProviders.Select(s => (Id: s["RstsProviderId"].ToString(), Name: s["Name"].ToString(), Scope: s["RstsProviderScope"].ToString())).ToList();
+            foreach (var item in jProviders.RootElement.EnumerateArray())
+            {
+                var id = item.TryGetProperty("RstsProviderId", out var idEl) ? idEl.GetString() : null;
+                var name = item.TryGetProperty("Name", out var nameEl) ? nameEl.GetString() : null;
+                var providerScope = item.TryGetProperty("RstsProviderScope", out var scopeEl) ? scopeEl.GetString() : null;
+                knownScopes.Add((id, name, providerScope));
+            }
         }
 
         // try to match what the user typed for provider to an rSTS ID