Merge pull request #230 from petrsnd/feature/227-and-228-connect-async

Connect Async

Author: petrsnd

DEVICE-CODE-PLAN.md

@@ -164,6 +164,19 @@ var connection = DefaultBrowserLogin.Connect("safeguard.sample.corp");
 Console.WriteLine(connection.InvokeMethod(Service.Core, Method.Get, "Me"));
 ```
 
+#### Async with CancellationToken
+
+```C#
+using OneIdentity.SafeguardDotNet;
+using OneIdentity.SafeguardDotNet.BrowserLogin;
+
+// Ctrl+C cancels the login flow without terminating the process
+using var cts = Safeguard.AgentBasedLoginUtils.CreateConsoleCancellationToken();
+var connection = await DefaultBrowserLogin.ConnectAsync(
+    "safeguard.sample.corp", ignoreSsl: true, cancellationToken: cts.Token);
+Console.WriteLine(connection.InvokeMethod(Service.Core, Method.Get, "Me"));
+```
+
 ### Device Code Login (Recommended for Headless/Remote Devices)
 
 When there is no browser on the local machine (SSH sessions, containers, IoT
@@ -221,6 +234,17 @@ var connection = PkceNoninteractiveLogin.Connect(
 Console.WriteLine(connection.InvokeMethod(Service.Core, Method.Get, "Me"));
 ```
 
+#### Async with CancellationToken
+
+```C#
+using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(60));
+SecureString password = GetPasswordSomehow();
+var connection = await PkceNoninteractiveLogin.ConnectAsync(
+    "safeguard.sample.corp", "local", "Admin", password,
+    ignoreSsl: true, cancellationToken: cts.Token);
+Console.WriteLine(connection.InvokeMethod(Service.Core, Method.Get, "Me"));
+```
+
 ### Username / Password (Resource Owner Grant — Legacy)
 
 The following method relies on the Resource Owner grant, which is disabled by
@@ -280,6 +304,42 @@ A four minute video demonstrating how to get started calling the Safeguard API f
 
 [![Visual Studio Code video](https://img.youtube.com/vi/gV7iHUun9kA/0.jpg)](https://www.youtube.com/watch?v=gV7iHUun9kA)
 
+## Migrating to Async Login (ConnectAsync)
+
+`DefaultBrowserLogin`, `PkceNoninteractiveLogin`, and `DeviceCodeLogin` now
+offer `ConnectAsync` methods with `CancellationToken` support.
+
+**What changed in `Connect()` (sync):**
+
+- `DefaultBrowserLogin.Connect()` no longer registers a `Console.CancelKeyPress`
+  handler. The previous handler did not suppress process termination
+  (`e.Cancel` was not set to `true`), so Ctrl+C already terminated the process.
+  This change removes a non-functional side effect — behavior is unchanged for
+  callers.
+
+**New capability — `ConnectAsync`:**
+
+```C#
+// Option 1: Ctrl+C cancellation that suppresses process termination
+using var cts = Safeguard.AgentBasedLoginUtils.CreateConsoleCancellationToken();
+var connection = await DefaultBrowserLogin.ConnectAsync(
+    "safeguard.example.com", ignoreSsl: true, cancellationToken: cts.Token);
+
+// Option 2: Custom timeout
+using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(60));
+var connection = await PkceNoninteractiveLogin.ConnectAsync(
+    "safeguard.example.com", "local", "Admin", password,
+    ignoreSsl: true, cancellationToken: cts.Token);
+```
+
+**Bug fix — `ignoreSsl` now honored everywhere:**
+
+Previously, internal HTTP calls during token exchange always bypassed SSL
+validation regardless of the `ignoreSsl` parameter. This is now fixed — if you
+pass `ignoreSsl: false`, certificate validation is enforced for all calls.
+Environments using self-signed certificates should pass `ignoreSsl: true`
+explicitly.
+
 ## About the Safeguard API
 
 The Safeguard API is a REST-based Web API. Safeguard API endpoints are called

README.md

@@ -2,11 +2,13 @@
 
 namespace OneIdentity.SafeguardDotNet.BrowserLogin;
 
+using System;
 using System.Net;
 using System.Net.Sockets;
 using System.Text;
 using System.Text.RegularExpressions;
 using System.Threading;
+using System.Threading.Tasks;
 using System.Web;
 
 public class AuthorizationCodeExtractor
@@ -17,6 +19,80 @@ public AuthorizationCodeExtractor()
 
     public string AuthorizationCode { get; set; }
 
+    /// <summary>
+    /// Listens for an OAuth authorization code callback on the specified port (async).
+    /// Returns the authorization code extracted from the browser redirect.
+    /// </summary>
+    /// <remarks>
+    /// WARNING: This method blocks indefinitely until the browser callback is received.
+    /// If no <paramref name="cancellationToken"/> is provided, the call will never return
+    /// if the user does not complete authentication. Always provide a cancellation token
+    /// with a timeout or use <see cref="Safeguard.AgentBasedLoginUtils.CreateConsoleCancellationToken"/>
+    /// to enable Ctrl+C cancellation.
+    /// </remarks>
+    /// <param name="port">Local TCP port to listen on for the OAuth callback.</param>
+    /// <param name="cancellationToken">Cancellation token to abort the listener.</param>
+    /// <returns>The OAuth authorization code from the browser redirect.</returns>
+    /// <exception cref="OperationCanceledException">Thrown when cancellation is requested.</exception>
+    /// <exception cref="SafeguardDotNetException">Thrown when the redirect is malformed or missing.</exception>
+    public static async Task<string> ListenAsync(int port, CancellationToken cancellationToken)
+    {
+        var tcpListener = new TcpListener(IPAddress.Loopback, port);
+        tcpListener.Start();
+
+        try
+        {
+            TcpClient tcpClient;
+            using (cancellationToken.Register(tcpListener.Stop))
+            {
+                try
+                {
+                    tcpClient = await tcpListener.AcceptTcpClientAsync().ConfigureAwait(false);
+                }
+                catch (Exception ex) when ((ex is ObjectDisposedException || ex is SocketException)
+                    && cancellationToken.IsCancellationRequested)
+                {
+                    throw new OperationCanceledException(cancellationToken);
+                }
+            }
+
+            using (tcpClient)
+            {
+                using var networkStream = tcpClient.GetStream();
+                var readBuffer = new byte[1024];
+                var sb = new StringBuilder();
+                do
+                {
+                    var numberOfBytesRead = await networkStream.ReadAsync(readBuffer, 0, readBuffer.Length, cancellationToken)
+                        .ConfigureAwait(false);
+                    var s = Encoding.ASCII.GetString(readBuffer, 0, numberOfBytesRead);
+                    sb.Append(s);
+                }
+                while (networkStream.DataAvailable);
+
+                var fullResponse =
+                    "HTTP/1.1 200 OK\r\n\r\n<html><head><title>Authentication Complete</title></head><body><h2>Authentication complete.</h2>" +
+                    "<p>You can return to your application.</p><p>Feel free to close this browser tab.</p></body></html>\r\n";
+                var response = Encoding.ASCII.GetBytes(fullResponse);
+                await networkStream.WriteAsync(response, 0, response.Length, cancellationToken).ConfigureAwait(false);
+                await networkStream.FlushAsync(cancellationToken).ConfigureAwait(false);
+
+                var httpRequest = sb.ToString();
+                var authCode = HttpUtility.ParseQueryString(ExtractUriFromHttpRequest(httpRequest)).Get("oauth");
+                if (string.IsNullOrEmpty(authCode))
+                {
+                    throw new SafeguardDotNetException("OAuth callback did not contain an authorization code.");
+                }
+
+                return authCode;
+            }
+        }
+        finally
+        {
+            tcpListener.Stop();
+        }
+    }
+
     public void Listen(int port, CancellationToken cancellationToken)
     {
         var tcpListener = new TcpListener(IPAddress.Loopback, port);

SafeguardDotNet.BrowserLogin/AuthorizationCodeExtractor.cs

@@ -4,6 +4,7 @@ namespace OneIdentity.SafeguardDotNet.BrowserLogin;
 
 using System;
 using System.Threading;
+using System.Threading.Tasks;
 
 using Serilog;
 
@@ -17,49 +18,83 @@ public static class DefaultBrowserLogin
     /// Connect to Safeguard by launching the default browser for OAuth2/PKCE authentication.
     /// Opens a local TCP listener to receive the authorization code callback from the browser.
     /// </summary>
+    /// <remarks>
+    /// WARNING: This method blocks indefinitely until the browser callback is received.
+    /// If the user does not complete authentication, this call will never return.
+    /// For programmatic cancellation, use <see cref="ConnectAsync"/> with a
+    /// <see cref="CancellationToken"/> or
+    /// <see cref="Safeguard.AgentBasedLoginUtils.CreateConsoleCancellationToken"/>.
+    /// </remarks>
     /// <param name="appliance">Network address of Safeguard appliance</param>
     /// <param name="username">Optional username to pre-fill the login form</param>
     /// <param name="port">Local TCP port to listen for OAuth callback (default: 8400)</param>
     /// <param name="apiVersion">Target API version to use (default: 4)</param>
     /// <param name="ignoreSsl">Ignore validation of Safeguard appliance SSL certificate (default: false)</param>
     /// <returns>Reusable Safeguard API connection</returns>
     public static ISafeguardConnection Connect(
-        string appliance, string username = "", int port = 8400, int apiVersion = Safeguard.DefaultApiVersion, bool ignoreSsl = false)
+        string appliance,
+        string username = "",
+        int port = 8400,
+        int apiVersion = Safeguard.DefaultApiVersion,
+        bool ignoreSsl = false)
+    {
+        return ConnectAsync(appliance, username, port, apiVersion, ignoreSsl, CancellationToken.None)
+            .GetAwaiter().GetResult();
+    }
+
+    /// <summary>
+    /// Connect to Safeguard by launching the default browser for OAuth2/PKCE authentication (async).
+    /// Opens a local TCP listener to receive the authorization code callback from the browser.
+    /// Returns when the user completes authentication or the cancellation token is triggered.
+    /// </summary>
+    /// <remarks>
+    /// WARNING: This method blocks indefinitely until the browser callback is received.
+    /// If no <paramref name="cancellationToken"/> is provided, the call will never return
+    /// if the user does not complete authentication. Always provide a cancellation token
+    /// with a timeout or use <see cref="Safeguard.AgentBasedLoginUtils.CreateConsoleCancellationToken"/>
+    /// to enable Ctrl+C cancellation.
+    /// </remarks>
+    /// <param name="appliance">Network address of Safeguard appliance</param>
+    /// <param name="username">Optional username to pre-fill the login form</param>
+    /// <param name="port">Local TCP port to listen for OAuth callback (default: 8400)</param>
+    /// <param name="apiVersion">Target API version to use (default: 4)</param>
+    /// <param name="ignoreSsl">Ignore validation of Safeguard appliance SSL certificate (default: false)</param>
+    /// <param name="cancellationToken">Cancellation token to abort the flow.</param>
+    /// <returns>Reusable Safeguard API connection</returns>
+    /// <exception cref="SafeguardDotNetException">Thrown when authentication fails or API error.</exception>
+    /// <exception cref="OperationCanceledException">Thrown when cancellation is requested.</exception>
+    public static async Task<ISafeguardConnection> ConnectAsync(
+        string appliance,
+        string username = "",
+        int port = 8400,
+        int apiVersion = Safeguard.DefaultApiVersion,
+        bool ignoreSsl = false,
+        CancellationToken cancellationToken = default)
     {
         Log.Debug("Calling RSTS for primary authentication");
 
         var oauthCodeVerifier = Safeguard.AgentBasedLoginUtils.OAuthCodeVerifier();
-        var tokenExtractor = new AuthorizationCodeExtractor();
         var browserLauncher = new BrowserLauncher(appliance, oauthCodeVerifier);
 
-        using var source = new CancellationTokenSource();
-        Console.CancelKeyPress += (sender, e) => { source.Cancel(); };
-
         browserLauncher.Show(username, port);
-        tokenExtractor.Listen(port, source.Token);
 
-        if (string.IsNullOrEmpty(tokenExtractor.AuthorizationCode))
-        {
-            throw new SafeguardDotNetException("Unable to obtain authorization code");
-        }
+        var authorizationCode = await AuthorizationCodeExtractor.ListenAsync(port, cancellationToken).ConfigureAwait(false);
 
         Log.Debug("Redeeming RSTS authorization code");
 
-        using var rstsAccessToken = Safeguard.AgentBasedLoginUtils.PostAuthorizationCodeFlow(
-            appliance, tokenExtractor.AuthorizationCode, oauthCodeVerifier, Safeguard.AgentBasedLoginUtils.RedirectUri);
+        using var rstsAccessToken = await Safeguard.AgentBasedLoginUtils.PostAuthorizationCodeFlowAsync(
+            appliance,
+            authorizationCode,
+            oauthCodeVerifier,
+            Safeguard.AgentBasedLoginUtils.RedirectUriTcpListener,
+            ignoreSsl,
+            cancellationToken)
+            .ConfigureAwait(false);
 
         Log.Debug("Exchanging RSTS access token");
 
-        var responseObject = Safeguard.AgentBasedLoginUtils.PostLoginResponse(appliance, rstsAccessToken, apiVersion);
-
-        var statusValue = responseObject.GetValue("Status")?.ToString();
-
-        if (string.IsNullOrEmpty(statusValue) || statusValue != "Success")
-        {
-            throw new SafeguardDotNetException($"Error response status {statusValue} from RSTS");
-        }
-
-        using var accessToken = responseObject.GetValue("UserToken")?.ToString().ToSecureString();
-        return Safeguard.Connect(appliance, accessToken, apiVersion, ignoreSsl);
+        return await Safeguard.AgentBasedLoginUtils.ExchangeRstsTokenForConnectionAsync(
+            appliance, rstsAccessToken, apiVersion, ignoreSsl, cancellationToken)
+            .ConfigureAwait(false);
     }
 }

SafeguardDotNet.BrowserLogin/DefaultBrowserLogin.cs

@@ -75,7 +75,7 @@ public static async Task<ISafeguardConnection> ConnectAsync(
         var clientId = parameters.ClientId ?? "SafeguardDotNet";
         var scope = parameters.Scope ?? "rsts:sts:primaryproviderid:local";
 
-        using var http = CreateHttpClient(ignoreSsl);
+        using var http = Safeguard.AgentBasedLoginUtils.CreateStatelessHttpClient(ignoreSsl);
 
         // Step 1: Request device code (CRITICAL: no trailing slash on URL)
         Log.Debug("Requesting device authorization from {Appliance}", appliance);
@@ -188,35 +188,9 @@ public static async Task<ISafeguardConnection> ConnectAsync(
 
         using (rstsAccessToken)
         {
-            var responseObject = Safeguard.AgentBasedLoginUtils.PostLoginResponse(
-                appliance, rstsAccessToken, apiVersion);
-
-            var statusValue = responseObject.GetValue("Status")?.ToString();
-            if (string.IsNullOrEmpty(statusValue) || statusValue != "Success")
-            {
-                throw new SafeguardDotNetException($"Error exchanging RSTS token, status: {statusValue}");
-            }
-
-            // Step 5: Create connection
-            using var accessToken = responseObject.GetValue("UserToken")?.ToString().ToSecureString();
-            return Safeguard.Connect(appliance, accessToken, apiVersion, ignoreSsl);
-        }
-    }
-
-    private static HttpClient CreateHttpClient(bool ignoreSsl)
-    {
-        var handler = new HttpClientHandler()
-        {
-            SslProtocols = System.Security.Authentication.SslProtocols.Tls12,
-        };
-
-        if (ignoreSsl)
-        {
-#pragma warning disable S4830 // Intentional SSL bypass when user explicitly opts in
-            handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true;
-#pragma warning restore S4830
+            return await Safeguard.AgentBasedLoginUtils.ExchangeRstsTokenForConnectionAsync(
+                appliance, rstsAccessToken, apiVersion, ignoreSsl, cancellationToken)
+                .ConfigureAwait(false);
         }
-
-        return new HttpClient(handler);
     }
 }

SafeguardDotNet.DeviceCodeLogin/DeviceCodeLogin.cs

@@ -2,6 +2,8 @@
 
 namespace OneIdentity.SafeguardDotNet.GuiLogin
 {
+    using System.Threading;
+
     using Serilog;
 
     /// <summary>
@@ -33,24 +35,18 @@ public static ISafeguardConnection Connect(string appliance, int apiVersion = Sa
 
                 Log.Debug("Redeeming RSTS authorization code");
 
-                using (var rstsAccessToken = Safeguard.AgentBasedLoginUtils.PostAuthorizationCodeFlow(
-                    appliance, rstsWindow.AuthorizationCode, rstsWindow.CodeVerifier, Safeguard.AgentBasedLoginUtils.RedirectUri))
+                using (var rstsAccessToken = Safeguard.AgentBasedLoginUtils.PostAuthorizationCodeFlowAsync(
+                    appliance,
+                    rstsWindow.AuthorizationCode,
+                    rstsWindow.CodeVerifier,
+                    Safeguard.AgentBasedLoginUtils.RedirectUri,
+                    ignoreSsl,
+                    CancellationToken.None).GetAwaiter().GetResult())
                 {
                     Log.Debug("Exchanging RSTS access token");
 
-                    var responseObject = Safeguard.AgentBasedLoginUtils.PostLoginResponse(appliance, rstsAccessToken);
-
-                    var statusValue = responseObject.GetValue("Status")?.ToString();
-
-                    if (string.IsNullOrEmpty(statusValue) || statusValue != "Success")
-                    {
-                        throw new SafeguardDotNetException($"Error response status {statusValue} from login response service");
-                    }
-
-                    using (var accessToken = responseObject.GetValue("UserToken")?.ToString().ToSecureString())
-                    {
-                        return Safeguard.Connect(appliance, accessToken, apiVersion, ignoreSsl);
-                    }
+                    return Safeguard.AgentBasedLoginUtils.ExchangeRstsTokenForConnection(
+                        appliance, rstsAccessToken, apiVersion, ignoreSsl);
                 }
             }
             else