From 9692206e297dd430db65e4342a949a2511578bfd Mon Sep 17 00:00:00 2001 From: kailash-b Date: Mon, 14 Jul 2025 20:58:42 +0530 Subject: [PATCH 1/4] Upgrade versions and fix errors in existing test cases --- .../Auth0.AspNetCore.Authentication.csproj | 3 +- ...ore.Authentication.IntegrationTests.csproj | 17 +++--- .../Auth0MiddlewareTests.cs | 16 +++-- .../BackchannelLogoutTests.cs | 22 +++---- .../TokenValidationTests.cs | 61 ++++++++++++------- .../wellknownconfig.json | 2 +- .../wellknownconfig_without_par.json | 2 +- 7 files changed, 71 insertions(+), 52 deletions(-) diff --git a/src/Auth0.AspNetCore.Authentication/Auth0.AspNetCore.Authentication.csproj b/src/Auth0.AspNetCore.Authentication/Auth0.AspNetCore.Authentication.csproj index 603e4159..3e063351 100644 --- a/src/Auth0.AspNetCore.Authentication/Auth0.AspNetCore.Authentication.csproj +++ b/src/Auth0.AspNetCore.Authentication/Auth0.AspNetCore.Authentication.csproj @@ -9,7 +9,8 @@ - + + diff --git a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0.AspNetCore.Authentication.IntegrationTests.csproj b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0.AspNetCore.Authentication.IntegrationTests.csproj index c71bce84..8c776de6 100644 --- a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0.AspNetCore.Authentication.IntegrationTests.csproj +++ b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0.AspNetCore.Authentication.IntegrationTests.csproj @@ -1,7 +1,7 @@  - net6.0 + net8.0 @@ -24,18 +24,17 @@ - - - - - - - + + + + + + all runtime; build; native; contentfiles; analyzers; buildtransitive - + all runtime; build; native; contentfiles; analyzers; buildtransitive diff --git a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0MiddlewareTests.cs b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0MiddlewareTests.cs index 52e35930..073c744a 100644 --- a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0MiddlewareTests.cs 
+++ b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0MiddlewareTests.cs
@@ -19,6 +19,7 @@
 using System.Security.Cryptography;
 using System.Linq;
 using Auth0.AspNetCore.Authentication.Exceptions;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 namespace Auth0.AspNetCore.Authentication.IntegrationTests
@@ -951,12 +952,13 @@ public async Task Should_Throw_When_Organization_Provided_But_Claim_Missing()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be("Organization claim (org_id) must be a string present in the ID token.");
 }
 }
@@ -1007,12 +1009,13 @@ public async Task Should_Throw_When_Organization_Provided_But_Claim_Mismatch()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be("Organization claim (org_id) mismatch in the ID token; expected \"org_123\", found \"org_456\".");
 }
 }
@@ -1070,12 +1073,13 @@ public async Task Should_Allow_Custom_Token_Validation()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be("Triggered Custom Validation.");
 }
 }
diff --git a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/BackchannelLogoutTests.cs b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/BackchannelLogoutTests.cs
index 1c7b7891..f30df969 100644
--- a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/BackchannelLogoutTests.cs
+++ b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/BackchannelLogoutTests.cs
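Review bot: The new `.ThrowAsync()` followed by `.Result` in each of the three assertion hunks synchronously blocks on the async assertion inside an `async Task` test method, and any assertion failure then surfaces wrapped in an `AggregateException` instead of as the assertion's own message. Since the test is already async, awaiting is the direct form: `var innerException = (await act.Should().ThrowAsync<TException>()).And.InnerException;`, where `TException` stands for the type argument the hunk passes (this rendering has dropped the generic arguments). The same `.Result` pattern is repeated in every `TokenValidationTests.cs` hunk of this commit and should be changed there in the same way. The enclosing test methods begin outside these hunks.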
@@ -38,7 +38,7 @@ public async Task Should_Return_405_If_Not_Post()
 using var client = server.CreateClient();
 var res = await client.SendAsync($"{TestServerBuilder.Host}/backchannel-logout");
- res.StatusCode.Should().Be(405);
+ res.StatusCode.Should().Be((HttpStatusCode)405);
 }
 [Fact]
@@ -67,7 +67,7 @@ public async Task Should_return_400_when_not_form_urlencoded()
 var content = await response.Content.ReadAsStringAsync();
 var error = ApiError.Parse(content);
- response.StatusCode.Should().Be(400);
+ response.StatusCode.Should().Be((HttpStatusCode)400);
 error.Message.Should().Be("Only application/x-www-form-urlencoded is allowed.");
 }
@@ -99,7 +99,7 @@ public async Task Should_return_400_when_no_logout_token()
 var content = await response.Content.ReadAsStringAsync();
 var error = ApiError.Parse(content);
- response.StatusCode.Should().Be(400);
+ response.StatusCode.Should().Be((HttpStatusCode)400);
 error.Message.Should().Be("Missing logout_token.");
 }
@@ -139,7 +139,7 @@ public async Task Should_Validate_Signature_On_Backchannel_Logout()
 var content = await response.Content.ReadAsStringAsync();
 var error = ApiError.Parse(content);
- response.StatusCode.Should().Be(400);
+ response.StatusCode.Should().Be((HttpStatusCode)400);
 error.Message.Should().Contain("Signature validation failed.");
 }
@@ -177,7 +177,7 @@ public async Task Should_Validate_Issuer_On_Backchannel_Logout()
 var content = await response.Content.ReadAsStringAsync();
 var error = ApiError.Parse(content);
- response.StatusCode.Should().Be(400);
+ response.StatusCode.Should().Be((HttpStatusCode)400);
 error.Message.Should().Contain("Issuer validation failed.");
 }
@@ -216,7 +216,7 @@ public async Task Should_Validate_Audience_On_Backchannel_Logout()
 var content = await response.Content.ReadAsStringAsync();
 var error = ApiError.Parse(content);
- response.StatusCode.Should().Be(400);
+ response.StatusCode.Should().Be((HttpStatusCode)400);
 error.Message.Should().Contain("Audience validation failed.");
 }
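Review bot: The casts `(HttpStatusCode)405`, `(HttpStatusCode)400` and `(HttpStatusCode)200` in these hunks (and in the remaining `BackchannelLogoutTests.cs` hunks that follow) spell the expected status as a bare number, so a reader has to know the code to see what the test asserts. The enum already names them: `res.StatusCode.Should().Be(HttpStatusCode.MethodNotAllowed);`, `response.StatusCode.Should().Be(HttpStatusCode.BadRequest);` and `response.StatusCode.Should().Be(HttpStatusCode.OK);`. Behaviour is identical either way; this is readability only. Each test method starts outside its hunk.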
@@ -254,7 +254,7 @@ public async Task Should_Validate_Sid_On_Backchannel_Logout()
 var content = await response.Content.ReadAsStringAsync();
 var error = ApiError.Parse(content);
- response.StatusCode.Should().Be(400);
+ response.StatusCode.Should().Be((HttpStatusCode)400);
 error.Message.Should().Contain("Session Id (sid) claim must be a string present in the logout token.");
 }
@@ -295,7 +295,7 @@ public async Task Should_Validate_Nonce_On_Backchannel_Logout()
 var content = await response.Content.ReadAsStringAsync();
 var error = ApiError.Parse(content);
- response.StatusCode.Should().Be(400);
+ response.StatusCode.Should().Be((HttpStatusCode)400);
 error.Message.Should().Contain("Nonce (nonce) claim must not be present in the logout token.");
 }
@@ -333,7 +333,7 @@ public async Task Should_Validate_Events_When_Missing_On_Backchannel_Logout()
 var content = await response.Content.ReadAsStringAsync();
 var error = ApiError.Parse(content);
- response.StatusCode.Should().Be(400);
+ response.StatusCode.Should().Be((HttpStatusCode)400);
 error.Message.Should().Contain("Events (events) claim must be present in the logout token.");
 }
@@ -372,7 +372,7 @@ public async Task Should_Validate_Events_When_Missing_Property_Backchannel_Logou
 var content = await response.Content.ReadAsStringAsync();
 var error = ApiError.Parse(content);
- response.StatusCode.Should().Be(400);
+ response.StatusCode.Should().Be((HttpStatusCode)400);
 error.Message.Should().Contain("Events (events) claim must contain a 'http://schemas.openid.net/event/backchannel-logout' property in the logout token.");
 }
@@ -408,7 +408,7 @@ public async Task Should_Pass_Validation_On_Backchannel_Logout()
 req.Content = new FormUrlEncodedContent(formData);
 using var response = await client.SendAsync(req);
- response.StatusCode.Should().Be(200);
+ response.StatusCode.Should().Be((HttpStatusCode)200);
 }
 [Fact]
diff --git a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/TokenValidationTests.cs b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/TokenValidationTests.cs
index 706d01bd..6e6c6e4c 100644
--- a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/TokenValidationTests.cs
+++ b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/TokenValidationTests.cs
@@ -11,6 +11,7 @@
 using Auth0.AspNetCore.Authentication.IntegrationTests.Extensions;
 using Auth0.AspNetCore.Authentication.IntegrationTests.Infrastructure;
 using Auth0.AspNetCore.Authentication.IntegrationTests.Utils;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.IdentityModel.Tokens;
 namespace Auth0.AspNetCore.Authentication.IntegrationTests
@@ -69,7 +70,8 @@ public async Task Should_Throw_When_Missing_Issuer()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
@@ -123,7 +125,8 @@ public async Task Should_Throw_When_Invalid_Issuer()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
@@ -177,12 +180,13 @@ public async Task Should_Throw_When_Missing_Subject()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be("Subject (sub) claim must be a string present in the ID token.");
 }
 }
@@ -232,7 +236,8 @@ public async Task Should_Throw_When_Missing_Audience()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
@@ -286,7 +291,8 @@ public async Task Should_Throw_When_Invalid_Audience()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
@@ -340,7 +346,8 @@ public async Task Should_Throw_When_Expired()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
@@ -394,12 +401,13 @@ public async Task Should_Throw_When_Missing_Azp_And_Multiple_Audiences()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be("Authorized Party (azp) claim must be a string present in the ID token when Audiences (aud) claim has multiple values.");
 }
 }
@@ -449,12 +457,13 @@ public async Task Should_Throw_When_Invalid_Azp_And_Multiple_Audiences()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be("Authorized Party (azp) claim mismatch in the ID token; expected \"123\", found \"789\".");
 }
 }
@@ -505,12 +514,13 @@ public async Task Should_Throw_When_Max_Age_Exists_And_Auth_Time_Does_Not()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be("Authentication Time (auth_time) claim must be an integer present in the ID token when MaxAge specified.");
 }
 }
@@ -561,12 +571,13 @@ public async Task Should_Throw_When_Max_Age_Exists_And_Auth_Time_Is_Invalid()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().StartWith("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication.");
 }
 }
@@ -644,12 +655,13 @@ public async Task Should_Throw_When_Missing_OrgId()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be("Organization claim (org_id) must be a string present in the ID token.");
 }
 }
@@ -699,12 +711,13 @@ public async Task Should_Throw_When_OrgId_Mismatch()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be($"Organization claim (org_id) mismatch in the ID token; expected \"org_123\", found \"org_abc\".");
 }
 }
@@ -795,12 +808,13 @@ public async Task Should_Throw_When_Missing_OrgName()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be("Organization claim (org_name) must be a string present in the ID token.");
 }
 }
@@ -850,12 +864,13 @@ public async Task Should_Throw_When_OrgName_Mismatch()
 var innerException = act
 .Should()
- .Throw()
+ .ThrowAsync()
+ .Result
 .And.InnerException;
 innerException
 .Should()
- .BeOfType()
+ .BeOfType()
 .Which.Message.Should().Be($"Organization claim (org_name) mismatch in the ID token; expected \"organizationa\", found \"organizationb\".");
 }
 }
diff --git a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/wellknownconfig.json b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/wellknownconfig.json
index 85502474..5a07f904 100644
--- a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/wellknownconfig.json
+++ b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/wellknownconfig.json
@@ -60,5 +60,5 @@
 "picture",
 "sub"
 ],
- "request_uri_parameter_supported": "false"
+ "request_uri_parameter_supported": false
 }
\ No newline at end of file
diff --git a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/wellknownconfig_without_par.json b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/wellknownconfig_without_par.json
index 70e44ecf..1e478b8c 100644
--- a/tests/Auth0.AspNetCore.Authentication.IntegrationTests/wellknownconfig_without_par.json
+++ b/tests/Auth0.AspNetCore.Authentication.IntegrationTests/wellknownconfig_without_par.json
@@ -59,5 +59,5 @@ "picture", "sub" ], - "request_uri_parameter_supported": "false" + "request_uri_parameter_supported": false } \ No newline at end of file From e5e89ca9ec48afe4ef51d8e03fb01d87edc9e1cb Mon Sep 17 00:00:00 2001 From: kailash-b Date: Mon, 14 Jul 2025 19:40:45 +0530 Subject: [PATCH 2/4] Upgrade Microsoft.IdentityModel.Protocols.OpenIdConnect to 8.12.1 --- .../Auth0.AspNetCore.Authentication.csproj | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Auth0.AspNetCore.Authentication/Auth0.AspNetCore.Authentication.csproj b/src/Auth0.AspNetCore.Authentication/Auth0.AspNetCore.Authentication.csproj index 3e063351..07def8e3 100644 --- a/src/Auth0.AspNetCore.Authentication/Auth0.AspNetCore.Authentication.csproj +++ b/src/Auth0.AspNetCore.Authentication/Auth0.AspNetCore.Authentication.csproj @@ -6,9 +6,9 @@ - + From 2df71c276172b8552aa3170318b5e2cc3ea52475 Mon Sep 17 00:00:00 2001 From: kailash-b Date: Mon, 14 Jul 2025 20:59:45 +0530 Subject: [PATCH 3/4] Update PAR parsing logic to work with latest versions --- .../PushedAuthorizationRequestHandler.cs | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/src/Auth0.AspNetCore.Authentication/PushedAuthorizationRequest/PushedAuthorizationRequestHandler.cs b/src/Auth0.AspNetCore.Authentication/PushedAuthorizationRequest/PushedAuthorizationRequestHandler.cs index 69ab1adb..fe340554 100644 --- a/src/Auth0.AspNetCore.Authentication/PushedAuthorizationRequest/PushedAuthorizationRequestHandler.cs +++ b/src/Auth0.AspNetCore.Authentication/PushedAuthorizationRequest/PushedAuthorizationRequestHandler.cs 
@@ -24,11 +24,20 @@ public static async Task HandleAsync(RedirectContext context, OpenIdConnectOptio
 var oidcConfiguration = await oidcOptions.ConfigurationManager?.GetConfigurationAsync(default)!;
- object? rawParEndpoint = string.Empty;
- oidcConfiguration?.AdditionalData.TryGetValue("pushed_authorization_request_endpoint", out rawParEndpoint);
- string? parEndpoint = rawParEndpoint as string;
+ // Trying to get the PAR endpoint from the property first, fallback to AdditionalData for older configs.
+ string? parEndpoint = null;
+ if (oidcConfiguration != null)
+ {
+ parEndpoint = oidcConfiguration?.PushedAuthorizationRequestEndpoint;
+ if (string.IsNullOrEmpty(parEndpoint))
+ {
+ object? rawParEndpoint = string.Empty;
+ oidcConfiguration.AdditionalData?.TryGetValue("pushed_authorization_request_endpoint", out rawParEndpoint);
+ parEndpoint = rawParEndpoint as string;
+ }
+ }
- // If PAR was enabled in the options, but no `pushed_authorization_request_endpoint` value is find
+ // If PAR was enabled in the options, but no `pushed_authorization_request_endpoint` value is found
 // in the OIDC configuration, we will throw an error.
 if (string.IsNullOrEmpty(parEndpoint))
 {
From 7342c9cc23718bb71e477f7851360b73313315a2 Mon Sep 17 00:00:00 2001
From: kailash-b
Date: Mon, 14 Jul 2025 21:25:23 +0530
Subject: [PATCH 4/4] Fix dependabot.yml
---
 .github/dependabot.yml | 9 ---------
 1 file changed, 9 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 09ffe12d..4b7189a7 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
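Review bot: Inside the `if (oidcConfiguration != null)` guard, the null-conditional in `parEndpoint = oidcConfiguration?.PushedAuthorizationRequestEndpoint;` is redundant and reads as if the configuration could still be null; `parEndpoint = oidcConfiguration.PushedAuthorizationRequestEndpoint;` matches the unconditional dereference on the `AdditionalData` line a few lines below. The fallback keeps the old `object?`/`as string` shape, so a value under `pushed_authorization_request_endpoint` that the newer IdentityModel does not surface as a plain `string` would silently become null and be reported as a missing endpoint; if that representation is possible, `parEndpoint = rawParEndpoint?.ToString();` is the safer coercion, which is worth confirming against the library rather than assuming. Whichever source supplies it, the value is an endpoint taken from discovery metadata and, as far as this hunk shows, is only checked for emptiness; since the remainder of `HandleAsync` presumably sends the pushed authorization request to it, adding `Uri.TryCreate(parEndpoint, UriKind.Absolute, out var parUri) && parUri.Scheme == Uri.UriSchemeHttps` next to the emptiness check would reject a malformed or plaintext endpoint before any request is built. `HandleAsync` starts and ends outside this hunk.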
@@ -31,15 +31,6 @@ updates: labels: - "dependencies" - "npm" - # Only security updates for npm since they're dev dependencies - # for build scripts and not critical for library functionality - allow: - - dependency-type: "direct" - update-type: "version-update:semver-patch" - - dependency-type: "direct" - update-type: "version-update:semver-minor" - - dependency-type: "indirect" - update-type: "security-update" - package-ecosystem: "github-actions" directory: "/"