
Simplify some of the client authentication policy checks

pull/2438/head
Kévin Chalet 2 weeks ago
parent
commit
a89b5c66aa
  1. 40
      sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs
  2. 4
      sandbox/OpenIddict.Sandbox.WinForms.Client/Program.cs
  3. 2
      src/OpenIddict.Abstractions/OpenIddictResources.resx
  4. 1
      src/OpenIddict.Server/OpenIddictServerBuilder.cs
  5. 4
      src/OpenIddict.Server/OpenIddictServerConfiguration.cs
  6. 1
      src/OpenIddict.Server/OpenIddictServerOptions.cs

40
sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs

@ -53,9 +53,13 @@ public class InteractiveService : BackgroundService
// While this sample deliberately doesn't store the generated certificate in a persistent
// location, the certificate used for token binding should typically be stored in the user
// certificate store to be reloaded across application restarts in a real-world application.
var certificate = configuration.TlsClientCertificateBoundAccessTokens is true
? GenerateEphemeralTlsClientCertificate()
: null;
var certificate = registration.ClientType switch
{
ClientTypes.Public when configuration.TlsClientCertificateBoundAccessTokens is true
=> GenerateEphemeralTlsClientCertificate(),
_ => null
};
var flow = await GetSelectedFlowAsync(registration, configuration, stoppingToken);
@ -166,9 +170,13 @@ public class InteractiveService : BackgroundService
var type = await GetSelectedGrantTypeAsync(registration, configuration, stoppingToken);
if (type is GrantTypes.DeviceCode)
{
var certificate = configuration.TlsClientCertificateBoundAccessTokens is true
? GenerateEphemeralTlsClientCertificate()
: null;
var certificate = registration.ClientType switch
{
ClientTypes.Public when configuration.TlsClientCertificateBoundAccessTokens is true
=> GenerateEphemeralTlsClientCertificate(),
_ => null
};
// Ask OpenIddict to send a device authorization request and write
// the complete verification endpoint URI to the console output.
@ -256,9 +264,13 @@ public class InteractiveService : BackgroundService
{
var (username, password) = (await GetUsernameAsync(stoppingToken), await GetPasswordAsync(stoppingToken));
var certificate = configuration.TlsClientCertificateBoundAccessTokens is true
? GenerateEphemeralTlsClientCertificate()
: null;
var certificate = registration.ClientType switch
{
ClientTypes.Public when configuration.TlsClientCertificateBoundAccessTokens is true
=> GenerateEphemeralTlsClientCertificate(),
_ => null
};
AnsiConsole.MarkupLine("[cyan]Sending the token request.[/]");
@ -339,9 +351,13 @@ public class InteractiveService : BackgroundService
await GetSubjectTokenAsync(stoppingToken),
await GetActorTokenAsync(stoppingToken));
var certificate = configuration.TlsClientCertificateBoundAccessTokens is true
? GenerateEphemeralTlsClientCertificate()
: null;
var certificate = registration.ClientType switch
{
ClientTypes.Public when configuration.TlsClientCertificateBoundAccessTokens is true
=> GenerateEphemeralTlsClientCertificate(),
_ => null
};
AnsiConsole.MarkupLine("[cyan]Sending the token request.[/]");
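Review bot: The new switch expression is pasted verbatim into four places in this file (the hunks at lines 53, 166, 256 and 339), so the rule deciding when an ephemeral mTLS certificate is generated now lives in four spots that must be kept in sync; a small private helper taking `registration` and `configuration` and returning the certificate or null would keep that decision in one place. The `_ => null` arm also silently skips certificate generation for non-public clients, and the existing comment above the first occurrence only talks about persisting the certificate, not about this restriction; a line such as `// Only public clients get an ephemeral certificate here; confidential clients presumably use the certificate registered for client authentication — confirm.` next to the switch would document the intent. The enclosing methods start and end outside the hunks shown.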

4
sandbox/OpenIddict.Sandbox.WinForms.Client/Program.cs

@ -98,10 +98,6 @@ var host = new HostBuilder()
.SetRedirectUri("com.openiddict.sandbox.winforms.client://callback/login/github");
});
});
//
// Note: in a real world application, this step should be part of a setup script.
// services.Insert(0, ServiceDescriptor.Singleton<IHostedService, Worker>());
})
.ConfigureWinForms<MainForm>()
.UseWinFormsLifetime()

2
src/OpenIddict.Abstractions/OpenIddictResources.resx

@ -1849,7 +1849,7 @@ To use a custom policy relying on the system store, set 'OpenIddictServerOptions
<value>mTLS endpoint aliases cannot be set when the corresponding endpoints have not been enabled.</value>
</data>
<data name="ID0511" xml:space="preserve">
<value>Public Key Infrastructure certificates cannot contain private keys.</value>
<value>Certificates attached to client authentication policies cannot contain private keys.</value>
</data>
<data name="ID0512" xml:space="preserve">
<value>A certificate-based client authentication or token binding method was negotiated but no suitable certificate could be found.</value>

1
src/OpenIddict.Server/OpenIddictServerBuilder.cs

@ -2420,7 +2420,6 @@ public sealed class OpenIddictServerBuilder
/// </summary>
/// <param name="configuration">The delegate used to amend the created X.509 chain policy.</param>
/// <returns>The <see cref="OpenIddictServerBuilder"/> instance.</returns>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public OpenIddictServerBuilder EnableSelfSignedTlsClientAuthentication(Action<X509ChainPolicy> configuration)
{
ArgumentNullException.ThrowIfNull(configuration);

4
src/OpenIddict.Server/OpenIddictServerConfiguration.cs

@ -348,13 +348,13 @@ public sealed class OpenIddictServerConfiguration : IPostConfigureOptions<OpenId
// Ensure the self-signed TLS client authentication chain policy doesn't contain any certificate.
if (options.SelfSignedTlsClientAuthenticationPolicy is not null)
{
if (options.SelfSignedTlsClientAuthenticationPolicy.ExtraStore.Cast<X509Certificate2>().Any())
if (options.SelfSignedTlsClientAuthenticationPolicy.ExtraStore.Count is not 0)
{
throw new InvalidOperationException(SR.GetResourceString(SR.ID0502));
}
#if SUPPORTS_X509_CHAIN_POLICY_CUSTOM_TRUST_STORE && SUPPORTS_X509_CHAIN_POLICY_TRUST_MODE
if (options.SelfSignedTlsClientAuthenticationPolicy.CustomTrustStore.Cast<X509Certificate2>().Any())
if (options.SelfSignedTlsClientAuthenticationPolicy.CustomTrustStore.Count is not 0)
{
throw new InvalidOperationException(SR.GetResourceString(SR.ID0502));
}
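Review bot: The two replaced checks, `.ExtraStore.Count is not 0` and `.CustomTrustStore.Count is not 0`, both throw ID0502, so an operator who attached certificates to the self-signed policy cannot tell from the exception which of the two collections is populated; if ID0502 is worded generically this is acceptable, otherwise distinct messages (or including the property name via `nameof`) would make the misconfiguration easier to locate. The comment preceding the block states that the policy must not contain any certificate but not why; a why-comment such as `// Extra and custom trust stores would change which chains the self-signed policy accepts, so they are rejected up front — confirm intent.` would make the invariant clearer to the next maintainer. The enclosing configuration method continues outside the hunk.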

1
src/OpenIddict.Server/OpenIddictServerOptions.cs

@ -716,6 +716,5 @@ public sealed class OpenIddictServerOptions
/// the system certificates store, doing so is strongly discouraged.
/// </para>
/// </remarks>
[EditorBrowsable(EditorBrowsableState.Advanced)]
public X509ChainPolicy? SelfSignedTlsClientAuthenticationPolicy { get; set; }
}
