Dynamically determine the best client authentication method using introspection_endpoint_auth_methods_supported

Author: kevinchalet

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionConfiguration.cs

@@ -5,6 +5,7 @@
  */
 
 using System;
+using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
 using JetBrains.Annotations;
@@ -42,6 +43,15 @@ public OAuthIntrospectionConfiguration([NotNull] string json)
             PropertyName = OAuthIntrospectionConstants.Metadata.IntrospectionEndpoint)]
         public string IntrospectionEndpoint { get; set; }
 
+        /// <summary>
+        /// Gets the list of authentication methods supported by the introspection endpoint.
+        /// </summary>
+        [JsonProperty(
+            DefaultValueHandling = DefaultValueHandling.Ignore,
+            NullValueHandling = NullValueHandling.Ignore,
+            PropertyName = OAuthIntrospectionConstants.Metadata.IntrospectionEndpointAuthMethodsSupported)]
+        public ISet<string> IntrospectionEndpointAuthMethodsSupported { get; } = new HashSet<string>();
+
         /// <summary>
         /// Represents a configuration retriever able to deserialize
         /// <see cref="OAuthIntrospectionConfiguration"/> instances.

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionConstants.cs

@@ -30,6 +30,12 @@ public static class ClaimValueTypes
             public const string JsonArray = "JSON_ARRAY";
         }
 
+        public static class ClientAuthenticationMethods
+        {
+            public const string ClientSecretBasic = "client_secret_basic";
+            public const string ClientSecretPost = "client_secret_post";
+        }
+
         public static class Errors
         {
             public const string InsufficientScope = "insufficient_scope";
@@ -40,10 +46,13 @@ public static class Errors
         public static class Metadata
         {
             public const string IntrospectionEndpoint = "introspection_endpoint";
+            public const string IntrospectionEndpointAuthMethodsSupported = "introspection_endpoint_auth_methods_supported";
         }
 
         public static class Parameters
         {
+            public const string ClientId = "client_id";
+            public const string ClientSecret = "client_secret";
             public const string Error = "error";
             public const string ErrorDescription = "error_description";
             public const string ErrorUri = "error_uri";
@@ -68,6 +77,7 @@ public static class Properties
 
         public static class Schemes
         {
+            public const string Basic = "Basic";
             public const string Bearer = "Bearer";
         }
 
@@ -76,7 +86,7 @@ public static class Separators
             public static readonly char[] Space = { ' ' };
         }
 
-        public static class TokenTypes
+        public static class TokenTypeHints
         {
             public const string AccessToken = "access_token";
         }

src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -376,18 +376,39 @@ protected virtual async Task<JObject> GetIntrospectionPayloadAsync(string token)
                                                     "the introspection endpoint address from the discovery document.");
             }
 
-            var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));
-
             // Create a new introspection request containing the access token and the client credentials.
             var request = new HttpRequestMessage(HttpMethod.Post, configuration.IntrospectionEndpoint);
             request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);
 
-            request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
+            // Note: always specify the token_type_hint to help
+            // the authorization server make a faster token lookup.
+            var parameters = new Dictionary<string, string>
             {
                 [OAuthIntrospectionConstants.Parameters.Token] = token,
-                [OAuthIntrospectionConstants.Parameters.TokenTypeHint] = OAuthIntrospectionConstants.TokenTypes.AccessToken
-            });
+                [OAuthIntrospectionConstants.Parameters.TokenTypeHint] = OAuthIntrospectionConstants.TokenTypeHints.AccessToken
+            };
+
+            // If the introspection endpoint provided by the authorization server supports
+            // client_secret_post, flow the client credentials as regular OAuth2 parameters.
+            // See https://tools.ietf.org/html/draft-ietf-oauth-discovery-05#section-2
+            // and https://tools.ietf.org/html/rfc6749#section-2.3.1 for more information.
+            if (configuration.IntrospectionEndpointAuthMethodsSupported.Contains(OAuthIntrospectionConstants.ClientAuthenticationMethods.ClientSecretPost))
+            {
+                parameters[OAuthIntrospectionConstants.Parameters.ClientId] = Options.ClientId;
+                parameters[OAuthIntrospectionConstants.Parameters.ClientSecret] = Options.ClientSecret;
+            }
+
+            // Otherwise, assume the authorization server only supports basic authentication,
+            // as it's the only authentication method required by the OAuth2 specification.
+            // See https://tools.ietf.org/html/rfc6749#section-2.3.1 for more information.
+            else
+            {
+                var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));
+
+                request.Headers.Authorization = new AuthenticationHeaderValue(OAuthIntrospectionConstants.Schemes.Basic, credentials);
+            }
+
+            request.Content = new FormUrlEncodedContent(parameters);
 
             var notification = new RequestTokenIntrospectionContext(Context, Options, request, token);
             await Options.Events.RequestTokenIntrospection(notification);

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionConfiguration.cs

@@ -5,6 +5,7 @@
  */
 
 using System;
+using System.Collections.Generic;
 using System.Threading;
 using System.Threading.Tasks;
 using JetBrains.Annotations;
@@ -44,6 +45,15 @@ public OAuthIntrospectionConfiguration([NotNull] string json)
             PropertyName = OAuthIntrospectionConstants.Metadata.IntrospectionEndpoint)]
         public string IntrospectionEndpoint { get; set; }
 
+        /// <summary>
+        /// Gets the list of authentication methods supported by the introspection endpoint.
+        /// </summary>
+        [JsonProperty(
+            DefaultValueHandling = DefaultValueHandling.Ignore,
+            NullValueHandling = NullValueHandling.Ignore,
+            PropertyName = OAuthIntrospectionConstants.Metadata.IntrospectionEndpointAuthMethodsSupported)]
+        public ISet<string> IntrospectionEndpointAuthMethodsSupported { get; } = new HashSet<string>();
+
         /// <summary>
         /// Represents a configuration retriever able to deserialize
         /// <see cref="OAuthIntrospectionConfiguration"/> instances.

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionConstants.cs

@@ -30,6 +30,12 @@ public static class ClaimValueTypes
             public const string JsonArray = "JSON_ARRAY";
         }
 
+        public static class ClientAuthenticationMethods
+        {
+            public const string ClientSecretBasic = "client_secret_basic";
+            public const string ClientSecretPost = "client_secret_post";
+        }
+
         public static class Errors
         {
             public const string InsufficientScope = "insufficient_scope";
@@ -46,10 +52,13 @@ public static class Headers
         public static class Metadata
         {
             public const string IntrospectionEndpoint = "introspection_endpoint";
+            public const string IntrospectionEndpointAuthMethodsSupported = "introspection_endpoint_auth_methods_supported";
         }
 
         public static class Parameters
         {
+            public const string ClientId = "client_id";
+            public const string ClientSecret = "client_secret";
             public const string Error = "error";
             public const string ErrorDescription = "error_description";
             public const string ErrorUri = "error_uri";
@@ -74,6 +83,7 @@ public static class Properties
 
         public static class Schemes
         {
+            public const string Basic = "Basic";
             public const string Bearer = "Bearer";
         }
 
@@ -82,7 +92,7 @@ public static class Separators
             public static readonly char[] Space = { ' ' };
         }
 
-        public static class TokenTypes
+        public static class TokenTypeHints
         {
             public const string AccessToken = "access_token";
         }

src/Owin.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs

@@ -365,18 +365,39 @@ protected virtual async Task<JObject> GetIntrospectionPayloadAsync(string token)
                                                     "the introspection endpoint address from the discovery document.");
             }
 
-            var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));
-
             // Create a new introspection request containing the access token and the client credentials.
             var request = new HttpRequestMessage(HttpMethod.Post, configuration.IntrospectionEndpoint);
             request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-            request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);
 
-            request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
+            // Note: always specify the token_type_hint to help
+            // the authorization server make a faster token lookup.
+            var parameters = new Dictionary<string, string>
             {
                 [OAuthIntrospectionConstants.Parameters.Token] = token,
-                [OAuthIntrospectionConstants.Parameters.TokenTypeHint] = OAuthIntrospectionConstants.TokenTypes.AccessToken
-            });
+                [OAuthIntrospectionConstants.Parameters.TokenTypeHint] = OAuthIntrospectionConstants.TokenTypeHints.AccessToken
+            };
+
+            // If the introspection endpoint provided by the authorization server supports
+            // client_secret_post, flow the client credentials as regular OAuth2 parameters.
+            // See https://tools.ietf.org/html/draft-ietf-oauth-discovery-05#section-2
+            // and https://tools.ietf.org/html/rfc6749#section-2.3.1 for more information.
+            if (configuration.IntrospectionEndpointAuthMethodsSupported.Contains(OAuthIntrospectionConstants.ClientAuthenticationMethods.ClientSecretPost))
+            {
+                parameters[OAuthIntrospectionConstants.Parameters.ClientId] = Options.ClientId;
+                parameters[OAuthIntrospectionConstants.Parameters.ClientSecret] = Options.ClientSecret;
+            }
+
+            // Otherwise, assume the authorization server only supports basic authentication,
+            // as it's the only authentication method required by the OAuth2 specification.
+            // See https://tools.ietf.org/html/rfc6749#section-2.3.1 for more information.
+            else
+            {
+                var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));
+
+                request.Headers.Authorization = new AuthenticationHeaderValue(OAuthIntrospectionConstants.Schemes.Basic, credentials);
+            }
+
+            request.Content = new FormUrlEncodedContent(parameters);
 
             var notification = new RequestTokenIntrospectionContext(Context, Options, request, token);
             await Options.Events.RequestTokenIntrospection(notification);