aspnet-contrib
diff --git a/‎src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionConfiguration.cs‎
Lines changed: 69 additions & 0 deletions b/‎src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionConfiguration.cs‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs‎
Lines changed: 8 additions & 42 deletions b/‎src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs‎
Lines changed: 8 additions & 42 deletions
diff --git a/‎src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs‎
Lines changed: 59 additions & 8 deletions b/‎src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionMiddleware.cs‎
Lines changed: 59 additions & 8 deletions
diff --git a/‎src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs‎
Lines changed: 34 additions & 10 deletions b/‎src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionOptions.cs‎
Lines changed: 34 additions & 10 deletions
diff --git a/‎src/AspNet.Security.OAuth.Introspection/project.json‎
Lines changed: 3 additions & 2 deletions b/‎src/AspNet.Security.OAuth.Introspection/project.json‎
Lines changed: 3 additions & 2 deletions
@@ -0,0 +1,69 @@
+using System;
+using System.Threading;
+using System.Threading.Tasks;
+using JetBrains.Annotations;
+using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
+using Newtonsoft.Json;
+
+namespace AspNet.Security.OAuth.Introspection
+{
+    /// <summary>
+    /// Represents an OAuth2 introspection configuration.
+    /// </summary>
+    [JsonObject(MemberSerialization = MemberSerialization.OptIn)]
+    public class OAuthIntrospectionConfiguration : OpenIdConnectConfiguration
+    {
+        /// <summary>
+        /// Initializes a new instance of the <see cref="OAuthIntrospectionConfiguration"/> class.
+        /// </summary>
+        public OAuthIntrospectionConfiguration()
+            : base() { }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="OAuthIntrospectionConfiguration"/> class.
+        /// </summary>
+        /// <param name="json">The JSON payload used to initialize the current instance.</param>
+        public OAuthIntrospectionConfiguration([NotNull] string json)
+            : base(json) { }
+
+        /// <summary>
+        /// Gets or sets the introspection endpoint address.
+        /// </summary>
+        [JsonProperty(
+            DefaultValueHandling = DefaultValueHandling.Ignore,
+            NullValueHandling = NullValueHandling.Ignore,
+            PropertyName = OAuthIntrospectionConstants.Metadata.IntrospectionEndpoint)]
+        public string IntrospectionEndpoint { get; set; }
+
+        /// <summary>
+        /// Represents a configuration retriever able to deserialize
+        /// <see cref="OAuthIntrospectionConfiguration"/> instances.
+        /// </summary>
+        public class Retriever : IConfigurationRetriever<OAuthIntrospectionConfiguration>
+        {
+            /// <summary>
+            /// Retrieves the OAuth2 introspection configuration from the specified address.
+            /// </summary>
+            /// <param name="address">The address of the discovery document.</param>
+            /// <param name="retriever">The object used to retrieve the discovery document.</param>
+            /// <param name="cancellationToken">The <see cref="CancellationToken"/> that can be used to abort the operation.</param>
+            /// <returns>An <see cref="OAuthIntrospectionConfiguration"/> instance.</returns>
+            public async Task<OAuthIntrospectionConfiguration> GetConfigurationAsync(
+                [NotNull] string address, [NotNull] IDocumentRetriever retriever, CancellationToken cancellationToken)
+            {
+                if (string.IsNullOrEmpty(address))
+                {
+                    throw new ArgumentException("The address cannot be null or empty.", nameof(address));
+                }
+
+                if (retriever == null)
+                {
+                    throw new ArgumentNullException(nameof(retriever));
+                }
+
+                return new OAuthIntrospectionConfiguration(await retriever.GetDocumentAsync(address, cancellationToken));
+            }
+        }
+    }
+}
@@ -359,59 +359,25 @@ protected override async Task<bool> HandleUnauthorizedAsync(ChallengeContext con
             return false;
         }
 
-        protected virtual async Task<string> ResolveIntrospectionEndpointAsync(string issuer)
-        {
-            if (issuer.EndsWith("/"))
-            {
-                issuer = issuer.Substring(0, issuer.Length - 1);
-            }
-
-            // Create a new discovery request containing the access token and the client credentials.
-            var request = new HttpRequestMessage(HttpMethod.Get, issuer + "/.well-known/openid-configuration");
-            request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
-
-            var response = await Options.HttpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, Context.RequestAborted);
-            if (!response.IsSuccessStatusCode)
-            {
-                Logger.LogError("An error occurred when retrieving the issuer metadata: the remote server " +
-                                "returned a {Status} response with the following payload: {Headers} {Body}.",
-                                /* Status: */ response.StatusCode,
-                                /* Headers: */ response.Headers.ToString(),
-                                /* Body: */ await response.Content.ReadAsStringAsync());
-
-                return null;
-            }
-
-            var payload = JObject.Parse(await response.Content.ReadAsStringAsync());
-
-            var address = payload[OAuthIntrospectionConstants.Metadata.IntrospectionEndpoint];
-            if (address == null)
-            {
-                return null;
-            }
-
-            return (string) address;
-        }
-
         protected virtual async Task<JObject> GetIntrospectionPayloadAsync(string token)
         {
-            // Note: updating the options during a request is not thread safe but is harmless in this case:
-            // in the worst case, it will only send multiple configuration requests to the authorization server.
-            if (string.IsNullOrEmpty(Options.IntrospectionEndpoint))
+            var configuration = await Options.ConfigurationManager.GetConfigurationAsync(Context.RequestAborted);
+            if (configuration == null)
             {
-                Options.IntrospectionEndpoint = await ResolveIntrospectionEndpointAsync(Options.Authority);
+                throw new InvalidOperationException("The OAuth2 introspection middleware was unable to retrieve " +
+                                                    "the provider configuration from the OAuth2 authorization server.");
             }
 
-            if (string.IsNullOrEmpty(Options.IntrospectionEndpoint))
+            if (string.IsNullOrEmpty(configuration.IntrospectionEndpoint))
             {
                 throw new InvalidOperationException("The OAuth2 introspection middleware was unable to retrieve " +
-                                                    "the provider configuration from the OAuth2 authorization server.");
+                                                    "the introspection endpoint address from the discovery document.");
             }
 
             var credentials = Convert.ToBase64String(Encoding.ASCII.GetBytes($"{Options.ClientId}:{Options.ClientSecret}"));
 
             // Create a new introspection request containing the access token and the client credentials.
-            var request = new HttpRequestMessage(HttpMethod.Post, Options.IntrospectionEndpoint);
+            var request = new HttpRequestMessage(HttpMethod.Post, configuration.IntrospectionEndpoint);
             request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
             request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);
 
@@ -427,7 +393,7 @@ protected virtual async Task<JObject> GetIntrospectionPayloadAsync(string token)
             var response = await Options.HttpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, Context.RequestAborted);
             if (!response.IsSuccessStatusCode)
             {
-                Logger.LogError("An error occurred when validating an access token: the remote server " +
+                Logger.LogError("An error occurred while validating an access token: the remote server " +
                                 "returned a {Status} response with the following payload: {Headers} {Body}.",
                                 /* Status: */ response.StatusCode,
                                 /* Headers: */ response.Headers.ToString(),
 
@@ -14,6 +14,8 @@
 using Microsoft.Extensions.Caching.Distributed;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Protocols;
+using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 
 namespace AspNet.Security.OAuth.Introspection
 {
@@ -28,14 +30,7 @@ public OAuthIntrospectionMiddleware(
             [NotNull] IDataProtectionProvider dataProtectionProvider)
             : base(next, options, loggerFactory, encoder)
         {
-            if (string.IsNullOrEmpty(Options.Authority) &&
-                string.IsNullOrEmpty(Options.IntrospectionEndpoint))
-            {
-                throw new ArgumentException("The authority or the introspection endpoint must be configured.", nameof(options));
-            }
-
-            if (string.IsNullOrEmpty(Options.ClientId) ||
-                string.IsNullOrEmpty(Options.ClientSecret))
+            if (string.IsNullOrEmpty(Options.ClientId) || string.IsNullOrEmpty(Options.ClientSecret))
             {
                 throw new ArgumentException("Client credentials must be configured.", nameof(options));
             }
@@ -74,6 +69,62 @@ public OAuthIntrospectionMiddleware(
 
                 Options.HttpClient.DefaultRequestHeaders.UserAgent.ParseAdd("ASP.NET Core OAuth2 introspection middleware");
             }
+
+            if (Options.ConfigurationManager == null)
+            {
+                if (Options.Configuration != null)
+                {
+                    if (string.IsNullOrEmpty(Options.Configuration.IntrospectionEndpoint))
+                    {
+                        throw new ArgumentException("The introspection endpoint address cannot be null or empty.", nameof(options));
+                    }
+
+                    Options.ConfigurationManager = new StaticConfigurationManager<OAuthIntrospectionConfiguration>(Options.Configuration);
+                }
+
+                else
+                {
+                    if (Options.Authority == null && Options.MetadataAddress == null)
+                    {
+                        throw new ArgumentException("The authority or an absolute metadata endpoint address must be provided.", nameof(options));
+                    }
+
+                    if (Options.MetadataAddress == null)
+                    {
+                        Options.MetadataAddress = new Uri(".well-known/openid-configuration", UriKind.Relative);
+                    }
+
+                    if (!Options.MetadataAddress.IsAbsoluteUri)
+                    {
+                        if (Options.Authority == null || !Options.Authority.IsAbsoluteUri)
+                        {
+                            throw new ArgumentException("The authority must be provided and must be an absolute URL.", nameof(options));
+                        }
+
+                        if (!string.IsNullOrEmpty(Options.Authority.Fragment) || !string.IsNullOrEmpty(Options.Authority.Query))
+                        {
+                            throw new ArgumentException("The authority cannot contain a fragment or a query string.", nameof(options));
+                        }
+
+                        if (!Options.Authority.OriginalString.EndsWith("/"))
+                        {
+                            Options.Authority = new Uri(Options.Authority.OriginalString + "/", UriKind.Absolute);
+                        }
+
+                        Options.MetadataAddress = new Uri(Options.Authority, Options.MetadataAddress);
+                    }
+
+                    if (Options.RequireHttpsMetadata && !Options.MetadataAddress.Scheme.Equals("https", StringComparison.OrdinalIgnoreCase))
+                    {
+                        throw new ArgumentException("The metadata endpoint address must be a HTTPS URL when " +
+                                                    "'RequireHttpsMetadata' is not set to 'false'.", nameof(options));
+                    }
+
+                    Options.ConfigurationManager = new ConfigurationManager<OAuthIntrospectionConfiguration>(
+                        Options.MetadataAddress.AbsoluteUri, new OAuthIntrospectionConfiguration.Retriever(),
+                        new HttpDocumentRetriever(Options.HttpClient) { RequireHttps = Options.RequireHttpsMetadata });
+                }
+            }
         }
 
         protected override AuthenticationHandler<OAuthIntrospectionOptions> CreateHandler()
 
@@ -4,13 +4,15 @@
  * concerning the license and the contributors participating to this project.
  */
 
+using System;
 using System.Collections.Generic;
 using System.Net.Http;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Http.Authentication;
 using Microsoft.Extensions.Caching.Distributed;
+using Microsoft.IdentityModel.Protocols;
 
 namespace AspNet.Security.OAuth.Introspection
 {
@@ -24,21 +26,37 @@ public OAuthIntrospectionOptions()
         }
 
         /// <summary>
-        /// Gets the intended audiences of this resource server.
-        /// Setting this property is recommended when the authorization
-        /// server issues access tokens for multiple distinct resource servers.
+        /// Gets or sets the absolute URL of the OAuth2/OpenID Connect server.
+        /// Note: this property is ignored when <see cref="Configuration"/>
+        /// or <see cref="ConfigurationManager"/> are set.
         /// </summary>
-        public ISet<string> Audiences { get; } = new HashSet<string>();
+        public Uri Authority { get; set; }
 
         /// <summary>
-        /// Gets or sets the base address of the OAuth2/OpenID Connect server.
+        /// Gets or sets the URL of the OAuth2/OpenID Connect server discovery endpoint.
+        /// When the URL is relative, <see cref="Authority"/> must be set and absolute.
+        /// Note: this property is ignored when <see cref="Configuration"/>
+        /// or <see cref="ConfigurationManager"/> are set.
         /// </summary>
-        public string Authority { get; set; }
+        public Uri MetadataAddress { get; set; }
 
         /// <summary>
-        /// Gets or sets the address of the introspection endpoint.
+        /// Gets or sets a boolean indicating whether HTTPS is required to retrieve the metadata document.
+        /// The default value is <c>true</c>. This option should be used only in development environments.
+        /// Note: this property is ignored when <see cref="Configuration"/> or <see cref="ConfigurationManager"/> are set.
         /// </summary>
-        public string IntrospectionEndpoint { get; set; }
+        public bool RequireHttpsMetadata { get; set; } = true;
+
+        /// <summary>
+        /// Gets or sets the configuration used by the introspection middleware.
+        /// Note: this property is ignored when <see cref="ConfigurationManager"/> is set.
+        /// </summary>
+        public OAuthIntrospectionConfiguration Configuration { get; set; }
+
+        /// <summary>
+        /// Gets or sets the configuration manager used by the introspection middleware.
+        /// </summary>
+        public IConfigurationManager<OAuthIntrospectionConfiguration> ConfigurationManager { get; set; }
 
         /// <summary>
         /// Gets or sets the client identifier representing the resource server.
@@ -57,6 +75,13 @@ public OAuthIntrospectionOptions()
         /// </summary>
         public string Realm { get; set; }
 
+        /// <summary>
+        /// Gets the intended audiences of this resource server.
+        /// Setting this property is recommended when the authorization
+        /// server issues access tokens for multiple distinct resource servers.
+        /// </summary>
+        public ISet<string> Audiences { get; } = new HashSet<string>();
+
         /// <summary>
         /// Gets or sets a boolean determining whether the access token should be stored in the
         /// <see cref="AuthenticationProperties"/> after a successful authentication process.
@@ -84,8 +109,7 @@ public OAuthIntrospectionOptions()
         public OAuthIntrospectionEvents Events { get; set; } = new OAuthIntrospectionEvents();
 
         /// <summary>
-        /// Gets or sets the HTTP client used to communicate
-        /// with the remote OAuth2/OpenID Connect server.
+        /// Gets or sets the HTTP client used to communicate with the remote OAuth2 server.
         /// </summary>
         public HttpClient HttpClient { get; set; }
 
 
@@ -35,19 +35,20 @@
     "JetBrains.Annotations": { "type": "build", "version": "10.1.4" },
     "Microsoft.AspNetCore.Authentication": "1.0.0",
     "Microsoft.Extensions.Caching.Abstractions": "1.0.0",
+    "Microsoft.IdentityModel.Protocols.OpenIdConnect": "2.0.0",
     "Newtonsoft.Json": "9.0.1"
   },
 
   "frameworks": {
     "net451": { },
 
-    "netstandard1.3": {
+    "netstandard1.4": {
       "dependencies": {
         "System.Dynamic.Runtime": "4.0.11"
       },
 
       "imports": [
-        "dotnet5.4",
+        "dotnet5.5",
         "portable-net451+win8"
       ]
     }