Client-Initiated Backchannel Authentication (#17)

* Update nuget packages versions
* Initial CIBA implementation
* Fixed comments and issues found by SonarQube
* Added registration and metadata
* Added use of RequireSignedRequestObject and RequirePushedAuthorizationRequests
* Require redirect_uris only for Authorization Code and Implicit flows
* Add signing algorithms dynamic validation
* Added TokenEndpointAuthMethodValidator

.gitignore

@@ -364,7 +364,7 @@ FodyWeavers.xsd
 /.idea/.idea.Oidc.Server.dir/.idea
 
 .env
-/.idea/.idea.Abblix.Oidc/Docker/
+/.idea/
 /local-npm.cmd
 /local-rebuild.cmd
 /Certificates/myCA/private/Abblix Licensing.pem

Abblix.DependencyInjection/Abblix.DependencyInjection.csproj

@@ -8,7 +8,7 @@
     <GeneratePackageOnBuild>true</GeneratePackageOnBuild>
     <PackageId>Abblix.DependencyInjection</PackageId>
     <Title>Abblix DependencyInjection</Title>
-    <Description>Enhances .NET applications by extending the standard dependency injection framework. It supports essential patterns such as service aliasing, composite services, and decorators, simplifying and enhancing service registration and resolution processes.</Description>
+    <Description>Enhances .NET applications by extending the .NET Dependency Injection framework. It supports essential patterns such as service aliasing, composite services and decorators, simplifying and enhancing service registration and resolution processes.</Description>
     <Authors>Abblix LLP</Authors>
     <PackageProjectUrl>https://www.abblix.com/abblix-oidc-server</PackageProjectUrl>
     <RepositoryUrl>https://github.com/Abblix/Oidc.Server</RepositoryUrl>
@@ -20,8 +20,8 @@
     <PackageReleaseNotes>For detailed release notes, visit: https://github.com/Abblix/Oidc.Server/releases</PackageReleaseNotes>
     <PackageIcon>Abblix.png</PackageIcon>
     <PackageRequireLicenseAcceptance>true</PackageRequireLicenseAcceptance>
-    <AssemblyVersion>1.1.0.0</AssemblyVersion>
-    <FileVersion>1.1.0.0</FileVersion>
+    <AssemblyVersion>1.2.0.0</AssemblyVersion>
+    <FileVersion>1.2.0.0</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>

Abblix.Jwt.UnitTests/Abblix.Jwt.UnitTests.csproj

@@ -10,8 +10,8 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.10.0" />
-        <PackageReference Include="xunit" Version="2.9.0" />
+        <PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
+        <PackageReference Include="xunit" Version="2.9.1" />
         <PackageReference Include="xunit.runner.visualstudio" Version="2.8.2">
             <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
             <PrivateAssets>all</PrivateAssets>

Abblix.Jwt.UnitTests/JwtEncryptionTests.cs

@@ -21,7 +21,6 @@
 // info@abblix.com
 
 using System.Text.Json.Nodes;
-using Abblix.Utils;
 using Microsoft.IdentityModel.Tokens;
 using Xunit;
 

Abblix.Jwt/Abblix.Jwt.csproj

@@ -20,13 +20,13 @@
     <PackageReleaseNotes>For detailed release notes, visit: https://github.com/Abblix/Oidc.Server/releases</PackageReleaseNotes>
     <PackageIcon>Abblix.png</PackageIcon>
     <PackageRequireLicenseAcceptance>true</PackageRequireLicenseAcceptance>
-    <AssemblyVersion>1.1.0.0</AssemblyVersion>
-    <FileVersion>1.1.0.0</FileVersion>
+    <AssemblyVersion>1.2.0.0</AssemblyVersion>
+    <FileVersion>1.2.0.0</FileVersion>
   </PropertyGroup>
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.1" />
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.6.2" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.1.0" />
     <PackageReference Include="System.Linq.Async" Version="6.0.1" />
   </ItemGroup>
 

Abblix.Jwt/IJsonWebTokenCreator.cs

@@ -30,7 +30,7 @@ public interface IJsonWebTokenCreator
 	/// <summary>
 	/// Lists the all supported signing algorithms for JWT creation.
 	/// </summary>
-	IEnumerable<string> SigningAlgValuesSupported { get; }
+	IEnumerable<string> SignedResponseAlgorithmsSupported { get; }
 
 	/// <summary>
 	/// Issues a new JWT based on the specified JsonWebToken object, signing key, and optional encrypting key.

Abblix.Jwt/IJsonWebTokenValidator.cs

@@ -31,7 +31,7 @@ public interface IJsonWebTokenValidator
 	/// Indicates which algorithms are accepted by the validator for verifying the signatures of incoming JWTs,
 	/// ensuring that only tokens signed with recognized and secure algorithms are considered valid.
 	/// </summary>
-	IEnumerable<string> SigningAlgValuesSupported { get; }
+	IEnumerable<string> SigningAlgorithmsSupported { get; }
 
 	/// <summary>
 	/// Asynchronously validates a JWT against a set of specified parameters.

Abblix.Jwt/JsonWebKeyExtensions.cs

@@ -41,11 +41,7 @@ public static class JsonWebKeyExtensions
 	/// <exception cref="InvalidOperationException">Thrown when the algorithm is not supported.</exception>
 	public static SigningCredentials ToSigningCredentials(this JsonWebKey jsonWebKey)
 	{
-		return jsonWebKey.Algorithm switch
-		{
-			SigningAlgorithms.RS256 => new SigningCredentials(jsonWebKey.ToSecurityKey(), SigningAlgorithms.RS256),
-			_ => throw new InvalidOperationException($"Not supported algorithm: {jsonWebKey.Algorithm}"),
-		};
+		return new SigningCredentials(jsonWebKey.ToSecurityKey(), jsonWebKey.Algorithm);
 	}
 
 	/// <summary>
@@ -68,7 +64,7 @@ public static EncryptingCredentials ToEncryptingCredentials(this JsonWebKey json
 	{
 		return jsonWebKey.Algorithm switch
 		{
-			SigningAlgorithms.RS256 => new EncryptingCredentials(
+			SecurityAlgorithms.RsaSha256 => new EncryptingCredentials(
 				jsonWebKey.ToSecurityKey(),
 				SecurityAlgorithms.RsaOAEP,
 				SecurityAlgorithms.Aes128CbcHmacSha256),

Abblix.Jwt/JsonWebTokenAlgorithms.cs

@@ -20,8 +20,6 @@
 // CONTACT: For license inquiries or permissions, contact Abblix LLP at
 // info@abblix.com
 
-using System.IdentityModel.Tokens.Jwt;
-
 namespace Abblix.Jwt;
 
 internal static class JsonWebTokenAlgorithms
@@ -33,8 +31,24 @@ internal static class JsonWebTokenAlgorithms
     /// for supported algorithms used by both JsonWebTokenCreator and JsonWebTokenValidator classes,
     /// leveraging JwtSecurityTokenHandler under the hood.
     /// </summary>
-    public static readonly IEnumerable<string> SigningAlgValuesSupported =
-        JwtSecurityTokenHandler.DefaultOutboundAlgorithmMap.Values
-            .Append(SigningAlgorithms.None)
-            .ToArray();
+    public static readonly IEnumerable<string> SigningAlgValuesSupported = new[]
+    {
+        SigningAlgorithms.RS256,
+        SigningAlgorithms.RS384,
+        SigningAlgorithms.RS512,
+
+        SigningAlgorithms.PS256,
+        SigningAlgorithms.PS384,
+        SigningAlgorithms.PS512,
+
+        SigningAlgorithms.ES256,
+        SigningAlgorithms.ES384,
+        SigningAlgorithms.ES512,
+
+        SigningAlgorithms.HS256,
+        SigningAlgorithms.HS384,
+        SigningAlgorithms.HS512,
+
+        SigningAlgorithms.None,
+    };
 }

Abblix.Jwt/JsonWebTokenCreator.cs

@@ -40,7 +40,7 @@ public sealed class JsonWebTokenCreator : IJsonWebTokenCreator
     /// This property reflects the JWT security token handler's default outbound algorithm mapping,
     /// indicating the algorithms available for signing the tokens.
     /// </summary>
-    public IEnumerable<string> SigningAlgValuesSupported => JsonWebTokenAlgorithms.SigningAlgValuesSupported;
+    public IEnumerable<string> SignedResponseAlgorithmsSupported => JsonWebTokenAlgorithms.SigningAlgValuesSupported;
 
     /// <summary>
     /// Asynchronously issues a JWT based on the specified JsonWebToken, signing key, and optional encrypting key.
@@ -65,7 +65,7 @@ public Task<string> IssueAsync(
         {
             TokenType = jwt.Header.Type,
             Issuer = jwt.Payload.Issuer,
-            Audience = jwt.Payload.Audiences?.SingleOrDefault(), //TODO replace JwtSecurityTokenHandler with own code to overcome this limitation
+            Audience = jwt.Payload.Audiences.SingleOrDefault(), //TODO replace JwtSecurityTokenHandler with own code to overcome this limitation
 
             IssuedAt = CheckDateOverflow(jwt.Payload.IssuedAt, nameof(jwt.Payload.IssuedAt)),
             NotBefore = CheckDateOverflow(jwt.Payload.NotBefore, nameof(jwt.Payload.NotBefore)),

Abblix.Jwt/JsonWebTokenHeader.cs

@@ -68,7 +68,7 @@ public string? Type
     /// </summary>
     /// <remarks>
     /// The 'alg' parameter identifies the cryptographic algorithm used to secure the JWT.
-    /// Common algorithms include HS256, RS256, and ES256. It is crucial for verifying the JWT's integrity.
+    /// Common algorithms include HS256, RS256, and ES256. It is crucial for verifying the JWT integrity.
     /// </remarks>
     public string? Algorithm
     {

Abblix.Jwt/JsonWebTokenValidator.cs

@@ -38,7 +38,7 @@ public class JsonWebTokenValidator : IJsonWebTokenValidator
     /// by the JwtSecurityTokenHandler for inbound tokens, as well as an option to accept tokens without a signature.
     /// This allows for flexibility in validating JWTs with various security requirements.
     /// </summary>
-    public IEnumerable<string> SigningAlgValuesSupported => JsonWebTokenAlgorithms.SigningAlgValuesSupported;
+    public IEnumerable<string> SigningAlgorithmsSupported => JsonWebTokenAlgorithms.SigningAlgValuesSupported;
 
     /// <summary>
     /// Asynchronously validates a JWT string against specified validation parameters.

Abblix.Jwt/SigningAlgorithms.cs

@@ -27,16 +27,83 @@ namespace Abblix.Jwt;
 /// </summary>
 public static class SigningAlgorithms
 {
+	/// <summary>
+	/// Represents the "none" signing algorithm.
+	/// This value is used when no digital signature or MAC operation is performed on the JWT.
+	/// It is important to use this algorithm with caution as it implies that the JWT is unprotected.
+	/// </summary>
+	public const string None = "none";
+
 	/// <summary>
 	/// Represents the RS256 (RSA Signature with SHA-256) signing algorithm.
 	/// This algorithm is commonly used for creating JWT signatures using RSA keys with SHA-256 hashing.
 	/// </summary>
 	public const string RS256 = "RS256";
 
 	/// <summary>
-	/// Represents the "none" signing algorithm.
-	/// This value is used when no digital signature or MAC operation is performed on the JWT.
-	/// It is important to use this algorithm with caution as it implies that the JWT is unprotected.
+	/// Represents the RS384 (RSA Signature with SHA-384) signing algorithm.
+	/// This algorithm enhances security by using SHA-384 for the hashing process while signing JWTs.
 	/// </summary>
-	public const string None = "none";
+	public const string RS384 = "RS384";
+
+	/// <summary>
+	/// Represents the RS512 (RSA Signature with SHA-512) signing algorithm.
+	/// This algorithm provides a higher level of security by using SHA-512 for signing JWTs.
+	/// </summary>
+	public const string RS512 = "RS512";
+
+	/// <summary>
+	/// Represents the PS256 (RSA PSS Signature with SHA-256) signing algorithm.
+	/// This algorithm is similar to RS256 but uses RSA PSS (Probabilistic Signature Scheme) for improved security.
+	/// </summary>
+	public const string PS256 = "PS256";
+
+	/// <summary>
+	/// Represents the PS384 (RSA PSS Signature with SHA-384) signing algorithm.
+	/// This algorithm enhances security by using SHA-384 in conjunction with RSA PSS for signing.
+	/// </summary>
+	public const string PS384 = "PS384";
+
+	/// <summary>
+	/// Represents the PS512 (RSA PSS Signature with SHA-512) signing algorithm.
+	/// This algorithm offers a higher level of security by using SHA-512 with RSA PSS for signing.
+	/// </summary>
+	public const string PS512 = "PS512";
+
+	/// <summary>
+	/// Represents the ES256 (Elliptic Curve Signature with SHA-256) signing algorithm.
+	/// This algorithm uses the ECDSA (Elliptic Curve Digital Signature Algorithm) with SHA-256 hashing,
+	/// offering a compact signature size and high security, making it suitable for JWT signing.
+	/// </summary>
+	public const string ES256 = "ES256";
+
+	/// <summary>
+	/// Represents the ES384 (Elliptic Curve Signature with SHA-384) signing algorithm.
+	/// This algorithm uses ECDSA with SHA-384, providing enhanced security for signing JWTs.
+	/// </summary>
+	public const string ES384 = "ES384";
+
+	/// <summary>
+	/// Represents the ES512 (Elliptic Curve Signature with SHA-512) signing algorithm.
+	/// This algorithm provides a very high level of security using SHA-512 in ECDSA for JWT signing.
+	/// </summary>
+	public const string ES512 = "ES512";
+
+	/// <summary>
+	/// Represents the HS256 (HMAC with SHA-256) signing algorithm.
+	/// This algorithm uses a shared secret key along with SHA-256 hashing to sign JWTs.
+	/// </summary>
+	public const string HS256 = "HS256";
+
+	/// <summary>
+	/// Represents the HS384 (HMAC with SHA-384) signing algorithm.
+	/// This algorithm enhances security by using SHA-384 for signing JWTs with a shared secret key.
+	/// </summary>
+	public const string HS384 = "HS384";
+
+	/// <summary>
+	/// Represents the HS512 (HMAC with SHA-512) signing algorithm.
+	/// This algorithm provides a higher level of security using SHA-512 with HMAC for signing JWTs.
+	/// </summary>
+	public const string HS512 = "HS512";
 }

Abblix.Jwt/ValidJsonWebToken.cs

@@ -29,7 +29,7 @@ namespace Abblix.Jwt;
 public record ValidJsonWebToken(JsonWebToken Token) : JwtValidationResult
 {
 	/// <summary>
-	/// Gets the successfully validated JsonWebToken.
+	/// The successfully validated JsonWebToken.
 	/// </summary>
 	public JsonWebToken Token { get; } = Token;
 }

Abblix.Oidc.Server.Mvc/Abblix.Oidc.Server.Mvc.csproj

@@ -22,8 +22,8 @@
         <PackageReleaseNotes>For detailed release notes, visit: https://github.com/Abblix/Oidc.Server/releases</PackageReleaseNotes>
         <PackageIcon>Abblix.png</PackageIcon>
         <PackageRequireLicenseAcceptance>true</PackageRequireLicenseAcceptance>
-        <AssemblyVersion>1.1.0.0</AssemblyVersion>
-        <FileVersion>1.1.0.0</FileVersion>
+        <AssemblyVersion>1.2.0.0</AssemblyVersion>
+        <FileVersion>1.2.0.0</FileVersion>
     </PropertyGroup>
 
     <ItemGroup>
@@ -35,10 +35,6 @@
         <ProjectReference Include="..\Abblix.Jwt\Abblix.Jwt.csproj" />
         <ProjectReference Include="..\Abblix.Oidc.Server\Abblix.Oidc.Server.csproj" />
     </ItemGroup>
-
-    <ItemGroup>
-      <PackageReference Include="Microsoft.CodeAnalysis.CSharp" Version="4.10.0" />
-    </ItemGroup>
 
     <ItemGroup>
         <None Include="..\Abblix.png" Link="Abblix.png" Pack="true" PackagePath="" />