Add strict JAR mode (#4409)

* refactor JwtRequest client to be an interface

* add option for strict JAR validation

* add tests for strict validation

src/Directory.Build.targets

@@ -22,7 +22,7 @@
     <PackageReference Update="xunit.runner.visualstudio" Version="2.4.1" PrivateAssets="All" />
 
     <!--our stuff -->
-    <PackageReference Update="IdentityModel" Version="4.2.0" />
+    <PackageReference Update="IdentityModel" Version="4.3.0" />
 
     <PackageReference Update="IdentityServer4" Version="$(IdentityServerVersion)" />
     <PackageReference Update="IdentityServer4.AspNetIdentity" Version="$(IdentityServerVersion)" />

src/IdentityServer4/src/Configuration/DependencyInjection/BuilderExtensions/Additional.cs

@@ -10,6 +10,7 @@
 using System;
 using System.Net.Http;
 using IdentityServer4;
+using IdentityServer4.Configuration;
 using Microsoft.Extensions.Logging;
 
 namespace Microsoft.Extensions.DependencyInjection
@@ -398,14 +399,15 @@ public static IHttpClientBuilder AddJwtRequestUriHttpClient(this IIdentityServer
                         client.Timeout = TimeSpan.FromSeconds(IdentityServerConstants.HttpClients.DefaultTimeoutSeconds);
                     });
             }
-
-            builder.Services.AddTransient<JwtRequestUriHttpClient>(s =>
+            
+            builder.Services.AddTransient<IJwtRequestUriHttpClient, DefaultJwtRequestUriHttpClient>(s =>
             {
                 var httpClientFactory = s.GetRequiredService<IHttpClientFactory>();
                 var httpClient = httpClientFactory.CreateClient(name);
                 var loggerFactory = s.GetRequiredService<ILoggerFactory>();
+                var options = s.GetRequiredService<IdentityServerOptions>();
 
-                return new JwtRequestUriHttpClient(httpClient, loggerFactory);
+                return new DefaultJwtRequestUriHttpClient(httpClient, options, loggerFactory);
             });
 
             return httpBuilder;

src/IdentityServer4/src/Configuration/DependencyInjection/Options/IdentityServerOptions.cs

@@ -40,6 +40,12 @@ public class IdentityServerOptions
         /// Specifies whether scopes in JWTs are emitted as array or string
         /// </summary>
         public bool EmitScopesAsSpaceDelimitedStringInJwt { get; set; } = false;
+
+        /// <summary>
+        /// Specifies whether the JWT typ and content-type for JWT secured authorization requests is checked according to IETF spec.
+        /// This might break older OIDC conformant request objects.
+        /// </summary>
+        public bool StrictJarValidation { get; set; } = false;
 
         /// <summary>
         /// Gets or sets the endpoint configuration.

src/IdentityServer4/src/Services/Default/JwtRequestUriHttpClient.cs → src/IdentityServer4/src/Services/Default/DefaultJwtRequestUriHttpClient.cs

@@ -2,38 +2,39 @@
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
+using System;
 using IdentityServer4.Models;
 using Microsoft.Extensions.Logging;
 using System.Net.Http;
 using System.Threading.Tasks;
+using IdentityModel;
+using IdentityServer4.Configuration;
 
 namespace IdentityServer4.Services
 {
     /// <summary>
-    /// Models making HTTP requests for JWTs from the authorize endpoint.
+    /// Default JwtRequest client
     /// </summary>
-    public class JwtRequestUriHttpClient
+    public class DefaultJwtRequestUriHttpClient : IJwtRequestUriHttpClient
     {
         private readonly HttpClient _client;
-        private readonly ILogger<JwtRequestUriHttpClient> _logger;
+        private readonly IdentityServerOptions _options;
+        private readonly ILogger<DefaultJwtRequestUriHttpClient> _logger;
 
         /// <summary>
-        /// Constructor for DefaultJwtRequestUriHttpClient.
+        /// ctor
         /// </summary>
-        /// <param name="client"></param>
-        /// <param name="loggerFactory"></param>
-        public JwtRequestUriHttpClient(HttpClient client, ILoggerFactory loggerFactory)
+        /// <param name="client">An HTTP client</param>
+        /// <param name="loggerFactory">The logger factory</param>
+        public DefaultJwtRequestUriHttpClient(HttpClient client, IdentityServerOptions options, ILoggerFactory loggerFactory)
         {
             _client = client;
-            _logger = loggerFactory.CreateLogger<JwtRequestUriHttpClient>();
+            _options = options;
+            _logger = loggerFactory.CreateLogger<DefaultJwtRequestUriHttpClient>();
         }
 
-        /// <summary>
-        /// Gets a JWT from the url.
-        /// </summary>
-        /// <param name="url"></param>
-        /// <param name="client"></param>
-        /// <returns></returns>
+
+        /// <inheritdoc />
         public async Task<string> GetJwtAsync(string url, Client client)
         {
             var req = new HttpRequestMessage(HttpMethod.Get, url);
@@ -42,16 +43,23 @@ public async Task<string> GetJwtAsync(string url, Client client)
             var response = await _client.SendAsync(req);
             if (response.StatusCode == System.Net.HttpStatusCode.OK)
             {
-                _logger.LogDebug("Success http response from jwt url {url}", url);
+                if (_options.StrictJarValidation)
+                {
+                    if (!string.Equals(response.Content.Headers.ContentType.MediaType,
+                        $"application/{JwtClaimTypes.JwtTypes.AuthorizationRequest}", StringComparison.Ordinal))
+                    {
+                        _logger.LogError("Invalid content type {type} from jwt url {url}", response.Content.Headers.ContentType.MediaType, url);
+                        return null;
+                    }
+                }
 
-                // todo: check for content-type of "application/oauth.authz.req+jwt"?
-                // this might break OIDC's 
+                _logger.LogDebug("Success http response from jwt url {url}", url);
+
                 var json = await response.Content.ReadAsStringAsync();
                 return json;
             }
 
             _logger.LogError("Invalid http status code {status} from jwt url {url}", response.StatusCode, url);
-
             return null;
         }
     }

src/IdentityServer4/src/Services/IJwtRequestUriHttpClient.cs

@@ -0,0 +1,19 @@
+using System.Threading.Tasks;
+using IdentityServer4.Models;
+
+namespace IdentityServer4.Services
+{
+    /// <summary>
+    /// Models making HTTP requests for JWTs from the authorize endpoint.
+    /// </summary>
+    public interface IJwtRequestUriHttpClient
+    {
+        /// <summary>
+        /// Gets a JWT from the url.
+        /// </summary>
+        /// <param name="url"></param>
+        /// <param name="client"></param>
+        /// <returns></returns>
+        Task<string> GetJwtAsync(string url, Client client);
+    }
+}

src/IdentityServer4/src/Validation/Default/AuthorizeRequestValidator.cs

@@ -27,7 +27,7 @@ internal class AuthorizeRequestValidator : IAuthorizeRequestValidator
         private readonly IResourceValidator _resourceValidator;
         private readonly IUserSession _userSession;
         private readonly JwtRequestValidator _jwtRequestValidator;
-        private readonly JwtRequestUriHttpClient _jwtRequestUriHttpClient;
+        private readonly IJwtRequestUriHttpClient _jwtRequestUriHttpClient;
         private readonly ILogger _logger;
 
         private readonly ResponseTypeEqualityComparer
@@ -41,7 +41,7 @@ public AuthorizeRequestValidator(
             IResourceValidator resourceValidator,
             IUserSession userSession,
             JwtRequestValidator jwtRequestValidator,
-            JwtRequestUriHttpClient jwtRequestUriHttpClient,
+            IJwtRequestUriHttpClient jwtRequestUriHttpClient,
             ILogger<AuthorizeRequestValidator> logger)
         {
             _options = options;

src/IdentityServer4/src/Validation/Default/JwtRequestValidator.cs

@@ -8,6 +8,7 @@
 using System.Linq;
 using System.Threading.Tasks;
 using IdentityModel;
+using IdentityServer4.Configuration;
 using IdentityServer4.Extensions;
 using IdentityServer4.Models;
 using Microsoft.AspNetCore.Http;
@@ -56,13 +57,20 @@ protected string AudienceUri
         /// The logger
         /// </summary>
         protected readonly ILogger Logger;
+
+        /// <summary>
+        /// The optione
+        /// </summary>
+        protected readonly IdentityServerOptions Options;
 
         /// <summary>
         /// Instantiates an instance of private_key_jwt secret validator
         /// </summary>
-        public JwtRequestValidator(IHttpContextAccessor contextAccessor, ILogger<JwtRequestValidator> logger)
+        public JwtRequestValidator(IHttpContextAccessor contextAccessor, IdentityServerOptions options, ILogger<JwtRequestValidator> logger)
         {
             _httpContextAccessor = contextAccessor;
+
+            Options = options;
             Logger = logger;
         }
 
@@ -169,10 +177,13 @@ protected virtual Task<JwtSecurityToken> ValidateJwtAsync(string jwtTokenString,
                 RequireExpirationTime = true
             };
 
+            if (Options.StrictJarValidation)
+            {
+                tokenValidationParameters.ValidTypes = new[] { JwtClaimTypes.JwtTypes.AuthorizationRequest };
+            }
+
             Handler.ValidateToken(jwtTokenString, tokenValidationParameters, out var token);
 
-            // todo: add validation for "typ" header
-
             return Task.FromResult((JwtSecurityToken)token);
         }