Merge pull request #27 from JoeShook/main

.config/dotnet-tools.json

@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "dotnet-ef": {
-      "version": "8.0.4",
+      "version": "8.0.5",
       "commands": [
         "dotnet-ef"
       ]

Directory.Packages.props

@@ -5,18 +5,18 @@
   <ItemGroup>
     <!-- https://learn.microsoft.com/en-us/nuget/concepts/package-versioning#version-ranges -->
     <PackageVersion Include="Duende.IdentityServer.Storage" Version="6.3.7" />
-    <PackageVersion Include="Google.Apis.Auth" Version="1.67.0" />
+    <PackageVersion Include="Google.Apis.Auth" Version="1.68.0" />
     <PackageVersion Include="LazyCache" Version="2.4.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.3" />
     <PackageVersion Include="AspNetCoreRateLimit" Version="5.0.0" />
-    <PackageVersion Include="Hl7.Fhir.Specification.R4B" Version="5.3.0" />
-    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.2" />
-    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="8.0.2" />
-    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.4" />
+    <PackageVersion Include="Hl7.Fhir.Specification.R4B" Version="5.8.1" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="8.0.5" />
+    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="8.0.5" />
+    <PackageVersion Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="8.0.5" />
     <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="8.0.1" />
-    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.5.1" />
-    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="7.5.1" />
+    <PackageVersion Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="7.5.2" />
+    <PackageVersion Include="Microsoft.IdentityModel.Tokens" Version="7.5.2" />
     <PackageVersion Include="MSTest.TestAdapter" Version="3.1.1" />
     <PackageVersion Include="MSTest.TestFramework" Version="3.1.1" />
     <PackageVersion Include="IdentityModel" Version="7.0.0" />
@@ -27,28 +27,28 @@
     <PackageVersion Include="Duende.IdentityServer.EntityFramework.Storage" Version="7.0.4" />
     <PackageVersion Include="IdentityModel.AspNetCore.OAuth2Introspection" Version="6.2.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc" Version="2.2.0" />
-    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="8.0.4" />
+    <PackageVersion Include="Microsoft.EntityFrameworkCore" Version="8.0.5" />
     <PackageVersion Include="Microsoft.EntityFrameworkCore.Design" Version="[7.0.13,8.0.1]" />
     <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer" Version="[7.0.13,8.0.0]" />
-    <PackageVersion Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.19.6" />
+    <PackageVersion Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.20.1" />
     <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite" Version="[7.0.14,8.0.1]" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="[6.0.0,7.0.0]" />
     <PackageVersion Include="Microsoft.Extensions.Configuration" Version="8.0.0" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="[6.0.0,7.0.1]" />
     <PackageVersion Include="Microsoft.Extensions.Options" Version="8.0.2" />
     <PackageVersion Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="8.0.0" />
-    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.5.1" />
-    <PackageVersion Include="OpenTelemetry" Version="1.7.0" />
-    <PackageVersion Include="OpenTelemetry.Exporter.Console" Version="1.7.0" />
-    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.7.0" />
-    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.7.0" />
-    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.7.0" />
-    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.7.0" />
+    <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="7.5.2" />
+    <PackageVersion Include="OpenTelemetry" Version="1.8.1" />
+    <PackageVersion Include="OpenTelemetry.Exporter.Console" Version="1.8.1" />
+    <PackageVersion Include="OpenTelemetry.Exporter.OpenTelemetryProtocol" Version="1.8.1" />
+    <PackageVersion Include="OpenTelemetry.Extensions.Hosting" Version="1.8.1" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.8.1" />
+    <PackageVersion Include="OpenTelemetry.Instrumentation.Http" Version="1.8.1" />
     <PackageVersion Include="OpenTelemetry.Instrumentation.SqlClient" Version="1.0.0-rc9.14" />
     <PackageVersion Include="Serilog.AspNetCore" Version="[6.1.0,7.0.0]" />
     <PackageVersion Include="Serilog.Extensions.Logging" Version="[3.1.0,7.0.0]" />
     <PackageVersion Include="Portable.BouncyCastle" Version="1.9.0" />
-    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="7.5.1" />
+    <PackageVersion Include="System.IdentityModel.Tokens.Jwt" Version="7.5.2" />
     <PackageVersion Include="Udap.Metadata.Server" Version="0.3.24" />
     <PackageVersion Include="Yarp.ReverseProxy" Version="2.1.0" />
   </ItemGroup>

Udap.Metadata.Server/Configuration/DependencyInjection/ServiceCollectionExtensions.cs

@@ -21,7 +21,7 @@
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
-using System.Net.Http;
+using Hl7.Fhir.Utility;
 using Udap.Common;
 using Udap.Common.Certificates;
 using Udap.Common.Extensions;
@@ -126,7 +126,7 @@ public static IApplicationBuilder UseUdapMetadataServer(this WebApplication app,
     {
         EnsureMvcControllerUnloads(app);
 
-        app.MapGet($"/{prefixRoute}{UdapConstants.Discovery.DiscoveryEndpoint}",
+        app.MapGet($"/{prefixRoute?.EnsureTrailingSlash().RemovePrefix("/")}{UdapConstants.Discovery.DiscoveryEndpoint}",
                 async (
                     [FromServices] UdapMetaDataEndpoint endpoint,
                     HttpContext httpContext,
@@ -136,13 +136,13 @@ public static IApplicationBuilder UseUdapMetadataServer(this WebApplication app,
             .Produces(StatusCodes.Status200OK)
             .Produces(StatusCodes.Status404NotFound); // community doesn't exist
 
-        app.MapGet($"/{prefixRoute}{UdapConstants.Discovery.DiscoveryEndpoint}/communities",
+        app.MapGet($"/{prefixRoute?.EnsureTrailingSlash().RemovePrefix("/")}{UdapConstants.Discovery.DiscoveryEndpoint}/communities",
                 ([FromServices] UdapMetaDataEndpoint endpoint) => endpoint.GetCommunities())
             .AllowAnonymous()
             .Produces(StatusCodes.Status200OK)
             .Produces(StatusCodes.Status404NotFound); // community doesn't exist
 
-        app.MapGet($"/{prefixRoute}{UdapConstants.Discovery.DiscoveryEndpoint}/communities/ashtml",
+        app.MapGet($"/{prefixRoute?.EnsureTrailingSlash().RemovePrefix("/")}{UdapConstants.Discovery.DiscoveryEndpoint}/communities/ashtml",
                 (
                     [FromServices] UdapMetaDataEndpoint endpoint,
                     HttpContext httpContext) => endpoint.GetCommunitiesAsHtml(httpContext))
@@ -156,7 +156,7 @@ public static IApplicationBuilder UseUdapMetadataServer(this WebApplication app,
     public static IApplicationBuilder UseUdapMetadataServer(this IApplicationBuilder app, string? prefixRoute = null)
     {
 
-        app.Map($"/{prefixRoute}{UdapConstants.Discovery.DiscoveryEndpoint}", path =>
+        app.Map($"/{prefixRoute?.EnsureTrailingSlash().RemovePrefix("/")}{UdapConstants.Discovery.DiscoveryEndpoint}", path =>
         {
             path.Run(async ctx =>
             {

Udap.Metadata.Server/UdapMetaDataEndpoint.cs

@@ -42,7 +42,6 @@ public IResult GetCommunities()
         return Results.Ok(_metaDataBuilder.GetCommunities());
     }
 
-
     public IResult GetCommunitiesAsHtml(HttpContext httpContext)
     {
         var html = _metaDataBuilder.GetCommunitiesAsHtml(httpContext.Request.GetDisplayUrl().GetBaseUrlFromMetadataUrl());

Udap.Model/Access/AccessTokenRequestForAuthorizationCodeBuilder.cs

@@ -67,21 +67,13 @@ public AccessTokenRequestForAuthorizationCodeBuilder WithClaim(Claim claim)
     }
 
     /// <summary>
-    /// Legacy refers to the current udap.org/UDAPTestTool behavior as documented in
-    /// udap.org profiles.  The HL7 Security IG has the following constraint to make it
-    /// more friendly with OIDC and SMART launch frameworks.
-    /// sub == iss == client_id
-    /// Where as the Legacy is the following behavior
-    /// sub == iis == SubAlt Name
+    /// Build an <see cref="UdapAuthorizationCodeTokenRequest"/>
     /// </summary>
-    /// <param name="legacy"></param>
     /// <param name="algorithm"></param>
     /// <returns></returns>
-    public UdapAuthorizationCodeTokenRequest Build(
-        bool legacy = false,
-        string? algorithm = UdapConstants.SupportedAlgorithm.RS256)
+    public UdapAuthorizationCodeTokenRequest Build(string? algorithm = UdapConstants.SupportedAlgorithm.RS256)
     {
-        var clientAssertion = BuildClientAssertion(algorithm, legacy);
+        var clientAssertion = BuildClientAssertion(algorithm);
 
         return new UdapAuthorizationCodeTokenRequest()
         {
@@ -99,34 +91,18 @@ public UdapAuthorizationCodeTokenRequest Build(
         };
     }
 
-    private string? BuildClientAssertion(string algorithm, bool legacy = false)
+    private string? BuildClientAssertion(string algorithm)
     {
         JwtPayLoadExtension jwtPayload;
 
-        if (legacy)
-        {
-            //udap.org profile
-            jwtPayload = new JwtPayLoadExtension(
-                _certificate.GetNameInfo(X509NameType.UrlName,
-                    false), //TODO:: Let user pick the subject alt name.  Create will need extra param.
-                _tokenEndpoint, //The FHIR Authorization Server's token endpoint URL
-                _claims,
-                _now,
-                _now.AddMinutes(5)
-            );
-        }
-
-        else
-        {
-            //HL7 FHIR IG profile
-            jwtPayload = new JwtPayLoadExtension(
-                _clientId,
-                _tokenEndpoint, //The FHIR Authorization Server's token endpoint URL
-                _claims,
-                _now,
-                _now.AddMinutes(5)
-            );
-        }
+        //HL7 FHIR IG profile
+        jwtPayload = new JwtPayLoadExtension(
+            _clientId,
+            _tokenEndpoint, //The FHIR Authorization Server's token endpoint URL
+            _claims,
+            _now,
+            _now.AddMinutes(5)
+        );
 
         return SignedSoftwareStatementBuilder<JwtPayLoadExtension>
             .Create(_certificate, jwtPayload)

Udap.Model/Access/AccessTokenRequestForClientCredentialsBuilder.cs

@@ -91,21 +91,13 @@ public AccessTokenRequestForClientCredentialsBuilder WithExtension(string key, B
     }
 
     /// <summary>
-    /// Legacy refers to the current udap.org/UDAPTestTool behavior as documented in
-    /// udap.org profiles.  The HL7 Security IG has the following constraint to make it
-    /// more friendly with OIDC and SMART launch frameworks.
-    /// sub == iss == client_id
-    /// Where as the Legacy is the following behavior
-    /// sub == iis == SubAlt Name
+    /// Build an <see cref="UdapClientCredentialsTokenRequest"/>
     /// </summary>
-    /// <param name="legacy"></param>
     /// <param name="algorithm"></param>
     /// <returns></returns>
-    public UdapClientCredentialsTokenRequest Build(
-        bool legacy = false, 
-        string? algorithm = UdapConstants.SupportedAlgorithm.RS256)
+    public UdapClientCredentialsTokenRequest Build(string? algorithm = UdapConstants.SupportedAlgorithm.RS256)
     {
-        var clientAssertion = BuildClientAssertion(algorithm, legacy);
+        var clientAssertion = BuildClientAssertion(algorithm);
 
         return new UdapClientCredentialsTokenRequest
         {
@@ -122,34 +114,18 @@ public UdapClientCredentialsTokenRequest Build(
     }
 
 
-    private string BuildClientAssertion(string algorithm, bool legacy = false)
+    private string BuildClientAssertion(string algorithm)
     {
         JwtPayLoadExtension jwtPayload;
-
-        if (legacy)
-        {
-            //udap.org profile
-            jwtPayload = new JwtPayLoadExtension(
-                _certificate.GetNameInfo(X509NameType.UrlName,
-                    false), //TODO:: Let user pick the subject alt name.  Create will need extra param.
-                _tokenEndoint, //The FHIR Authorization Server's token endpoint URL
-                _claims,
-                _now,
-                _now.AddMinutes(5)
-            );
-        }
-
-        else
-        {
-            //HL7 FHIR IG profile
-            jwtPayload = new JwtPayLoadExtension(
-                _clientId, //TODO:: Let user pick the subject alt name.  Create will need extra param.
-                _tokenEndoint, //The FHIR Authorization Server's token endpoint URL
-                _claims,
-                _now,
-                _now.AddMinutes(5)
-            );
-        }
+
+        //HL7 FHIR IG profile
+        jwtPayload = new JwtPayLoadExtension(
+            _clientId, //TODO:: Let user pick the subject alt name.  Create will need extra param.
+            _tokenEndoint, //The FHIR Authorization Server's token endpoint URL
+            _claims,
+            _now,
+            _now.AddMinutes(5)
+        );
 
         if (_extensions != null)
         {

Udap.Model/Statement/SignedSoftwareStatementBuilder.cs

@@ -40,19 +40,18 @@ public static SignedSoftwareStatementBuilder<T> Create(X509Certificate2 certific
     // we could add more builder methods
     //
 
-    public string Build(string? algorithm = UdapConstants.SupportedAlgorithm.RS256)
+    public string Build(string? algorithm = null)
     {
-        algorithm ??= UdapConstants.SupportedAlgorithm.RS256;
-
 #if NET5_0_OR_GREATER
         //
         // Short circuit to ECDSA
         //
         if (_certificate.GetECDsaPublicKey() != null)
         {
-            return BuildECDSA();
+            return BuildECDSA(algorithm);
         }
 #endif
+        algorithm ??= UdapConstants.SupportedAlgorithm.RS256;
         var securityKey = new X509SecurityKey(_certificate);
         var signingCredentials = new SigningCredentials(securityKey, algorithm);
 
@@ -75,11 +74,9 @@ public string Build(string? algorithm = UdapConstants.SupportedAlgorithm.RS256)
 
 #if NET5_0_OR_GREATER
 
-    public string BuildECDSA(string? algorithm = UdapConstants.SupportedAlgorithm.ES384)
+    public string BuildECDSA(string? algorithm = null)
     {
-
-        algorithm ??= UdapConstants.SupportedAlgorithm.ES384;
-
+        algorithm ??= UdapConstants.SupportedAlgorithm.ES256;
         var key = _certificate.GetECDsaPrivateKey();
         using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP384);
 

Udap.Server/Configuration/DependencyInjection/UdapBuilderExtensions/UdapCore.cs

@@ -116,7 +116,7 @@ public static IUdapServiceBuilder AddUdapResponseGenerators(this IUdapServiceBui
 
     public static IUdapServiceBuilder AddPrivateFileStore(this IUdapServiceBuilder builder, string? resourceServerName = null)
     {
-        builder.Services.AddSingleton<IPrivateCertificateStore>(sp =>
+        builder.Services.TryAddSingleton<IPrivateCertificateStore>(sp =>
             new IssuedCertificateStore(
                 sp.GetRequiredService<IOptionsMonitor<UdapFileCertStoreManifest>>(),
                 sp.GetRequiredService<ILogger<IssuedCertificateStore>>(),

Udap.Server/Configuration/DependencyInjection/UdapServerServiceCollectionExtensions.cs

@@ -28,6 +28,7 @@
 using Udap.Server.Mappers;
 using Udap.Server.Options;
 using Udap.Server.ResponseHandling;
+using Udap.Server.Security.Authentication.TieredOAuth;
 using Udap.Server.Stores;
 using Udap.Server.Validation;
 using static Udap.Server.Constants;
@@ -166,6 +167,7 @@ public static IUdapServiceBuilder AddUdapServerAsIdentityProvider(
             services.Configure(setupAction);
         }
 
+        builder.Services.TryAddSingleton<IPostConfigureOptions<ServerSettings>, TieredIdpServerSettings>();
         builder.AddUdapSigningCredentials();
         services.AddSingleton(resolver => resolver.GetRequiredService<IOptions<ServerSettings>>().Value);
         builder.AddRegistrationEndpointToOpenIdConnectMetadata(baseUrl);

Udap.Server/Configuration/ServerSettings.cs

@@ -13,10 +13,6 @@
 namespace Udap.Server.Configuration;
 public class ServerSettings
 {
-    [JsonPropertyName("ServerSupport")]
-    [JsonConverter(typeof(JsonStringEnumConverter))]
-    public ServerSupport ServerSupport { get; set; }
-
     [JsonPropertyName("DefaultSystemScopes")]
     public string? DefaultSystemScopes { get; set; }
 
@@ -34,7 +30,13 @@ public class ServerSettings
     /// </summary>
     [JsonPropertyName("ForceStateParamOnAuthorizationCode")]
     public bool ForceStateParamOnAuthorizationCode { get; set; } = false;
-
+
+    /// <summary>
+    /// Indicate if the IdentityServer can act as a UDAP enabled IdP.
+    /// </summary>
+    [JsonIgnore] 
+    public bool TieredIdp { get; set; } = false;
+
     [JsonPropertyName("LogoRequired")]
     public bool LogoRequired { get; set; } = true;
 
@@ -50,12 +52,6 @@ public class ServerSettings
 }
 
 
-public enum ServerSupport
-{
-    UDAP = 0,
-    Hl7SecurityIG = 1
-}
-
 public static class ConfigurationExtension
 {
     public static TOptions GetOption<TOptions>(this IConfiguration configuration, string settingKey)