DuendeSoftware · josephdecock · May 19, 2023 · May 22, 2023 · May 22, 2023 · May 23, 2023
diff --git a/clients/src/APIs/DPoPApi/DPoP/DPoPJwtBearerEvents.cs b/clients/src/APIs/DPoPApi/DPoP/DPoPJwtBearerEvents.cs
@@ -41,14 +41,14 @@ public override async Task TokenValidated(TokenValidatedContext context)
     {
         var dpopOptions = _optionsMonitor.Get(context.Scheme.Name);
 
-        if (context.HttpContext.Request.IsDPoPAuthorizationScheme())
+        if (context.HttpContext.Request.TryGetDPoPAccessToken(out var at))
         {
             var proofToken = context.HttpContext.Request.GetDPoPProofToken();
             var result = await _validator.ValidateAsync(new DPoPProofValidatonContext
             {
                 Scheme = context.Scheme.Name,
                 ProofToken = proofToken,
-                AccessTokenClaims = context.Principal.Claims,
+                AccessToken = at,
                 Method = context.HttpContext.Request.Method,
                 Url = context.HttpContext.Request.Scheme + "://" + context.HttpContext.Request.Host + context.HttpContext.Request.PathBase + context.HttpContext.Request.Path
             });

diff --git a/clients/src/APIs/DPoPApi/DPoP/DPoPProofValidatonContext.cs b/clients/src/APIs/DPoPApi/DPoP/DPoPProofValidatonContext.cs
@@ -1,5 +1,3 @@
-using System.Collections.Generic;
-using System.Security.Claims;
 
 namespace DPoPApi;
 
@@ -26,7 +24,7 @@ public class DPoPProofValidatonContext
     public string ProofToken { get; set; }
 
     /// <summary>
-    /// The validated claims from the access token
+    /// The access token
     /// </summary>
-    public IEnumerable<Claim> AccessTokenClaims { get; set; }
+    public string AccessToken { get; set; }
 }
diff --git a/clients/src/APIs/DPoPApi/DPoP/DPoPProofValidatonResult.cs b/clients/src/APIs/DPoPApi/DPoP/DPoPProofValidatonResult.cs
@@ -45,6 +45,11 @@ public class DPoPProofValidatonResult
     /// The jti value read from the payload.
     /// </summary>
     public string TokenId { get; set; }
+
+    /// <summary>
+    /// The ath value read from the payload.
+    /// </summary>
+    public string AccessTokenHash { get; set; }
 
     /// <summary>
     /// The nonce value read from the payload.

diff --git a/clients/src/APIs/DPoPApi/DPoP/DPoPProofValidator.cs b/clients/src/APIs/DPoPApi/DPoP/DPoPProofValidator.cs
@@ -7,6 +7,8 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Security.Cryptography;
+using System.Text;
 using System.Text.Json;
 using System.Threading.Tasks;
 
@@ -211,6 +213,32 @@ protected virtual Task ValidateSignatureAsync(DPoPProofValidatonContext context,
     /// </summary>
     protected virtual async Task ValidatePayloadAsync(DPoPProofValidatonContext context, DPoPProofValidatonResult result)
     {
+        if (result.Payload.TryGetValue(JwtClaimTypes.DPoPAccessTokenHash, out var ath))
+        {
+            result.AccessTokenHash = ath as string;
+        }
+
+        if (String.IsNullOrEmpty(result.AccessTokenHash))
+        {
+            result.IsError = true;
+            result.ErrorDescription = "Invalid 'ath' value.";
+            return;
+        }
+
+        using (var sha = SHA256.Create())
+        {
+            var bytes = Encoding.UTF8.GetBytes(context.AccessToken);
+            var hash = sha.ComputeHash(bytes);
+
+            var accessTokenHash = Base64Url.Encode(hash);
+            if (accessTokenHash != result.AccessTokenHash)
+            {
+                result.IsError = true;
+                result.ErrorDescription = "Invalid 'ath' value.";
+                return;
+            }
+        }
+
         if (result.Payload.TryGetValue(JwtClaimTypes.JwtId, out var jti))
         {
             result.TokenId = jti as string;

diff --git a/src/IdentityServer/Extensions/AuthenticationTicketExtensions.cs b/src/IdentityServer/Extensions/AuthenticationTicketExtensions.cs
@@ -156,6 +156,10 @@ public static AuthenticationTicket Deserialize(this ServerSideSession session, I
                 properties.ExpiresUtc = null;
             }
 
+            // similar to the expires update above, this is needed so that the ticket will have the 
+            // right issued timestamp when the cookie handler performs its sliding logic
+            properties.IssuedUtc = new DateTimeOffset(session.Renewed, TimeSpan.Zero);
+
             return new AuthenticationTicket(user, properties, ticket.Scheme);
         }
         catch (Exception ex)

diff --git a/test/IdentityServer.IntegrationTests/Hosting/ServerSideSessionTests.cs b/test/IdentityServer.IntegrationTests/Hosting/ServerSideSessionTests.cs
@@ -21,6 +21,8 @@
 using Microsoft.AspNetCore.Session;
 using FluentAssertions.Common;
 using Duende.IdentityServer;
+using Microsoft.AspNetCore.DataProtection;
+using Duende.IdentityServer.Extensions;
 
 namespace IntegrationTests.Hosting;
 
@@ -34,6 +36,7 @@ public class ServerSideSessionTests
     private ISessionManagementService _sessionMgmt;
     private IPersistedGrantStore _grantStore;
     private IRefreshTokenStore _refreshTokenStore;
+    private IDataProtector _protector;
 
     private MockServerUrls _urls = new MockServerUrls();
 
@@ -122,6 +125,7 @@ public ServerSideSessionTests()
         _sessionMgmt = _pipeline.Resolve<ISessionManagementService>();
         _grantStore = _pipeline.Resolve<IPersistedGrantStore>();
         _refreshTokenStore = _pipeline.Resolve<IRefreshTokenStore>();
+        _protector = _pipeline.Resolve<IDataProtectionProvider>().CreateProtector("Duende.SessionManagement.ServerSideTicketStore");
     }
 
     async Task<bool> IsLoggedIn()
@@ -542,17 +546,26 @@ public async Task using_refresh_token_should_extend_session()
             RedirectUri = "https://client/callback"
         });
 
-        var expiration1 = (await _sessionStore.GetSessionsAsync(new SessionFilter { SubjectId = "alice" })).Single().Expires.Value;
+        var ticket1 = (await _sessionStore.GetSessionsAsync(new SessionFilter { SubjectId = "alice" })).Single()
+            .Deserialize(_protector, null);
+        var expiration1 = ticket1.GetExpiration();
+        var issued1 = ticket1.GetIssued();
+
+        await Task.Delay(1000);
 
         await _pipeline.BackChannelClient.RequestRefreshTokenAsync(new RefreshTokenRequest {
             Address = IdentityServerPipeline.TokenEndpoint,
             ClientId = "client",
             RefreshToken = tokenResponse.RefreshToken
         });
-
-        var expiration2 = (await _sessionStore.GetSessionsAsync(new SessionFilter { SubjectId = "alice" })).Single().Expires.Value;
 
-        expiration2.Should().BeAfter(expiration1);
+        var ticket2 = (await _sessionStore.GetSessionsAsync(new SessionFilter { SubjectId = "alice" })).Single()
+            .Deserialize(_protector, null);
+        var expiration2 = ticket2.GetExpiration();
+        var issued2 = ticket2.GetIssued();
+
+        issued2.Should().BeAfter(issued1);
+        expiration2.Value.Should().BeAfter(expiration1.Value);
     }
 
     [Fact]