Description
Affected component: Duende.IdentityModel.OidcClient
Version: 7.0.0
Describe the bug
At HelseID we require authorization server-provided DPoP nonces from the Token-endpoint. We are now planning to establish a new requirement where clients must use a unique Client Assertion when performing client authentication; uniqueness is determined by investigating the jti-claim.
We have observed that the OidcClient reuses the client assertion when performing the two Token-requests required by the DPoP nonce flow.
Steps to reproduce
Reproducing the problem requires a setup of IdentityServer using the default private_key_jwt secret validator. This includes a replay cache that will reject re-use of client assertions. IdentityServer must be set up to require server-provided DPoP nonces.
A standard client that uses the private_key_jwt mechanism with Duende.IdentityModel.OidcClient should be enough to recreate the problem.
Expected behavior
The expected behavior would be for the two Token-requests to use unique client assertions.
Additional context
The problem seems to be at RedeemCodeAsync in ResponseProcessor (foss/identity-model-oidc-client/src/IdentityModel.OidcClient/ResponseProcessor.cs, Line 184 in 1c74e3d):

```csharp
ClientAssertion = await _options.GetClientAssertionAsync(),
```

Here we initialize the AuthorizationCodeTokenRequest object with a client assertion; this will be re-used for both the Token-requests.
I suspect we will see the same behavior when performing Refresh token-requests and Client Credentials token-requests.
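The interaction described in this issue, as an added, self-contained illustration (not code from OidcClient or IdentityServer): a minimal token endpoint with a jti replay cache and a required server-provided DPoP nonce, and a client that either reuses one assertion across the two requests of the nonce flow or obtains a fresh one per request. `ClientAssertion`, `TokenEndpoint` and `getClientAssertionAsync` are hypothetical stand-ins, and the two-attempt loop is an assumption about the flow, not the library's actual control flow.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Hypothetical stand-in for a private_key_jwt client assertion; only the jti matters here.
record ClientAssertion(string Jti);

// Minimal token endpoint: client authentication (jti replay check) runs before the
// DPoP nonce check, which is why a reused assertion is rejected on the retry.
class TokenEndpoint
{
    private readonly HashSet<string> _seenJti = new();
    public string? CurrentNonce { get; private set; }

    public (bool Ok, string Error) Redeem(ClientAssertion assertion, string? dpopNonce)
    {
        if (!_seenJti.Add(assertion.Jti))
            return (false, "invalid_client: client assertion jti already used");
        if (dpopNonce is null || dpopNonce != CurrentNonce)
        {
            CurrentNonce = Guid.NewGuid().ToString("N"); // issue a fresh nonce for the retry
            return (false, "use_dpop_nonce");
        }
        return (true, "");
    }
}

static class TokenClient
{
    // reuseAssertion = true mirrors the reported behaviour: one assertion obtained up front
    // and sent on both requests. reuseAssertion = false obtains a new assertion per request.
    public static async Task<(bool Ok, string Error)> RedeemCodeAsync(
        TokenEndpoint endpoint, Func<Task<ClientAssertion>> getClientAssertionAsync, bool reuseAssertion)
    {
        var assertion = await getClientAssertionAsync();
        string? nonce = null;
        for (var attempt = 0; attempt < 2; attempt++)
        {
            if (attempt > 0 && !reuseAssertion) assertion = await getClientAssertionAsync();
            var result = endpoint.Redeem(assertion, nonce);
            if (result.Ok || result.Error != "use_dpop_nonce") return result;
            nonce = endpoint.CurrentNonce; // retry once with the server-provided nonce
        }
        return (false, "too many use_dpop_nonce retries");
    }

    static async Task Main()
    {
        Func<Task<ClientAssertion>> fresh = () => Task.FromResult(new ClientAssertion(Guid.NewGuid().ToString("N")));
        Console.WriteLine(await RedeemCodeAsync(new TokenEndpoint(), fresh, reuseAssertion: true));
        Console.WriteLine(await RedeemCodeAsync(new TokenEndpoint(), fresh, reuseAssertion: false));
    }
}
```

The first call fails at the replay check on the second request, the second call succeeds; the defender-side takeaway is that a jti replay cache on the token endpoint surfaces this class of client bug immediately rather than silently accepting the repeated assertion.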