Update to .NET RC.2

.github/workflows/ci.yml

@@ -32,7 +32,7 @@ jobs:
       uses: actions/setup-dotnet@v2
       with:
         dotnet-version: |
-          8.0.100-rc.1.23463.5
+            8.0.100-rc.2.23502.2
 
     - run: dotnet --info
 

.github/workflows/codeql-analysis.yml

@@ -41,7 +41,7 @@ jobs:
       uses: actions/setup-dotnet@v2
       with:
         dotnet-version: |
-          8.0.100-rc.1.23463.5
+            8.0.100-rc.2.23502.2
 
     - run: dotnet --info
 

Directory.Build.targets

@@ -15,9 +15,9 @@
     </PropertyGroup>-->
 
     <PropertyGroup Condition=" '$(TargetFramework)' == 'net8.0'">
-        <FrameworkVersion>8.0.0-rc.1.23421.29</FrameworkVersion>
-        <ExtensionsVersion>8.0.0-rc.1.23419.4</ExtensionsVersion>
-        <EntityFrameworkVersion>8.0.0-rc.1.23419.6</EntityFrameworkVersion>
+        <FrameworkVersion>8.0.0-rc.2.23480.2</FrameworkVersion>
+        <ExtensionsVersion>8.0.0-rc.2.23479.6</ExtensionsVersion>
+        <EntityFrameworkVersion>8.0.0-rc.2.23480.1</EntityFrameworkVersion>
         <WilsonVersion>7.0.0</WilsonVersion>
     </PropertyGroup>
 

global.json

@@ -1,6 +1,6 @@
 {
   "sdk": {
-    "version": "8.0.100-rc.1.23463.5",
+    "version": "8.0.100-rc.2.23502.2",
     "rollForward": "latestMajor",
     "allowPrerelease": true
   }

src/IdentityServer/Endpoints/PushedAuthorizationEndpoint.cs

@@ -64,7 +64,7 @@ public async Task<IEndpointResult> ProcessAsync(HttpContext context)
         var client = await _clientValidator.ValidateAsync(context);
         if(client.IsError)
         {
-            return await CreateErrorResultAsync(
+            return CreateErrorResult(
                 logMessage: "Client secret validation failed",
                 request: null,
                 client.Error,
@@ -75,7 +75,7 @@ public async Task<IEndpointResult> ProcessAsync(HttpContext context)
         var parValidationResult = await _parValidator.ValidateAsync(new PushedAuthorizationRequestValidationContext(values, client.Client));
         if (parValidationResult.IsError)
         {
-            return await CreateErrorResultAsync(
+            return CreateErrorResult(
                 logMessage: "Pushed authorization validation failed",
                 request: parValidationResult.ValidatedRequest,
                 parValidationResult.Error,
@@ -92,7 +92,7 @@ public async Task<IEndpointResult> ProcessAsync(HttpContext context)
         };
     }
 
-    private async Task<PushedAuthorizationErrorResult> CreateErrorResultAsync(
+    private PushedAuthorizationErrorResult CreateErrorResult(
         string logMessage,
         ValidatedPushedAuthorizationRequest request = null,
         string error = OidcConstants.AuthorizeErrors.ServerError,

src/IdentityServer/Services/Default/PushedAuthorizationService.cs

@@ -46,6 +46,7 @@ public Task ConsumeAsync(string referenceValue)
         var deserialized = _serializer.Deserialize(par.Parameters);
         return new DeserializedPushedAuthorizationRequest
         {
+            ReferenceValue = referenceValue,
             PushedParameters = deserialized,
             ExpiresAtUtc = par.ExpiresAtUtc
         };

src/IdentityServer/Services/DeserializedPushedAuthorizationRequest.cs

@@ -9,9 +9,24 @@
 
 namespace Duende.IdentityServer.Services;
 
+/// <summary>
+/// A pushed authorization request that is not serialized.
+/// </summary>
 public class DeserializedPushedAuthorizationRequest
 {
-    public string ReferenceValue { get; set; }
-    public NameValueCollection PushedParameters { get; set; }
-    public DateTime ExpiresAtUtc { get; set; }
+    /// <summary>
+    /// The reference value of the pushed authorization request. This is the
+    /// identifier within the request_uri.
+    /// </summary>
+    public required string ReferenceValue { get; set; }
+
+    /// <summary>
+    /// The pushed parameters. 
+    /// </summary>
+    public required NameValueCollection PushedParameters { get; set; }
+
+    /// <summary>
+    /// The expiration time.
+    /// </summary>
+    public required DateTime ExpiresAtUtc { get; set; }
 }

src/IdentityServer/Validation/Default/RequestObjectValidator.cs

@@ -5,7 +5,9 @@
 #nullable enable
 
 using System;
+using System.Collections.Generic;
 using System.Linq;
+using System.Security.Claims;
 using System.Threading.Tasks;
 using Duende.IdentityServer.Configuration;
 using Duende.IdentityServer.Extensions;
@@ -223,14 +225,19 @@ public async Task<AuthorizeRequestValidationResult> ValidateRequestObjectAsync(V
             {
                 LogError("request JWT validation failure", request);
                 return Invalid(request, error: OidcConstants.AuthorizeErrors.InvalidRequestObject, description: "Invalid JWT request");
+            } 
+
+            if(jwtRequestValidationResult.Payload == null)
+            {
+                throw new Exception("JwtRequestValidation succeeded but did not return a payload");
             }
 
             // validate response_type match
             var responseType = request.Raw.Get(OidcConstants.AuthorizeRequest.ResponseType);
             if (responseType != null)
             {
                 var payloadResponseType =
-                    jwtRequestValidationResult.Payload?.SingleOrDefault(c =>
+                    jwtRequestValidationResult.Payload.SingleOrDefault(c =>
                         c.Type == OidcConstants.AuthorizeRequest.ResponseType)?.Value;
 
                 if (!string.IsNullOrEmpty(payloadResponseType))
@@ -245,7 +252,7 @@ public async Task<AuthorizeRequestValidationResult> ValidateRequestObjectAsync(V
 
             // validate client_id mismatch
             var payloadClientId =
-                jwtRequestValidationResult.Payload?.SingleOrDefault(c =>
+                jwtRequestValidationResult.Payload.SingleOrDefault(c =>
                     c.Type == OidcConstants.AuthorizeRequest.ClientId)?.Value;
 
             if (!string.IsNullOrEmpty(payloadClientId))

src/IdentityServer/Validation/Models/JwtRequestValidationResult.cs

@@ -5,6 +5,7 @@
 #nullable enable
 
 using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
 using System.Security.Claims;
 
 namespace Duende.IdentityServer.Validation;
@@ -15,7 +16,8 @@ namespace Duende.IdentityServer.Validation;
 public class JwtRequestValidationResult : ValidationResult
 {
     /// <summary>
-    /// The key/value pairs from the JWT payload of a successfuly validated request.
+    /// The key/value pairs from the JWT payload of a successfully validated
+    /// request, or null if a validation error occurred.
     /// </summary>
     public IEnumerable<Claim>? Payload { get; set; }
 }

test/EntityFramework.Storage.IntegrationTests/Stores/ClientStoreTests.cs

@@ -149,7 +149,9 @@ public async Task FindClientByIdAsync_WhenClientsExistWithManyCollections_Expect
 
             if (await Task.WhenAny(task, Task.Delay(timeout)) == task)
             {
+#pragma warning disable xUnit1031 // Do not use blocking task operations in test method, suppressed because the task must have completed to enter this block
                 var client = task.Result;
+#pragma warning restore xUnit1031 // Do not use blocking task operations in test method
                 client.Should().BeEquivalentTo(testClient);
             }
             else

test/EntityFramework.Tests/Services/CorsPolicyServiceTests.cs

@@ -12,6 +12,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Threading.Tasks;
 using Xunit;
 
 namespace Tests.Services;
@@ -28,7 +29,7 @@ public CorsPolicyServiceTests(DatabaseProviderFixture<ConfigurationDbContext> fi
     }
 
     [Theory, MemberData(nameof(TestDatabaseProviders))]
-    public void IsOriginAllowedAsync_WhenOriginIsAllowed_ExpectTrue(DbContextOptions<ConfigurationDbContext> options)
+    public async Task IsOriginAllowedAsync_WhenOriginIsAllowed_ExpectTrue(DbContextOptions<ConfigurationDbContext> options)
     {
         const string testCorsOrigin = "https://identityserver.io/";
 
@@ -53,14 +54,14 @@ public void IsOriginAllowedAsync_WhenOriginIsAllowed_ExpectTrue(DbContextOptions
         using (var context = new ConfigurationDbContext(options))
         {
             var service = new CorsPolicyService(context, FakeLogger<CorsPolicyService>.Create(), new NoneCancellationTokenProvider());
-            result = service.IsOriginAllowedAsync(testCorsOrigin).Result;
+            result = await service.IsOriginAllowedAsync(testCorsOrigin);
         }
 
         Assert.True(result);
     }
 
     [Theory, MemberData(nameof(TestDatabaseProviders))]
-    public void IsOriginAllowedAsync_WhenOriginIsNotAllowed_ExpectFalse(DbContextOptions<ConfigurationDbContext> options)
+    public async Task IsOriginAllowedAsync_WhenOriginIsNotAllowed_ExpectFalse(DbContextOptions<ConfigurationDbContext> options)
     {
         using (var context = new ConfigurationDbContext(options))
         {
@@ -77,7 +78,7 @@ public void IsOriginAllowedAsync_WhenOriginIsNotAllowed_ExpectFalse(DbContextOpt
         using (var context = new ConfigurationDbContext(options))
         {
             var service = new CorsPolicyService(context, FakeLogger<CorsPolicyService>.Create(), new NoneCancellationTokenProvider());
-            result = service.IsOriginAllowedAsync("InvalidOrigin").Result;
+            result = await service.IsOriginAllowedAsync("InvalidOrigin");
         }
 
         Assert.False(result);

test/IdentityServer.UnitTests/Extensions/IdentityServerBuilderExtensionsCryptoTests.cs

@@ -21,20 +21,22 @@ public void AddSigningCredential_with_json_web_key_containing_asymmetric_key_sho
         IServiceCollection services = new ServiceCollection();
         IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
 
-        String json =
-            @"{
-                ""alg"" : ""RS256"",
-                ""kty"" : ""RSA"",
-                ""use"" : ""sig"",
-                ""d"" : ""KGGNkbbgm2hNMqW6fP1fmcWwEBy77WOJIPAXnDJ0KxNTtqDF8K5ULj7EElHO1A8ZnNl1Ey/x//G9lJCOQUU9wmj010dOSsW0NBbR5NtRtLLuVbkVdyft53PGeTQs+1S3c51fz9jojtNqmlfXSANPFOH6QhxmzpTx3KLsf/TpCzblkSrEGOOqCCvVdl7ybTcB230jNhh3JoL7po1rvxKtoOM4a/Bs0NtKj7e+VaHcf0GLnBPJYetsHu43ZfNejJeDoouaXZzeVEklY3B0pe10OTCIOu0JUKGZxNekklRIo1WSEYdL+CJfrSKWIv8bLj6xSr5zrASvWODyH443LN6ZvQ=="",
-                ""e"" : ""AQAB"",
-                ""n"" : ""q7mZfquRq8tzg/5slbNdQmrosNN/mFXS25dbSPm11qEDCgZa452KkO8+hvMtqa92QaqdlmalSF8+FRDOz3grDR5NtmnXZxuKnp+raKfzpC6hCvh2JSIe/J9enmsMM4YeI4d1FOSDwhJlZIYMdMnqG/VJtO1LSHjOaF3XN31ANKF0nPAsmr2/WysiQlxnxxiikLEnsFuNdS615ODDXFGTQ1E+zc4zVur4/Ox0cllPwHPA4PqoIgdPJPL+xM9IOIXuAGtsp4CYoxT6VWaRrALIZXXDY806WGTuctq4KKot6FGL9HQte2hRLl4E/r8SzIK86U3wRwrBe7saK+XUXoP0gQ="",
-		        ""p"" :	""25dkucyCSqxRcJpRrhl7PXqw7wqBZeLQgYlZLpK493PdM8pFfq+/LK1hFtxIjdFKqXS/TOikB4YCBMEH0Im3HZ8Lo0dub3SWNhdegJyRjMbcoO+A9YSODEj7DFaNpZtdmtDi1n6etJm66ctPSR20NNpzoYZuaJ92fVQiKiOh6Qs="",
-                ""q"" : ""yDKBrS8l1DOx4dwP9hdwhqZJ3XahidiIZSL7m46I/6+cjaki/1mtNiA60MOgqTKegP7Fo7jAYvliqQwnvVGmQvLv19cfKywlIuKN9DdkLHnKh75hfo7aakEbO7GJ5zVgsNnKOdf8wvpclfvIuRDEVva4cksPzsJy6K7C8ENCSCM="",
-                ""dp"" :  ""GlYJ6o6wgawxCEQ5z5uWwETau5CS/Fk7kI2ceI14SZVHzlJQC2WglAcnQcqhmQCk57Xsy5iLM6vKyi8sdMJPh+nvR2HlyNA+w7YBy4L7odqn01VmLgv7zVVjZpNq4ZXEoDC1Q+xjtF1LoYaUt7wsRLp+a7znuPyHBXj1sAAeBwk="",
-                ""dq"" :  ""W8OK3S83T8VCTBzq1Ap6cb3XLcQq11yBaJpYaj0zXr/IKsbUW+dnFeBAFWEWS3gAX3Bod1tAFB3rs0D3FjhO1XE1ruHUT520iAEAwGiDaj+JLh994NzqELo3GW2PoIM/BtFNeKYgHd9UgQsgPnQJCzOb6Aev/z3yHeW9RRQPVbE="",
-                ""qi"" :  ""w4KdmiDN1GtK71JxaasqmEKPNfV3v2KZDXKnfyhUsdx/idKbdTVjvMOkxFPJ4FqV4yIVn06f3QHTm4NEG18Diqxsrzd6kXQIHOa858tLsCcmt9FoGfrgCFgVceh3K/Zah/r8rl9Y61u0Z1kZumwMvFpFE+mVU01t9HgTEAVkHTc="",
-            }";
+        var json =
+            """
+            {
+                "alg": "RS256",
+                "kty": "RSA",
+                "use": "sig",
+                "d": "KGGNkbbgm2hNMqW6fP1fmcWwEBy77WOJIPAXnDJ0KxNTtqDF8K5ULj7EElHO1A8ZnNl1Ey/x//G9lJCOQUU9wmj010dOSsW0NBbR5NtRtLLuVbkVdyft53PGeTQs+1S3c51fz9jojtNqmlfXSANPFOH6QhxmzpTx3KLsf/TpCzblkSrEGOOqCCvVdl7ybTcB230jNhh3JoL7po1rvxKtoOM4a/Bs0NtKj7e+VaHcf0GLnBPJYetsHu43ZfNejJeDoouaXZzeVEklY3B0pe10OTCIOu0JUKGZxNekklRIo1WSEYdL+CJfrSKWIv8bLj6xSr5zrASvWODyH443LN6ZvQ==",
+                "e": "AQAB",
+                "n": "q7mZfquRq8tzg/5slbNdQmrosNN/mFXS25dbSPm11qEDCgZa452KkO8+hvMtqa92QaqdlmalSF8+FRDOz3grDR5NtmnXZxuKnp+raKfzpC6hCvh2JSIe/J9enmsMM4YeI4d1FOSDwhJlZIYMdMnqG/VJtO1LSHjOaF3XN31ANKF0nPAsmr2/WysiQlxnxxiikLEnsFuNdS615ODDXFGTQ1E+zc4zVur4/Ox0cllPwHPA4PqoIgdPJPL+xM9IOIXuAGtsp4CYoxT6VWaRrALIZXXDY806WGTuctq4KKot6FGL9HQte2hRLl4E/r8SzIK86U3wRwrBe7saK+XUXoP0gQ=",
+                "p": "25dkucyCSqxRcJpRrhl7PXqw7wqBZeLQgYlZLpK493PdM8pFfq+/LK1hFtxIjdFKqXS/TOikB4YCBMEH0Im3HZ8Lo0dub3SWNhdegJyRjMbcoO+A9YSODEj7DFaNpZtdmtDi1n6etJm66ctPSR20NNpzoYZuaJ92fVQiKiOh6Qs=",
+                "q": "yDKBrS8l1DOx4dwP9hdwhqZJ3XahidiIZSL7m46I/6+cjaki/1mtNiA60MOgqTKegP7Fo7jAYvliqQwnvVGmQvLv19cfKywlIuKN9DdkLHnKh75hfo7aakEbO7GJ5zVgsNnKOdf8wvpclfvIuRDEVva4cksPzsJy6K7C8ENCSCM=",
+                "dp": "GlYJ6o6wgawxCEQ5z5uWwETau5CS/Fk7kI2ceI14SZVHzlJQC2WglAcnQcqhmQCk57Xsy5iLM6vKyi8sdMJPh+nvR2HlyNA+w7YBy4L7odqn01VmLgv7zVVjZpNq4ZXEoDC1Q+xjtF1LoYaUt7wsRLp+a7znuPyHBXj1sAAeBwk=",
+                "dq": "W8OK3S83T8VCTBzq1Ap6cb3XLcQq11yBaJpYaj0zXr/IKsbUW+dnFeBAFWEWS3gAX3Bod1tAFB3rs0D3FjhO1XE1ruHUT520iAEAwGiDaj+JLh994NzqELo3GW2PoIM/BtFNeKYgHd9UgQsgPnQJCzOb6Aev/z3yHeW9RRQPVbE=",
+                "qi": "w4KdmiDN1GtK71JxaasqmEKPNfV3v2KZDXKnfyhUsdx/idKbdTVjvMOkxFPJ4FqV4yIVn06f3QHTm4NEG18Diqxsrzd6kXQIHOa858tLsCcmt9FoGfrgCFgVceh3K/Zah/r8rl9Y61u0Z1kZumwMvFpFE+mVU01t9HgTEAVkHTc="
+            }
+            """;
 
         JsonWebKey jsonWebKey = new JsonWebKey(json);
         SigningCredentials credentials = new SigningCredentials(jsonWebKey, jsonWebKey.Alg);
@@ -48,12 +50,14 @@ public void AddSigningCredential_with_json_web_key_containing_symmetric_key_shou
         IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
 
         String json =
-            @"{
-                ""alg"" : ""HS256"",
-                ""kty"" : ""oct"",
-                ""use"" : ""sig"",
-                ""k"" : ""y5FHaQFtC294HLAtPXAcMkxZ5gHzCq24223vSYQUrDuu-3CUw7UzPru-AX30ubeB2IM_gUsNQ80bX22wwSk_3LC6XxYxqeGJZSeoQqHG0VNbaWCVkqeuB_HOiL1-ksPfGT-o8_A_Uv-6zi2NaEOYpnIyff5LpdW__LhiE-bhIenaw7GhoXSAfsGEZfNZpUUOU35NAiN2dv0T5vptb87wkL1I2zLhV0pdLvWsDWgQPINEa8bbCA_mseBYpB1eioZvt0TZbp6CL9tiEoiikYV_F3IutrJ2SOWYtDNFeQ3sbyYP7zTzh9a2eyaM8ca5_q3qosI92AbZ7WpEFLa9cZ_O7g""
-            }";
+            """
+            {
+                "alg" : "HS256",
+                "kty" : "oct",
+                "use" : "sig",
+                "k" : "y5FHaQFtC294HLAtPXAcMkxZ5gHzCq24223vSYQUrDuu-3CUw7UzPru-AX30ubeB2IM_gUsNQ80bX22wwSk_3LC6XxYxqeGJZSeoQqHG0VNbaWCVkqeuB_HOiL1-ksPfGT-o8_A_Uv-6zi2NaEOYpnIyff5LpdW__LhiE-bhIenaw7GhoXSAfsGEZfNZpUUOU35NAiN2dv0T5vptb87wkL1I2zLhV0pdLvWsDWgQPINEa8bbCA_mseBYpB1eioZvt0TZbp6CL9tiEoiikYV_F3IutrJ2SOWYtDNFeQ3sbyYP7zTzh9a2eyaM8ca5_q3qosI92AbZ7WpEFLa9cZ_O7g"
+            }
+            """;
 
         JsonWebKey jsonWebKey = new JsonWebKey(json);
         SigningCredentials credentials = new SigningCredentials(jsonWebKey, jsonWebKey.Alg);

test/IdentityServer.UnitTests/Services/Default/DefaultCorsPolicyServiceTests.cs

@@ -3,6 +3,7 @@
 
 
 using System;
+using System.Threading.Tasks;
 using Duende.IdentityServer.Services;
 using FluentAssertions;
 using UnitTests.Common;
@@ -23,54 +24,54 @@ public DefaultCorsPolicyServiceTests()
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_null_param_ReturnsFalse()
+    public async Task IsOriginAllowed_null_param_ReturnsFalse()
     {
-        subject.IsOriginAllowedAsync(null).Result.Should().Be(false);
-        subject.IsOriginAllowedAsync(String.Empty).Result.Should().Be(false);
-        subject.IsOriginAllowedAsync("    ").Result.Should().Be(false);
+        (await subject.IsOriginAllowedAsync(null)).Should().Be(false);
+        (await subject.IsOriginAllowedAsync(String.Empty)).Should().Be(false);
+        (await subject.IsOriginAllowedAsync("    ")).Should().Be(false);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_OriginIsAllowed_ReturnsTrue()
+    public async Task IsOriginAllowed_OriginIsAllowed_ReturnsTrue()
     {
         subject.AllowedOrigins.Add("http://foo");
-        subject.IsOriginAllowedAsync("http://foo").Result.Should().Be(true);
+        (await subject.IsOriginAllowedAsync("http://foo")).Should().Be(true);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_OriginIsNotAllowed_ReturnsFalse()
+    public async Task IsOriginAllowed_OriginIsNotAllowed_ReturnsFalse()
     {
         subject.AllowedOrigins.Add("http://foo");
-        subject.IsOriginAllowedAsync("http://bar").Result.Should().Be(false);
+        (await subject.IsOriginAllowedAsync("http://bar")).Should().Be(false);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_OriginIsInAllowedList_ReturnsTrue()
+    public async Task IsOriginAllowed_OriginIsInAllowedList_ReturnsTrue()
     {
         subject.AllowedOrigins.Add("http://foo");
         subject.AllowedOrigins.Add("http://bar");
         subject.AllowedOrigins.Add("http://baz");
-        subject.IsOriginAllowedAsync("http://bar").Result.Should().Be(true);
+        (await subject.IsOriginAllowedAsync("http://bar")).Should().Be(true);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_OriginIsNotInAllowedList_ReturnsFalse()
+    public async Task IsOriginAllowed_OriginIsNotInAllowedList_ReturnsFalse()
     {
         subject.AllowedOrigins.Add("http://foo");
         subject.AllowedOrigins.Add("http://bar");
         subject.AllowedOrigins.Add("http://baz");
-        subject.IsOriginAllowedAsync("http://quux").Result.Should().Be(false);
+        (await subject.IsOriginAllowedAsync("http://quux")).Should().Be(false);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_AllowAllTrue_ReturnsTrue()
+    public async Task IsOriginAllowed_AllowAllTrue_ReturnsTrue()
     {
         subject.AllowAll = true;
-        subject.IsOriginAllowedAsync("http://foo").Result.Should().Be(true);
+        (await subject.IsOriginAllowedAsync("http://foo")).Should().Be(true);
     }
 }