Update Duende.IdentityModel

Directory.Packages.props

@@ -1,38 +1,38 @@
 <Project>
   <PropertyGroup Condition=" '$(TargetFramework)' == 'net8.0'">
     <!-- We depend on the most permissive version of the JwtBearer handler 
-             that doesn't give us a transitive depedency on a vulnerable package. -->
+             that doesn't give us a transitive dependency on a vulnerable package. -->
     <FrameworkVersion>8.0.1</FrameworkVersion>
     <ExtensionsVersion>8.0.0</ExtensionsVersion>
     <WilsonVersion>7.1.2</WilsonVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(TargetFramework)' == 'net9.0'">
     <!-- We depend on the most permissive version of the JwtBearer handler 
-             that doesn't give us a transitive depedency on a vulnerable package. -->
-    <FrameworkVersion>9.0.0-rc.2.24474.3</FrameworkVersion>
-    <ExtensionsVersion>9.0.0-rc.2.24473.5</ExtensionsVersion>
+             that doesn't give us a transitive dependency on a vulnerable package. -->
+    <FrameworkVersion>9.0.0</FrameworkVersion>
+    <ExtensionsVersion>9.0.0</ExtensionsVersion>
     <WilsonVersion>8.0.1</WilsonVersion>
   </PropertyGroup>
   <ItemGroup>
     <!-- <PackageVersion Include="Duende.AccessTokenManagement" Version="3.0.0" /> -->
-    <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="3.0.0" />
-    <PackageVersion Include="Meziantou.Extensions.Logging.Xunit" Version="1.0.7" />
+    <PackageVersion Include="Duende.AccessTokenManagement.OpenIdConnect" Version="3.1.1" />
+    <PackageVersion Include="Meziantou.Extensions.Logging.Xunit" Version="1.0.8" />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="$(FrameworkVersion)" />
-    <PackageVersion Include="IdentityModel" Version="7.0.0" />
+    <PackageVersion Include="Duende.IdentityModel" Version="7.0.0" />
     <!-- Build -->
     <PackageVersion Include="MinVer" Version="6.0.0" />
     <!-- Test -->
-    <PackageVersion Include="AngleSharp" Version="1.1.2" />
-    <PackageVersion Include="coverlet.collector" Version="6.0.2" />
-    <PackageVersion Include="Duende.IdentityServer" Version="7.0.7" />
+    <PackageVersion Include="AngleSharp" Version="1.2.0" />
+    <PackageVersion Include="coverlet.collector" Version="6.0.3" />
+    <PackageVersion Include="Duende.IdentityServer" Version="7.1.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Mvc.Testing" Version="$(FrameworkVersion)" />
-    <PackageVersion Include="Microsoft.Extensions.TimeProvider.Testing" Version="8.7.0" />
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.11.1" />
-    <PackageVersion Include="NSubstitute" Version="5.1.0" />
+    <PackageVersion Include="Microsoft.Extensions.TimeProvider.Testing" Version="9.1.0" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="17.12.0" />
+    <PackageVersion Include="NSubstitute" Version="5.3.0" />
     <PackageVersion Include="RichardSzalay.MockHttp" Version="7.0.0" />
     <PackageVersion Include="Shouldly" Version="4.2.1" />
-    <PackageVersion Include="System.Text.Json" Version="8.0.5" />
-    <PackageVersion Include="xunit.core" Version="2.9.2" />
-    <PackageVersion Include="xunit.runner.visualstudio" Version="2.8.2" />
+    <PackageVersion Include="System.Text.Json" Version="9.0.1" />
+    <PackageVersion Include="xunit.core" Version="2.9.3" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.1" />
   </ItemGroup>
 </Project>

src/AspNetCore.Authentication.JwtBearer/AspNetCore.Authentication.JwtBearer.csproj

@@ -27,7 +27,7 @@
 
     <ItemGroup>
         <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
-        <PackageReference Include="IdentityModel" />
+        <PackageReference Include="Duende.IdentityModel" />
         <PackageReference Include="MinVer">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>

src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPExtensions.cs

@@ -1,9 +1,8 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
-using System.Diagnostics.CodeAnalysis;
 using System.Text.Json;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using Microsoft.IdentityModel.Tokens;

src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPJwtBearerEvents.cs

@@ -3,14 +3,14 @@
 
 using System.Diagnostics.CodeAnalysis;
 using System.Text;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.Net.Http.Headers;
-using static IdentityModel.OidcConstants;
+using static Duende.IdentityModel.OidcConstants;
 
 namespace Duende.AspNetCore.Authentication.JwtBearer.DPoP;
 

src/AspNetCore.Authentication.JwtBearer/DPoP/DPoPProofValidatonResult.cs

@@ -1,7 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
-using IdentityModel;
+using Duende.IdentityModel;
 
 namespace Duende.AspNetCore.Authentication.JwtBearer.DPoP;
 
@@ -49,7 +49,7 @@ public class DPoPProofValidationResult
     /// The SHA256 hash of the jti value read from the payload.
     /// </summary>
     public string? TokenIdHash { get; set; }
-    
+
     /// <summary>
     /// The ath value read from the payload.
     /// </summary>

src/AspNetCore.Authentication.JwtBearer/DPoP/DefaultDPoPProofValidator.cs

@@ -4,7 +4,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -43,22 +43,22 @@ public class DefaultDPoPProofValidator : IDPoPProofValidator
     /// Provides the options for DPoP proof validation. 
     /// </summary>
     protected readonly IOptionsMonitor<DPoPOptions> OptionsMonitor;
-    
+
     /// <summary>
     /// Protects and unprotects nonce values.
     /// </summary>
     protected readonly IDataProtector DataProtector;
-    
+
     /// <summary>
     /// Caches proof tokens to detect replay.
     /// </summary>
     protected readonly IReplayCache ReplayCache;
-    
+
     /// <summary>
     /// Clock for checking proof expiration.
     /// </summary>
     protected readonly TimeProvider TimeProvider;
-    
+
     /// <summary>
     /// The logger.
     /// </summary>
@@ -198,7 +198,7 @@ protected virtual Task ValidateHeader(
                 Logger.LogDebug("Null cnf value in DPoP access token.");
                 result.SetError("Invalid 'cnf' value.");
                 return Task.CompletedTask;
-            } 
+            }
             else if (cnfJson.TryGetValue(JwtClaimTypes.ConfirmationMethods.JwkThumbprint, out var jktJson))
             {
                 var accessTokenJkt = jktJson.ToString();
@@ -274,7 +274,7 @@ protected virtual async Task ValidateSignature(
     /// </summary>
     protected virtual async Task ValidatePayload(DPoPProofValidationContext context, DPoPProofValidationResult result, CancellationToken cancellationToken = default)
     {
-        if(result.Payload is null )
+        if (result.Payload is null)
         {
             result.SetError("Missing payload");
             return;
@@ -443,7 +443,7 @@ protected virtual Task ValidateIat(
         CancellationToken _ = default)
     {
         // iat is required by an earlier validation, so result.IssuedAt will not be null
-        if (IsExpired(context, result, result.IssuedAt!.Value, ExpirationValidationMode.IssuedAt)) 
+        if (IsExpired(context, result, result.IssuedAt!.Value, ExpirationValidationMode.IssuedAt))
         {
             result.SetError("Invalid 'iat' value.");
         }
@@ -524,12 +524,12 @@ protected virtual bool IsExpired(DPoPProofValidationContext context, DPoPProofVa
     {
         var dpopOptions = OptionsMonitor.Get(context.Scheme);
         var validityDuration = dpopOptions.ProofTokenValidityDuration;
-        var skew = mode == ExpirationValidationMode.Nonce ? dpopOptions.ServerClockSkew 
+        var skew = mode == ExpirationValidationMode.Nonce ? dpopOptions.ServerClockSkew
             : dpopOptions.ClientClockSkew;
 
         return IsExpired(validityDuration, skew, time);
     }
-    
+
     internal bool IsExpired(TimeSpan validityDuration, TimeSpan clockSkew, long time)
     {
         var now = TimeProvider.GetUtcNow().ToUnixTimeSeconds();

test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/AccessTokenCnfTests.cs

@@ -4,7 +4,7 @@
 using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Text.Json;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.IdentityModel.Tokens;
 using Shouldly;
 

test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/AssertionExtensions.cs

@@ -1,7 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
-using IdentityModel;
+using Duende.IdentityModel;
 using NSubstitute;
 using Shouldly;
 

test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/DPoPProofValidatorTestBase.cs

@@ -5,7 +5,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.Extensions.Options;
 using Microsoft.IdentityModel.JsonWebTokens;
 using Microsoft.IdentityModel.Tokens;

test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/FreshnessTests.cs

@@ -1,7 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.DataProtection;
 using Shouldly;
 

test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/PayloadTests.cs

@@ -1,7 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
-using IdentityModel;
+using Duende.IdentityModel;
 using Shouldly;
 
 namespace Duende.AspNetCore.Authentication.JwtBearer.DPoP;

test/AspNetCore.Authentication.JwtBearer.Tests/DPoP/ReplayTests.cs

@@ -1,7 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // See LICENSE in the project root for license information.
 
-using IdentityModel;
+using Duende.IdentityModel;
 using NSubstitute;
 using Shouldly;
 

test/AspNetCore.Authentication.JwtBearer.Tests/DPoPIntegrationTests.cs

@@ -10,8 +10,8 @@
 using Duende.AspNetCore.Authentication.JwtBearer.DPoP;
 using Duende.AspNetCore.TestFramework;
 using Duende.IdentityServer.Models;
-using IdentityModel;
-using IdentityModel.Client;
+using Duende.IdentityModel;
+using Duende.IdentityModel.Client;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.IdentityModel.Tokens;

test/TestFramework/AppHost.cs

@@ -4,7 +4,7 @@
 using System.Net;
 using System.Web;
 using Duende.AccessTokenManagement.OpenIdConnect;
-using IdentityModel;
+using Duende.IdentityModel;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;