Share dpop-nonce case insensitivity

Copy the dpop-nonce http header case insensitivity fix from OidcClient to AccessTokenManagement. Add tests of dpop-nonce casing in both libraries.
DuendeSoftware · Feb 21, 2025 · b5ded95 · b5ded95
1 parent 300b91b
commit b5ded95
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 5 deletions.
diff --git a/access-token-management/src/AccessTokenManagement/DPoPExtensions.cs b/access-token-management/src/AccessTokenManagement/DPoPExtensions.cs
@@ -33,10 +33,9 @@ public static void SetDPoPProofToken(this HttpRequestMessage request, string? pr
     /// </summary>
     public static string? GetDPoPNonce(this HttpResponseMessage response)
     {
-        var nonce = response.Headers
-            .FirstOrDefault(x => x.Key == OidcConstants.HttpHeaders.DPoPNonce)
+        return response.Headers
+            .FirstOrDefault(x => string.Equals(OidcConstants.HttpHeaders.DPoPNonce, x.Key, StringComparison.OrdinalIgnoreCase))
             .Value?.FirstOrDefault();
-        return nonce;
     }
 
     /// <summary>

diff --git a/access-token-management/test/AccessTokenManagement.Tests/DPoPExtensionTests.cs b/access-token-management/test/AccessTokenManagement.Tests/DPoPExtensionTests.cs
@@ -0,0 +1,24 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+namespace Duende.AccessTokenManagement.Tests;
+
+public class DPoPExtensionTests
+{
+    [Theory]
+    [InlineData("DPoP-Nonce")]
+    [InlineData("dpop-nonce")]
+    [InlineData("DPOP-NONCE")]
+    public void GetDPoPNonceIsCaseInsensitive(string headerName)
+    {
+        var expected = "expected-server-nonce"; 
+        var message = new HttpResponseMessage()
+        {
+            Headers =
+            {
+                { headerName, expected }
+            }
+        };
+        message.GetDPoPNonce().ShouldBe(expected);
+    }
+}
diff --git a/identity-model-oidc-client/src/IdentityModel.OidcClient.Extensions/DPoP/DPoPExtensions.cs b/identity-model-oidc-client/src/IdentityModel.OidcClient.Extensions/DPoP/DPoPExtensions.cs
@@ -26,10 +26,9 @@ public static void SetDPoPProofToken(this HttpRequestMessage request, string? pr
     /// </summary>
     public static string? GetDPoPNonce(this HttpResponseMessage response)
     {
-        var nonce = response.Headers
+        return response.Headers
             .FirstOrDefault(x => string.Equals(OidcConstants.HttpHeaders.DPoPNonce, x.Key, StringComparison.OrdinalIgnoreCase))
             .Value?.FirstOrDefault();
-        return nonce;
     }
 
     ///// <summary>

diff --git a/identity-model-oidc-client/test/IdentityModel.OidcClient.Tests/DPoPExtensionTests.cs b/identity-model-oidc-client/test/IdentityModel.OidcClient.Tests/DPoPExtensionTests.cs
@@ -0,0 +1,26 @@
+// Copyright (c) Duende Software. All rights reserved.
+// See LICENSE in the project root for license information.
+
+using Duende.IdentityModel.OidcClient.DPoP;
+
+namespace Duende.IdentityModel.OidcClient;
+
+public class DPoPExtensionTests
+{
+    [Theory]
+    [InlineData("DPoP-Nonce")]
+    [InlineData("dpop-nonce")]
+    [InlineData("DPOP-NONCE")]
+    public void GetDPoPNonceIsCaseInsensitive(string headerName)
+    {
+        var expected = "expected-server-nonce"; 
+        var message = new HttpResponseMessage()
+        {
+            Headers =
+            {
+                { headerName, expected }
+            }
+        };
+        message.GetDPoPNonce().ShouldBe(expected);
+    }
+}