DuendeSoftware · damianh · Feb 23, 2025 · Feb 22, 2025 · Feb 22, 2025
@@ -1,6 +1,7 @@
 // Copyright (c) Duende Software. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
+using System.ComponentModel.DataAnnotations;
 using Duende.IdentityModel;
 
 namespace Duende.AccessTokenManagement;
@@ -33,9 +34,9 @@ public static void SetDPoPProofToken(this HttpRequestMessage request, string? pr
     /// </summary>
     public static string? GetDPoPNonce(this HttpResponseMessage response)
     {
-        return response.Headers
-            .FirstOrDefault(x => string.Equals(OidcConstants.HttpHeaders.DPoPNonce, x.Key, StringComparison.OrdinalIgnoreCase))
-            .Value?.FirstOrDefault();
+        return response.Headers.TryGetValues(OidcConstants.HttpHeaders.DPoPNonce, out var values) 
+            ? values.FirstOrDefault() 
+            : null;
     }
 
     /// <summary>

@@ -1,8 +1,6 @@
 // Copyright (c) Duende Software. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
-using Duende.IdentityModel;
-
 namespace Duende.IdentityModel.OidcClient.DPoP;
 
 /// <summary>
@@ -26,40 +24,11 @@ public static void SetDPoPProofToken(this HttpRequestMessage request, string? pr
     /// </summary>
     public static string? GetDPoPNonce(this HttpResponseMessage response)
     {
-        return response.Headers
-            .FirstOrDefault(x => string.Equals(OidcConstants.HttpHeaders.DPoPNonce, x.Key, StringComparison.OrdinalIgnoreCase))
-            .Value?.FirstOrDefault();
+        return response.Headers.TryGetValues(OidcConstants.HttpHeaders.DPoPNonce, out var values)
+            ? values.FirstOrDefault()
+            : null;
     }
 
-    ///// <summary>
-    ///// Reads the WWW-Authenticate response header to determine if the respone is in error due to DPoP
-    ///// </summary>
-    //public static bool IsDPoPError(this HttpResponseMessage response)
-    //{
-    //    if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
-    //    {
-    //        var header = response.Headers.WwwAuthenticate.Where(x => x.Scheme == OidcConstants.AuthenticationSchemes.AuthorizationHeaderDPoP).FirstOrDefault();
-    //        if (header != null && header.Parameter != null)
-    //        {
-    //            // WWW-Authenticate: DPoP error="use_dpop_nonce"
-    //            var values = header.Parameter.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
-    //            var error = values.Select(x =>
-    //            {
-    //                var parts = x.Split(new[] { '=' }, StringSplitOptions.RemoveEmptyEntries);
-    //                if (parts.Length == 2 && parts[0] == OidcConstants.TokenResponse.Error)
-    //                {
-    //                    return parts[1].Trim('"');
-    //                }
-    //                return null;
-    //            }).Where(x => x != null).FirstOrDefault();
-
-    //            return error == OidcConstants.TokenErrors.UseDPoPNonce || error == OidcConstants.TokenErrors.InvalidDPoPProof;
-    //        }
-    //    }
-
-    //    return false;
-    //}
-
     /// <summary>
     /// Returns the URL without any query params
     /// </summary>