From 6405858e70382c0e36208f3c8afee90edf843795 Mon Sep 17 00:00:00 2001
From: Dominick Baier <dbaier@leastprivilege.com>
Date: Tue, 24 Oct 2023 08:38:51 +0200
Subject: [PATCH 1/4] first cut

---
 .github/workflows/ci.yml              | 2 +-
 .github/workflows/codeql-analysis.yml | 2 +-
 Directory.Build.targets               | 6 +++---
 global.json                           | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6a0b0e4e0..6019082d1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,7 +32,7 @@ jobs:
       uses: actions/setup-dotnet@v2
       with:
         dotnet-version: |
-          8.0.100-rc.1.23463.5
+            8.0.100-rc.2.23502.2
     
     - run: dotnet --info
     
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 574d629b5..ba7f7d2e7 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -41,7 +41,7 @@ jobs:
       uses: actions/setup-dotnet@v2
       with:
         dotnet-version: |
-          8.0.100-rc.1.23463.5
+            8.0.100-rc.2.23502.2
       
     - run: dotnet --info
 
diff --git a/Directory.Build.targets b/Directory.Build.targets
index 9b369df4a..80caf9e4e 100644
--- a/Directory.Build.targets
+++ b/Directory.Build.targets
@@ -15,9 +15,9 @@
     </PropertyGroup>-->
 
     <PropertyGroup Condition=" '$(TargetFramework)' == 'net8.0'">
-        <FrameworkVersion>8.0.0-rc.1.23421.29</FrameworkVersion>
-        <ExtensionsVersion>8.0.0-rc.1.23419.4</ExtensionsVersion>
-        <EntityFrameworkVersion>8.0.0-rc.1.23419.6</EntityFrameworkVersion>
+        <FrameworkVersion>8.0.0-rc.2.23480.2</FrameworkVersion>
+        <ExtensionsVersion>8.0.0-rc.2.23479.6</ExtensionsVersion>
+        <EntityFrameworkVersion>8.0.0-rc.2.23480.1</EntityFrameworkVersion>
         <WilsonVersion>7.0.0</WilsonVersion>
     </PropertyGroup>
 
diff --git a/global.json b/global.json
index 6ac8dd8f7..3875a9bb3 100644
--- a/global.json
+++ b/global.json
@@ -1,6 +1,6 @@
 {
   "sdk": {
-    "version": "8.0.100-rc.1.23463.5",
+    "version": "8.0.100-rc.2.23502.2",
     "rollForward": "latestMajor",
     "allowPrerelease": true
   }

From 865258667e24a7d78ae672a33c6a534b233768bc Mon Sep 17 00:00:00 2001
From: Joe DeCock <josephdecock@gmail.com>
Date: Wed, 25 Oct 2023 10:20:20 -0500
Subject: [PATCH 2/4] Fix json deserialization test problem

---
 ...ntityServerBuilderExtensionsCryptoTests.cs | 44 ++++++++++---------
 1 file changed, 24 insertions(+), 20 deletions(-)

diff --git a/test/IdentityServer.UnitTests/Extensions/IdentityServerBuilderExtensionsCryptoTests.cs b/test/IdentityServer.UnitTests/Extensions/IdentityServerBuilderExtensionsCryptoTests.cs
index 320e1c61a..458844222 100644
--- a/test/IdentityServer.UnitTests/Extensions/IdentityServerBuilderExtensionsCryptoTests.cs
+++ b/test/IdentityServer.UnitTests/Extensions/IdentityServerBuilderExtensionsCryptoTests.cs
@@ -21,20 +21,22 @@ public void AddSigningCredential_with_json_web_key_containing_asymmetric_key_sho
         IServiceCollection services = new ServiceCollection();
         IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
 
-        String json =
-            @"{
-                ""alg"" : ""RS256"",
-                ""kty"" : ""RSA"",
-                ""use"" : ""sig"",
-                ""d"" : ""KGGNkbbgm2hNMqW6fP1fmcWwEBy77WOJIPAXnDJ0KxNTtqDF8K5ULj7EElHO1A8ZnNl1Ey/x//G9lJCOQUU9wmj010dOSsW0NBbR5NtRtLLuVbkVdyft53PGeTQs+1S3c51fz9jojtNqmlfXSANPFOH6QhxmzpTx3KLsf/TpCzblkSrEGOOqCCvVdl7ybTcB230jNhh3JoL7po1rvxKtoOM4a/Bs0NtKj7e+VaHcf0GLnBPJYetsHu43ZfNejJeDoouaXZzeVEklY3B0pe10OTCIOu0JUKGZxNekklRIo1WSEYdL+CJfrSKWIv8bLj6xSr5zrASvWODyH443LN6ZvQ=="",
-                ""e"" : ""AQAB"",
-                ""n"" : ""q7mZfquRq8tzg/5slbNdQmrosNN/mFXS25dbSPm11qEDCgZa452KkO8+hvMtqa92QaqdlmalSF8+FRDOz3grDR5NtmnXZxuKnp+raKfzpC6hCvh2JSIe/J9enmsMM4YeI4d1FOSDwhJlZIYMdMnqG/VJtO1LSHjOaF3XN31ANKF0nPAsmr2/WysiQlxnxxiikLEnsFuNdS615ODDXFGTQ1E+zc4zVur4/Ox0cllPwHPA4PqoIgdPJPL+xM9IOIXuAGtsp4CYoxT6VWaRrALIZXXDY806WGTuctq4KKot6FGL9HQte2hRLl4E/r8SzIK86U3wRwrBe7saK+XUXoP0gQ="",
-		        ""p"" :	""25dkucyCSqxRcJpRrhl7PXqw7wqBZeLQgYlZLpK493PdM8pFfq+/LK1hFtxIjdFKqXS/TOikB4YCBMEH0Im3HZ8Lo0dub3SWNhdegJyRjMbcoO+A9YSODEj7DFaNpZtdmtDi1n6etJm66ctPSR20NNpzoYZuaJ92fVQiKiOh6Qs="",
-                ""q"" : ""yDKBrS8l1DOx4dwP9hdwhqZJ3XahidiIZSL7m46I/6+cjaki/1mtNiA60MOgqTKegP7Fo7jAYvliqQwnvVGmQvLv19cfKywlIuKN9DdkLHnKh75hfo7aakEbO7GJ5zVgsNnKOdf8wvpclfvIuRDEVva4cksPzsJy6K7C8ENCSCM="",
-                ""dp"" :  ""GlYJ6o6wgawxCEQ5z5uWwETau5CS/Fk7kI2ceI14SZVHzlJQC2WglAcnQcqhmQCk57Xsy5iLM6vKyi8sdMJPh+nvR2HlyNA+w7YBy4L7odqn01VmLgv7zVVjZpNq4ZXEoDC1Q+xjtF1LoYaUt7wsRLp+a7znuPyHBXj1sAAeBwk="",
-                ""dq"" :  ""W8OK3S83T8VCTBzq1Ap6cb3XLcQq11yBaJpYaj0zXr/IKsbUW+dnFeBAFWEWS3gAX3Bod1tAFB3rs0D3FjhO1XE1ruHUT520iAEAwGiDaj+JLh994NzqELo3GW2PoIM/BtFNeKYgHd9UgQsgPnQJCzOb6Aev/z3yHeW9RRQPVbE="",
-                ""qi"" :  ""w4KdmiDN1GtK71JxaasqmEKPNfV3v2KZDXKnfyhUsdx/idKbdTVjvMOkxFPJ4FqV4yIVn06f3QHTm4NEG18Diqxsrzd6kXQIHOa858tLsCcmt9FoGfrgCFgVceh3K/Zah/r8rl9Y61u0Z1kZumwMvFpFE+mVU01t9HgTEAVkHTc="",
-            }";
+        var json =
+            """
+            {
+                "alg": "RS256",
+                "kty": "RSA",
+                "use": "sig",
+                "d": "KGGNkbbgm2hNMqW6fP1fmcWwEBy77WOJIPAXnDJ0KxNTtqDF8K5ULj7EElHO1A8ZnNl1Ey/x//G9lJCOQUU9wmj010dOSsW0NBbR5NtRtLLuVbkVdyft53PGeTQs+1S3c51fz9jojtNqmlfXSANPFOH6QhxmzpTx3KLsf/TpCzblkSrEGOOqCCvVdl7ybTcB230jNhh3JoL7po1rvxKtoOM4a/Bs0NtKj7e+VaHcf0GLnBPJYetsHu43ZfNejJeDoouaXZzeVEklY3B0pe10OTCIOu0JUKGZxNekklRIo1WSEYdL+CJfrSKWIv8bLj6xSr5zrASvWODyH443LN6ZvQ==",
+                "e": "AQAB",
+                "n": "q7mZfquRq8tzg/5slbNdQmrosNN/mFXS25dbSPm11qEDCgZa452KkO8+hvMtqa92QaqdlmalSF8+FRDOz3grDR5NtmnXZxuKnp+raKfzpC6hCvh2JSIe/J9enmsMM4YeI4d1FOSDwhJlZIYMdMnqG/VJtO1LSHjOaF3XN31ANKF0nPAsmr2/WysiQlxnxxiikLEnsFuNdS615ODDXFGTQ1E+zc4zVur4/Ox0cllPwHPA4PqoIgdPJPL+xM9IOIXuAGtsp4CYoxT6VWaRrALIZXXDY806WGTuctq4KKot6FGL9HQte2hRLl4E/r8SzIK86U3wRwrBe7saK+XUXoP0gQ=",
+                "p": "25dkucyCSqxRcJpRrhl7PXqw7wqBZeLQgYlZLpK493PdM8pFfq+/LK1hFtxIjdFKqXS/TOikB4YCBMEH0Im3HZ8Lo0dub3SWNhdegJyRjMbcoO+A9YSODEj7DFaNpZtdmtDi1n6etJm66ctPSR20NNpzoYZuaJ92fVQiKiOh6Qs=",
+                "q": "yDKBrS8l1DOx4dwP9hdwhqZJ3XahidiIZSL7m46I/6+cjaki/1mtNiA60MOgqTKegP7Fo7jAYvliqQwnvVGmQvLv19cfKywlIuKN9DdkLHnKh75hfo7aakEbO7GJ5zVgsNnKOdf8wvpclfvIuRDEVva4cksPzsJy6K7C8ENCSCM=",
+                "dp": "GlYJ6o6wgawxCEQ5z5uWwETau5CS/Fk7kI2ceI14SZVHzlJQC2WglAcnQcqhmQCk57Xsy5iLM6vKyi8sdMJPh+nvR2HlyNA+w7YBy4L7odqn01VmLgv7zVVjZpNq4ZXEoDC1Q+xjtF1LoYaUt7wsRLp+a7znuPyHBXj1sAAeBwk=",
+                "dq": "W8OK3S83T8VCTBzq1Ap6cb3XLcQq11yBaJpYaj0zXr/IKsbUW+dnFeBAFWEWS3gAX3Bod1tAFB3rs0D3FjhO1XE1ruHUT520iAEAwGiDaj+JLh994NzqELo3GW2PoIM/BtFNeKYgHd9UgQsgPnQJCzOb6Aev/z3yHeW9RRQPVbE=",
+                "qi": "w4KdmiDN1GtK71JxaasqmEKPNfV3v2KZDXKnfyhUsdx/idKbdTVjvMOkxFPJ4FqV4yIVn06f3QHTm4NEG18Diqxsrzd6kXQIHOa858tLsCcmt9FoGfrgCFgVceh3K/Zah/r8rl9Y61u0Z1kZumwMvFpFE+mVU01t9HgTEAVkHTc="
+            }
+            """;
 
         JsonWebKey jsonWebKey = new JsonWebKey(json);
         SigningCredentials credentials = new SigningCredentials(jsonWebKey, jsonWebKey.Alg);
@@ -48,12 +50,14 @@ public void AddSigningCredential_with_json_web_key_containing_symmetric_key_shou
         IIdentityServerBuilder identityServerBuilder = new IdentityServerBuilder(services);
 
         String json =
-            @"{
-                ""alg"" : ""HS256"",
-                ""kty"" : ""oct"",
-                ""use"" : ""sig"",
-                ""k"" : ""y5FHaQFtC294HLAtPXAcMkxZ5gHzCq24223vSYQUrDuu-3CUw7UzPru-AX30ubeB2IM_gUsNQ80bX22wwSk_3LC6XxYxqeGJZSeoQqHG0VNbaWCVkqeuB_HOiL1-ksPfGT-o8_A_Uv-6zi2NaEOYpnIyff5LpdW__LhiE-bhIenaw7GhoXSAfsGEZfNZpUUOU35NAiN2dv0T5vptb87wkL1I2zLhV0pdLvWsDWgQPINEa8bbCA_mseBYpB1eioZvt0TZbp6CL9tiEoiikYV_F3IutrJ2SOWYtDNFeQ3sbyYP7zTzh9a2eyaM8ca5_q3qosI92AbZ7WpEFLa9cZ_O7g""
-            }";
+            """
+            {
+                "alg" : "HS256",
+                "kty" : "oct",
+                "use" : "sig",
+                "k" : "y5FHaQFtC294HLAtPXAcMkxZ5gHzCq24223vSYQUrDuu-3CUw7UzPru-AX30ubeB2IM_gUsNQ80bX22wwSk_3LC6XxYxqeGJZSeoQqHG0VNbaWCVkqeuB_HOiL1-ksPfGT-o8_A_Uv-6zi2NaEOYpnIyff5LpdW__LhiE-bhIenaw7GhoXSAfsGEZfNZpUUOU35NAiN2dv0T5vptb87wkL1I2zLhV0pdLvWsDWgQPINEa8bbCA_mseBYpB1eioZvt0TZbp6CL9tiEoiikYV_F3IutrJ2SOWYtDNFeQ3sbyYP7zTzh9a2eyaM8ca5_q3qosI92AbZ7WpEFLa9cZ_O7g"
+            }
+            """;
 
         JsonWebKey jsonWebKey = new JsonWebKey(json);
         SigningCredentials credentials = new SigningCredentials(jsonWebKey, jsonWebKey.Alg);

From 9c460393781a2769d8f518e66a27bc9df9c55935 Mon Sep 17 00:00:00 2001
From: Joe DeCock <josephdecock@gmail.com>
Date: Wed, 25 Oct 2023 11:11:56 -0500
Subject: [PATCH 3/4] Clean up warnings

---
 .../Endpoints/PushedAuthorizationEndpoint.cs  |  6 ++--
 .../Default/PushedAuthorizationService.cs     |  1 +
 .../DeserializedPushedAuthorizationRequest.cs | 21 +++++++++++--
 .../Default/RequestObjectValidator.cs         | 11 +++++--
 .../Models/JwtRequestValidationResult.cs      |  4 ++-
 .../Stores/ClientStoreTests.cs                |  2 ++
 .../Default/DefaultCorsPolicyServiceTests.cs  | 29 ++++++++---------
 .../InMemory/InMemoryCorsPolicyService.cs     | 31 ++++++++++++-------
 .../Authorize_ProtocolValidation_PAR.cs       |  6 +++-
 9 files changed, 75 insertions(+), 36 deletions(-)

diff --git a/src/IdentityServer/Endpoints/PushedAuthorizationEndpoint.cs b/src/IdentityServer/Endpoints/PushedAuthorizationEndpoint.cs
index 922a67e77..943c7b082 100644
--- a/src/IdentityServer/Endpoints/PushedAuthorizationEndpoint.cs
+++ b/src/IdentityServer/Endpoints/PushedAuthorizationEndpoint.cs
@@ -64,7 +64,7 @@ public async Task<IEndpointResult> ProcessAsync(HttpContext context)
         var client = await _clientValidator.ValidateAsync(context);
         if(client.IsError)
         {
-            return await CreateErrorResultAsync(
+            return CreateErrorResult(
                 logMessage: "Client secret validation failed",
                 request: null,
                 client.Error,
@@ -75,7 +75,7 @@ public async Task<IEndpointResult> ProcessAsync(HttpContext context)
         var parValidationResult = await _parValidator.ValidateAsync(new PushedAuthorizationRequestValidationContext(values, client.Client));
         if (parValidationResult.IsError)
         {
-            return await CreateErrorResultAsync(
+            return CreateErrorResult(
                 logMessage: "Pushed authorization validation failed",
                 request: parValidationResult.ValidatedRequest,
                 parValidationResult.Error,
@@ -92,7 +92,7 @@ public async Task<IEndpointResult> ProcessAsync(HttpContext context)
         };
     }
 
-    private async Task<PushedAuthorizationErrorResult> CreateErrorResultAsync(
+    private PushedAuthorizationErrorResult CreateErrorResult(
         string logMessage,
         ValidatedPushedAuthorizationRequest request = null,
         string error = OidcConstants.AuthorizeErrors.ServerError,
diff --git a/src/IdentityServer/Services/Default/PushedAuthorizationService.cs b/src/IdentityServer/Services/Default/PushedAuthorizationService.cs
index 4e97a0813..bc1079910 100644
--- a/src/IdentityServer/Services/Default/PushedAuthorizationService.cs
+++ b/src/IdentityServer/Services/Default/PushedAuthorizationService.cs
@@ -46,6 +46,7 @@ public Task ConsumeAsync(string referenceValue)
         var deserialized = _serializer.Deserialize(par.Parameters);
         return new DeserializedPushedAuthorizationRequest
         {
+            ReferenceValue = referenceValue,
             PushedParameters = deserialized,
             ExpiresAtUtc = par.ExpiresAtUtc
         };
diff --git a/src/IdentityServer/Services/DeserializedPushedAuthorizationRequest.cs b/src/IdentityServer/Services/DeserializedPushedAuthorizationRequest.cs
index 00d014a61..b1f0ebb70 100644
--- a/src/IdentityServer/Services/DeserializedPushedAuthorizationRequest.cs
+++ b/src/IdentityServer/Services/DeserializedPushedAuthorizationRequest.cs
@@ -9,9 +9,24 @@
 
 namespace Duende.IdentityServer.Services;
 
+/// <summary>
+/// A pushed authorization request that is not serialized.
+/// </summary>
 public class DeserializedPushedAuthorizationRequest
 {
-    public string ReferenceValue { get; set; }
-    public NameValueCollection PushedParameters { get; set; }
-    public DateTime ExpiresAtUtc { get; set; }
+    /// <summary>
+    /// The reference value of the pushed authorization request. This is the
+    /// identifier within the request_uri.
+    /// </summary>
+    public required string ReferenceValue { get; set; }
+    
+    /// <summary>
+    /// The pushed parameters. 
+    /// </summary>
+    public required NameValueCollection PushedParameters { get; set; }
+    
+    /// <summary>
+    /// The expiration time.
+    /// </summary>
+    public required DateTime ExpiresAtUtc { get; set; }
 }
diff --git a/src/IdentityServer/Validation/Default/RequestObjectValidator.cs b/src/IdentityServer/Validation/Default/RequestObjectValidator.cs
index 9a3f54f41..e9b7007bc 100644
--- a/src/IdentityServer/Validation/Default/RequestObjectValidator.cs
+++ b/src/IdentityServer/Validation/Default/RequestObjectValidator.cs
@@ -5,7 +5,9 @@
 #nullable enable
 
 using System;
+using System.Collections.Generic;
 using System.Linq;
+using System.Security.Claims;
 using System.Threading.Tasks;
 using Duende.IdentityServer.Configuration;
 using Duende.IdentityServer.Extensions;
@@ -223,6 +225,11 @@ public async Task<AuthorizeRequestValidationResult> ValidateRequestObjectAsync(V
             {
                 LogError("request JWT validation failure", request);
                 return Invalid(request, error: OidcConstants.AuthorizeErrors.InvalidRequestObject, description: "Invalid JWT request");
+            } 
+
+            if(jwtRequestValidationResult.Payload == null)
+            {
+                throw new Exception("JwtRequestValidation succeeded but did not return a payload");
             }
 
             // validate response_type match
@@ -230,7 +237,7 @@ public async Task<AuthorizeRequestValidationResult> ValidateRequestObjectAsync(V
             if (responseType != null)
             {
                 var payloadResponseType =
-                    jwtRequestValidationResult.Payload?.SingleOrDefault(c =>
+                    jwtRequestValidationResult.Payload.SingleOrDefault(c =>
                         c.Type == OidcConstants.AuthorizeRequest.ResponseType)?.Value;
 
                 if (!string.IsNullOrEmpty(payloadResponseType))
@@ -245,7 +252,7 @@ public async Task<AuthorizeRequestValidationResult> ValidateRequestObjectAsync(V
 
             // validate client_id mismatch
             var payloadClientId =
-                jwtRequestValidationResult.Payload?.SingleOrDefault(c =>
+                jwtRequestValidationResult.Payload.SingleOrDefault(c =>
                     c.Type == OidcConstants.AuthorizeRequest.ClientId)?.Value;
 
             if (!string.IsNullOrEmpty(payloadClientId))
diff --git a/src/IdentityServer/Validation/Models/JwtRequestValidationResult.cs b/src/IdentityServer/Validation/Models/JwtRequestValidationResult.cs
index a18796f44..ac1062fda 100644
--- a/src/IdentityServer/Validation/Models/JwtRequestValidationResult.cs
+++ b/src/IdentityServer/Validation/Models/JwtRequestValidationResult.cs
@@ -5,6 +5,7 @@
 #nullable enable
 
 using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
 using System.Security.Claims;
 
 namespace Duende.IdentityServer.Validation;
@@ -15,7 +16,8 @@ namespace Duende.IdentityServer.Validation;
 public class JwtRequestValidationResult : ValidationResult
 {
     /// <summary>
-    /// The key/value pairs from the JWT payload of a successfuly validated request.
+    /// The key/value pairs from the JWT payload of a successfully validated
+    /// request, or null if a validation error occurred.
     /// </summary>
     public IEnumerable<Claim>? Payload { get; set; }
 }
diff --git a/test/EntityFramework.Storage.IntegrationTests/Stores/ClientStoreTests.cs b/test/EntityFramework.Storage.IntegrationTests/Stores/ClientStoreTests.cs
index b2be20f7f..25e6d5502 100644
--- a/test/EntityFramework.Storage.IntegrationTests/Stores/ClientStoreTests.cs
+++ b/test/EntityFramework.Storage.IntegrationTests/Stores/ClientStoreTests.cs
@@ -149,7 +149,9 @@ public async Task FindClientByIdAsync_WhenClientsExistWithManyCollections_Expect
 
             if (await Task.WhenAny(task, Task.Delay(timeout)) == task)
             {
+#pragma warning disable xUnit1031 // Do not use blocking task operations in test method, suppressed because the task must have completed to enter this block
                 var client = task.Result;
+#pragma warning restore xUnit1031 // Do not use blocking task operations in test method
                 client.Should().BeEquivalentTo(testClient);
             }
             else
diff --git a/test/IdentityServer.UnitTests/Services/Default/DefaultCorsPolicyServiceTests.cs b/test/IdentityServer.UnitTests/Services/Default/DefaultCorsPolicyServiceTests.cs
index ac7880443..85b6b9e45 100644
--- a/test/IdentityServer.UnitTests/Services/Default/DefaultCorsPolicyServiceTests.cs
+++ b/test/IdentityServer.UnitTests/Services/Default/DefaultCorsPolicyServiceTests.cs
@@ -3,6 +3,7 @@
 
 
 using System;
+using System.Threading.Tasks;
 using Duende.IdentityServer.Services;
 using FluentAssertions;
 using UnitTests.Common;
@@ -23,54 +24,54 @@ public DefaultCorsPolicyServiceTests()
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_null_param_ReturnsFalse()
+    public async Task IsOriginAllowed_null_param_ReturnsFalse()
     {
-        subject.IsOriginAllowedAsync(null).Result.Should().Be(false);
-        subject.IsOriginAllowedAsync(String.Empty).Result.Should().Be(false);
-        subject.IsOriginAllowedAsync("    ").Result.Should().Be(false);
+        (await subject.IsOriginAllowedAsync(null)).Should().Be(false);
+        (await subject.IsOriginAllowedAsync(String.Empty)).Should().Be(false);
+        (await subject.IsOriginAllowedAsync("    ")).Should().Be(false);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_OriginIsAllowed_ReturnsTrue()
+    public async Task IsOriginAllowed_OriginIsAllowed_ReturnsTrue()
     {
         subject.AllowedOrigins.Add("http://foo");
-        subject.IsOriginAllowedAsync("http://foo").Result.Should().Be(true);
+        (await subject.IsOriginAllowedAsync("http://foo")).Should().Be(true);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_OriginIsNotAllowed_ReturnsFalse()
+    public async Task IsOriginAllowed_OriginIsNotAllowed_ReturnsFalse()
     {
         subject.AllowedOrigins.Add("http://foo");
-        subject.IsOriginAllowedAsync("http://bar").Result.Should().Be(false);
+        (await subject.IsOriginAllowedAsync("http://bar")).Should().Be(false);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_OriginIsInAllowedList_ReturnsTrue()
+    public async Task IsOriginAllowed_OriginIsInAllowedList_ReturnsTrue()
     {
         subject.AllowedOrigins.Add("http://foo");
         subject.AllowedOrigins.Add("http://bar");
         subject.AllowedOrigins.Add("http://baz");
-        subject.IsOriginAllowedAsync("http://bar").Result.Should().Be(true);
+        (await subject.IsOriginAllowedAsync("http://bar")).Should().Be(true);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_OriginIsNotInAllowedList_ReturnsFalse()
+    public async Task IsOriginAllowed_OriginIsNotInAllowedList_ReturnsFalse()
     {
         subject.AllowedOrigins.Add("http://foo");
         subject.AllowedOrigins.Add("http://bar");
         subject.AllowedOrigins.Add("http://baz");
-        subject.IsOriginAllowedAsync("http://quux").Result.Should().Be(false);
+        (await subject.IsOriginAllowedAsync("http://quux")).Should().Be(false);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void IsOriginAllowed_AllowAllTrue_ReturnsTrue()
+    public async Task IsOriginAllowed_AllowAllTrue_ReturnsTrue()
     {
         subject.AllowAll = true;
-        subject.IsOriginAllowedAsync("http://foo").Result.Should().Be(true);
+        (await subject.IsOriginAllowedAsync("http://foo")).Should().Be(true);
     }
 }
\ No newline at end of file
diff --git a/test/IdentityServer.UnitTests/Services/InMemory/InMemoryCorsPolicyService.cs b/test/IdentityServer.UnitTests/Services/InMemory/InMemoryCorsPolicyService.cs
index a29140315..f7780ea94 100644
--- a/test/IdentityServer.UnitTests/Services/InMemory/InMemoryCorsPolicyService.cs
+++ b/test/IdentityServer.UnitTests/Services/InMemory/InMemoryCorsPolicyService.cs
@@ -3,6 +3,7 @@
 
 
 using System.Collections.Generic;
+using System.Threading.Tasks;
 using Duende.IdentityServer.Models;
 using Duende.IdentityServer.Services;
 using FluentAssertions;
@@ -25,7 +26,7 @@ public InMemoryCorsPolicyServiceTests()
 
     [Fact]
     [Trait("Category", Category)]
-    public void client_has_origin_should_allow_origin()
+    public async Task client_has_origin_should_allow_origin()
     {
         _clients.Add(new Client
         {
@@ -35,7 +36,8 @@ public void client_has_origin_should_allow_origin()
             }
         });
 
-        _subject.IsOriginAllowedAsync("http://foo").Result.Should().BeTrue();
+        var result = await _subject.IsOriginAllowedAsync("http://foo");
+        result.Should().BeTrue();
     }
 
     [Theory]
@@ -43,7 +45,7 @@ public void client_has_origin_should_allow_origin()
     [InlineData("https://bar")]
     [InlineData("http://bar-baz")]
     [Trait("Category", Category)]
-    public void client_does_not_has_origin_should_not_allow_origin(string clientOrigin)
+    public async Task client_does_not_has_origin_should_not_allow_origin(string clientOrigin)
     {
         _clients.Add(new Client
         {
@@ -52,12 +54,13 @@ public void client_does_not_has_origin_should_not_allow_origin(string clientOrig
                 clientOrigin
             }
         });
-        _subject.IsOriginAllowedAsync("http://bar").Result.Should().Be(false);
+        var result = await _subject.IsOriginAllowedAsync("http://bar");
+        result.Should().Be(false);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void client_has_many_origins_and_origin_is_in_list_should_allow_origin()
+    public async Task client_has_many_origins_and_origin_is_in_list_should_allow_origin()
     {
         _clients.Add(new Client
         {
@@ -68,12 +71,13 @@ public void client_has_many_origins_and_origin_is_in_list_should_allow_origin()
                 "http://baz"
             }
         });
-        _subject.IsOriginAllowedAsync("http://bar").Result.Should().Be(true);
+        var result = await _subject.IsOriginAllowedAsync("http://bar");
+        result.Should().Be(true);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void client_has_many_origins_and_origin_is_in_not_list_should_not_allow_origin()
+    public async Task client_has_many_origins_and_origin_is_in_not_list_should_not_allow_originAsync()
     {
         _clients.Add(new Client
         {
@@ -84,12 +88,13 @@ public void client_has_many_origins_and_origin_is_in_not_list_should_not_allow_o
                 "http://baz"
             }
         });
-        _subject.IsOriginAllowedAsync("http://quux").Result.Should().Be(false);
+        var result = await _subject.IsOriginAllowedAsync("http://quux");
+        result.Should().Be(false);
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void many_clients_have_same_origins_should_allow_origin()
+    public async Task many_clients_have_same_origins_should_allow_originAsync()
     {
         _clients.AddRange(new Client[] {
             new Client
@@ -107,12 +112,13 @@ public void many_clients_have_same_origins_should_allow_origin()
                 }
             }
         });
-        _subject.IsOriginAllowedAsync("http://foo").Result.Should().BeTrue();
+        var result = await _subject.IsOriginAllowedAsync("http://foo");
+        result.Should().BeTrue();
     }
 
     [Fact]
     [Trait("Category", Category)]
-    public void handle_invalid_cors_origin_format_exception()
+    public async Task handle_invalid_cors_origin_format_exceptionAsync()
     {
         _clients.AddRange(new Client[] {
             new Client
@@ -132,6 +138,7 @@ public void handle_invalid_cors_origin_format_exception()
                 }
             }
         });
-        _subject.IsOriginAllowedAsync("http://bar").Result.Should().BeTrue();
+        var result = await _subject.IsOriginAllowedAsync("http://bar");
+        result.Should().BeTrue();
     }
 }
\ No newline at end of file
diff --git a/test/IdentityServer.UnitTests/Validation/AuthorizeRequest Validation/Authorize_ProtocolValidation_PAR.cs b/test/IdentityServer.UnitTests/Validation/AuthorizeRequest Validation/Authorize_ProtocolValidation_PAR.cs
index 620e68a34..1d3b0b08c 100644
--- a/test/IdentityServer.UnitTests/Validation/AuthorizeRequest Validation/Authorize_ProtocolValidation_PAR.cs	
+++ b/test/IdentityServer.UnitTests/Validation/AuthorizeRequest Validation/Authorize_ProtocolValidation_PAR.cs	
@@ -29,6 +29,8 @@ public void par_should_bind_client_to_pushed_request()
         var initiallyPushedClientId = "clientId1";
         var par = new DeserializedPushedAuthorizationRequest
         {
+            ReferenceValue = Guid.NewGuid().ToString(),
+            ExpiresAtUtc = DateTime.UtcNow.AddMinutes(5),
             PushedParameters = new NameValueCollection
             {
                 { OidcConstants.AuthorizeRequest.ClientId, initiallyPushedClientId }
@@ -55,7 +57,9 @@ public void expired_par_requests_should_fail()
         var authorizeRequest = new ValidatedAuthorizeRequest();
         var par = new DeserializedPushedAuthorizationRequest
         {
-            ExpiresAtUtc = DateTime.UtcNow.AddSeconds(-1)
+            ReferenceValue = Guid.NewGuid().ToString(),
+            ExpiresAtUtc = DateTime.UtcNow.AddSeconds(-1),
+            PushedParameters = new NameValueCollection()
         };
 
         var validator = Factory.CreateRequestObjectValidator();

From 15e7cd4c8b77d86f287a88ec6e238206e453fe5b Mon Sep 17 00:00:00 2001
From: Joe DeCock <josephdecock@gmail.com>
Date: Wed, 25 Oct 2023 11:21:42 -0500
Subject: [PATCH 4/4] Clean up 2 more warnings

---
 .../Services/CorsPolicyServiceTests.cs                   | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/test/EntityFramework.Tests/Services/CorsPolicyServiceTests.cs b/test/EntityFramework.Tests/Services/CorsPolicyServiceTests.cs
index 67649c63f..de38a082d 100644
--- a/test/EntityFramework.Tests/Services/CorsPolicyServiceTests.cs
+++ b/test/EntityFramework.Tests/Services/CorsPolicyServiceTests.cs
@@ -12,6 +12,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Threading.Tasks;
 using Xunit;
 
 namespace Tests.Services;
@@ -28,7 +29,7 @@ public CorsPolicyServiceTests(DatabaseProviderFixture<ConfigurationDbContext> fi
     }
 
     [Theory, MemberData(nameof(TestDatabaseProviders))]
-    public void IsOriginAllowedAsync_WhenOriginIsAllowed_ExpectTrue(DbContextOptions<ConfigurationDbContext> options)
+    public async Task IsOriginAllowedAsync_WhenOriginIsAllowed_ExpectTrue(DbContextOptions<ConfigurationDbContext> options)
     {
         const string testCorsOrigin = "https://identityserver.io/";
 
@@ -53,14 +54,14 @@ public void IsOriginAllowedAsync_WhenOriginIsAllowed_ExpectTrue(DbContextOptions
         using (var context = new ConfigurationDbContext(options))
         {
             var service = new CorsPolicyService(context, FakeLogger<CorsPolicyService>.Create(), new NoneCancellationTokenProvider());
-            result = service.IsOriginAllowedAsync(testCorsOrigin).Result;
+            result = await service.IsOriginAllowedAsync(testCorsOrigin);
         }
 
         Assert.True(result);
     }
 
     [Theory, MemberData(nameof(TestDatabaseProviders))]
-    public void IsOriginAllowedAsync_WhenOriginIsNotAllowed_ExpectFalse(DbContextOptions<ConfigurationDbContext> options)
+    public async Task IsOriginAllowedAsync_WhenOriginIsNotAllowed_ExpectFalse(DbContextOptions<ConfigurationDbContext> options)
     {
         using (var context = new ConfigurationDbContext(options))
         {
@@ -77,7 +78,7 @@ public void IsOriginAllowedAsync_WhenOriginIsNotAllowed_ExpectFalse(DbContextOpt
         using (var context = new ConfigurationDbContext(options))
         {
             var service = new CorsPolicyService(context, FakeLogger<CorsPolicyService>.Create(), new NoneCancellationTokenProvider());
-            result = service.IsOriginAllowedAsync("InvalidOrigin").Result;
+            result = await service.IsOriginAllowedAsync("InvalidOrigin");
         }
 
         Assert.False(result);