DuendeSoftware · brockallen · Nov 7, 2023 · Nov 6, 2023 · Nov 6, 2023 · Nov 7, 2023
diff --git a/hosts/main/Program.cs.bak b/hosts/main/Program.cs.bak
diff --git a/src/IdentityServer/Licensing/IdentityServerLicense.cs b/src/IdentityServer/Licensing/IdentityServerLicense.cs
@@ -42,6 +42,16 @@ internal override void Initialize(ClaimsPrincipal claims)
                 KeyManagementFeature = true;
                 break;
         }
+
+        ParFeature = claims.HasClaim("feature", "par");
+        switch (Edition)
+        {
+            case LicenseEdition.Enterprise:
+            case LicenseEdition.Business:
+            case LicenseEdition.Community:
+                ParFeature = true;
+                break;
+        }
 
         ResourceIsolationFeature = claims.HasClaim("feature", "resource_isolation");
         switch (Edition)
@@ -167,6 +177,10 @@ internal override void Initialize(ClaimsPrincipal claims)
     /// </summary>
     public bool KeyManagementFeature { get; set; }
     /// <summary>
+    /// PAR
+    /// </summary>
+    public bool ParFeature { get; set; }
+    /// <summary>
     /// Resource isolation
     /// </summary>
     public bool ResourceIsolationFeature { get; set; }

diff --git a/src/IdentityServer/Licensing/IdentityServerLicenseValidator.cs b/src/IdentityServer/Licensing/IdentityServerLicenseValidator.cs
@@ -175,6 +175,24 @@ public void ValidateResourceIndicators(string resourceIndicator)
             }
         }
     }
+
+    bool ValidateParWarned = false;
+    public void ValidatePar()
+    {
+        if(License != null)
+        {
+            if(!License.ParFeature)
+            {
+                throw new Exception("A request was made to the pushed authorization endpoint. Your license of Duende IdentityServer does not permit pushed authorization. This features requires the Business Edition or higher tier of license.");
+            }
+        }
+        else if (!ValidateParWarned)
+        {
+            ValidateParWarned = true;
+            WarningLog?.Invoke("A request was made to the pushed authorization endpoint, but you do not have a license. This feature requires the Business Edition or higher tier of license.", Array.Empty<object>());
+        }
+    }
+
     public void ValidateResourceIndicators(IEnumerable<string> resourceIndicators)
     {
         if (resourceIndicators?.Any() == true)

diff --git a/src/IdentityServer/Validation/Default/PushedAuthorizationRequestValidator.cs b/src/IdentityServer/Validation/Default/PushedAuthorizationRequestValidator.cs
@@ -16,7 +16,7 @@ namespace Duende.IdentityServer.Validation;
 /// cref="IAuthorizeRequestValidator"/> to validate the pushed parameters as if
 /// they had been sent to the authorize endpoint directly. 
 /// </summary>
-public class PushedAuthorizationRequestValidator : IPushedAuthorizationRequestValidator
+internal class PushedAuthorizationRequestValidator : IPushedAuthorizationRequestValidator
 {
 
     private readonly IAuthorizeRequestValidator _authorizeRequestValidator;
@@ -36,6 +36,7 @@ public PushedAuthorizationRequestValidator(IAuthorizeRequestValidator authorizeR
     /// <inheritdoc />
     public async Task<PushedAuthorizationValidationResult> ValidateAsync(PushedAuthorizationRequestValidationContext context)
     {
+        IdentityServerLicenseValidator.Instance.ValidatePar();
         var validatedRequest = await ValidateRequestUriAsync(context);
         if(validatedRequest.IsError)
         {
@@ -63,7 +64,7 @@ public async Task<PushedAuthorizationValidationResult> ValidateAsync(PushedAutho
     /// context.</param>
     /// <returns>A task containing the <see
     /// cref="PushedAuthorizationValidationResult"/>.</returns>
-    protected virtual Task<PushedAuthorizationValidationResult> ValidateRequestUriAsync(PushedAuthorizationRequestValidationContext context)
+    private Task<PushedAuthorizationValidationResult> ValidateRequestUriAsync(PushedAuthorizationRequestValidationContext context)
     {
         // Reject request_uri parameter
         if (context.RequestParameters.Get(OidcConstants.AuthorizeRequest.RequestUri).IsPresent())

diff --git a/test/IdentityServer.UnitTests/Licensing/IdentityServerLicenseValidatorTests.cs b/test/IdentityServer.UnitTests/Licensing/IdentityServerLicenseValidatorTests.cs
@@ -65,6 +65,7 @@ public void license_should_parse_edition_and_use_default_values()
             //subject.BffFeature.Should().BeTrue();
             subject.RedistributionFeature.Should().BeFalse();
             subject.CibaFeature.Should().BeTrue();
+            subject.ParFeature.Should().BeTrue();
         }
         {
             var subject = new IdentityServerLicense(new Claim("edition", "business"));
@@ -81,6 +82,7 @@ public void license_should_parse_edition_and_use_default_values()
             //subject.BffFeature.Should().BeTrue();
             subject.RedistributionFeature.Should().BeFalse();
             subject.CibaFeature.Should().BeFalse();
+            subject.ParFeature.Should().BeTrue();
         }
         {
             var subject = new IdentityServerLicense(new Claim("edition", "starter"));
@@ -97,6 +99,7 @@ public void license_should_parse_edition_and_use_default_values()
             //subject.BffFeature.Should().BeFalse();
             subject.RedistributionFeature.Should().BeFalse();
             subject.CibaFeature.Should().BeFalse();
+            subject.ParFeature.Should().BeFalse();
         }
         {
             var subject = new IdentityServerLicense(new Claim("edition", "community"));
@@ -113,6 +116,7 @@ public void license_should_parse_edition_and_use_default_values()
             //subject.BffFeature.Should().BeTrue();
             subject.RedistributionFeature.Should().BeFalse();
             subject.CibaFeature.Should().BeTrue();
+            subject.ParFeature.Should().BeTrue();
         }
 
         // BFF
@@ -245,7 +249,8 @@ public void license_should_handle_overrides_for_default_edition_values()
                 new Claim("feature", "dpop"),
                 new Claim("feature", "bff"),
                 new Claim("feature", "ciba"),
-                new Claim("feature", "dynamic_providers"));
+                new Claim("feature", "dynamic_providers"),
+                new Claim("feature", "par"));
             subject.ClientLimit.Should().Be(20);
             subject.IssuerLimit.Should().Be(5);
             subject.KeyManagementFeature.Should().BeTrue();
@@ -257,6 +262,7 @@ public void license_should_handle_overrides_for_default_edition_values()
             subject.DynamicProvidersFeature.Should().BeTrue();
             subject.RedistributionFeature.Should().BeTrue();
             subject.CibaFeature.Should().BeTrue();
+            subject.ParFeature.Should().BeTrue();
         }
         {
             var subject = new IdentityServerLicense(