From f4872555fc6ac405eadf88bf52590d1a7bd8085f Mon Sep 17 00:00:00 2001
From: Frederik Prijck
Date: Wed, 29 Nov 2023 13:15:41 +0100
Subject: [PATCH 1/2] Remove support for Client Secret and HS256 (#304)
---
 src/Auth0.OidcClient.Core/Auth0ClientBase.cs | 5 -----
 src/Auth0.OidcClient.Core/Auth0ClientOptions.cs | 7 -------
 src/Auth0.OidcClient.Core/Tokens/IdTokenValidator.cs | 4 ++--
 3 files changed, 2 insertions(+), 14 deletions(-)
diff --git a/src/Auth0.OidcClient.Core/Auth0ClientBase.cs b/src/Auth0.OidcClient.Core/Auth0ClientBase.cs
index e0565bd8..a93bdcd4 100644
--- a/src/Auth0.OidcClient.Core/Auth0ClientBase.cs
+++ b/src/Auth0.OidcClient.Core/Auth0ClientBase.cs
@@ -170,11 +170,6 @@ private OidcClientOptions CreateOidcClientOptions(Auth0ClientOptions options)
 }
 };
-#pragma warning disable CS0618 // ClientSecret will be removed in a future update.
- if (!String.IsNullOrWhiteSpace(oidcClientOptions.ClientSecret))
- oidcClientOptions.ClientSecret = options.ClientSecret;
-#pragma warning restore CS0618
-
 if (options.RefreshTokenMessageHandler != null)
 oidcClientOptions.RefreshTokenInnerHttpHandler = options.RefreshTokenMessageHandler;
diff --git a/src/Auth0.OidcClient.Core/Auth0ClientOptions.cs b/src/Auth0.OidcClient.Core/Auth0ClientOptions.cs
index 1ce4423f..29cf2fb8 100644
--- a/src/Auth0.OidcClient.Core/Auth0ClientOptions.cs
+++ b/src/Auth0.OidcClient.Core/Auth0ClientOptions.cs
@@ -21,13 +21,6 @@ public class Auth0ClientOptions
 ///
 public string ClientId { get; set; }
- ///
- /// Your Auth0 Client Secret.
- ///
- [Obsolete("Client Secrets should not be used in non-confidential clients such as native desktop and mobile apps. " +
- "This property will be removed in a future release.")]
- public string ClientSecret { get; set; }
-
 ///
 /// Your Auth0 tenant domain.
 ///
diff --git a/src/Auth0.OidcClient.Core/Tokens/IdTokenValidator.cs b/src/Auth0.OidcClient.Core/Tokens/IdTokenValidator.cs
index d01a5103..778516c6 100644
--- a/src/Auth0.OidcClient.Core/Tokens/IdTokenValidator.cs
+++ b/src/Auth0.OidcClient.Core/Tokens/IdTokenValidator.cs
@@ -41,8 +41,8 @@ internal async Task AssertTokenMeetsRequirements(IdTokenRequirements required, s
 var token = DecodeToken(rawIDToken);
- // For now we want to support HS256 + ClientSecret as we just had a major release.
- // TODO: In the next major (v4.0) we should remove this condition as well as Auth0ClientOptions.ClientSecret
+ // Signature Verification is optional because the token endpoint is over HTTPS.
+ // As we allow HS256 signed Id token, but we do not have a Client Secret we skip signature verification for HS256.
 if (token.SignatureAlgorithm != "HS256")
 (signatureVerifier ?? await assymetricSignatureVerifier.ForJwks(required.Issuer)).VerifySignature(rawIDToken);
From bb4b1daa5cfc26c74e9dc6587e59bdb9fe5ca42b Mon Sep 17 00:00:00 2001
From: Frederik Prijck
Date: Tue, 5 Dec 2023 07:25:16 +0100
Subject: [PATCH 2/2] Drop support for WebView for WPF and Winforms and default to WebView2 (#308)
---
 nuget/Auth0.OidcClient.WPF.nuspec | 4 ++--
 nuget/Auth0.OidcClient.WinForms.nuspec | 4 ++--
 .../Auth0.OidcClient.WPF.csproj | 4 +---
 src/Auth0.OidcClient.WPF/WebViewBrowser.cs | 16 ++--------------
 .../Auth0.OidcClient.WinForms.csproj | 4 +---
 src/Auth0.OidcClient.WinForms/WebViewBrowser.cs | 16 ++--------------
 6 files changed, 10 insertions(+), 38 deletions(-)
diff --git a/nuget/Auth0.OidcClient.WPF.nuspec b/nuget/Auth0.OidcClient.WPF.nuspec
index 105b3ff8..62e7a35a 100644
--- a/nuget/Auth0.OidcClient.WPF.nuspec
+++ b/nuget/Auth0.OidcClient.WPF.nuspec
@@ -127,11 +127,11 @@
-
+
-
+
diff --git a/nuget/Auth0.OidcClient.WinForms.nuspec b/nuget/Auth0.OidcClient.WinForms.nuspec
index 6f67164c..d7faf9f8 100644
--- a/nuget/Auth0.OidcClient.WinForms.nuspec
+++ b/nuget/Auth0.OidcClient.WinForms.nuspec
@@ -120,11 +120,11 @@
-
+
-
+
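Review bot: In IdTokenValidator.cs the guard `if (token.SignatureAlgorithm != "HS256")` now means an ID token whose header declares HS256 is accepted with no signature check at all, and that algorithm value is read from the still-unverified token, so the token itself decides whether verification runs. The commit title says HS256 support is removed, yet the new comment says HS256 is still allowed; with no client secret left to verify it, rejecting HS256 outright (fail closed) would match the title better than skipping verification. If the skip is kept, the comment should state the precondition it relies on, e.g. `// SECURITY: only safe for ID tokens received directly from the token endpoint over validated TLS; never pass a token from any other channel.` AssertTokenMeetsRequirements starts and ends outside the hunk, so whether the later claim checks still run for HS256 tokens cannot be confirmed from here.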
diff --git a/src/Auth0.OidcClient.WPF/Auth0.OidcClient.WPF.csproj b/src/Auth0.OidcClient.WPF/Auth0.OidcClient.WPF.csproj
index 6bd023f2..5173e8b1 100644
--- a/src/Auth0.OidcClient.WPF/Auth0.OidcClient.WPF.csproj
+++ b/src/Auth0.OidcClient.WPF/Auth0.OidcClient.WPF.csproj
@@ -31,9 +31,7 @@
-
- 6.1.2
-
+
diff --git a/src/Auth0.OidcClient.WPF/WebViewBrowser.cs b/src/Auth0.OidcClient.WPF/WebViewBrowser.cs
index b9a77409..ff6cd8cd 100644
--- a/src/Auth0.OidcClient.WPF/WebViewBrowser.cs
+++ b/src/Auth0.OidcClient.WPF/WebViewBrowser.cs
@@ -1,9 +1,5 @@
 using IdentityModel.OidcClient.Browser;
-#if NET6_0
-using WebViewCompatible = Microsoft.Web.WebView2.Wpf.WebView2;
-#else
-using Microsoft.Toolkit.Wpf.UI.Controls;
-#endif
+using Microsoft.Web.WebView2.Wpf;
 using System;
 using System.Threading;
 using System.Threading.Tasks;
@@ -54,16 +50,12 @@ public async Task InvokeAsync(BrowserOptions options, Cancellatio
 var window = _windowFactory();
 #pragma warning disable 618
- var webView = new WebViewCompatible();
+ var webView = new WebView2();
 window.Content = webView;
 webView.NavigationStarting += (sender, e) =>
 {
-#if NET6_0
 if (e.Uri.StartsWith(options.EndUrl))
-#else
- if (e.Uri.AbsoluteUri.StartsWith(options.EndUrl))
-#endif
 {
 tcs.SetResult(new BrowserResult { ResultType = BrowserResultType.Success, Response = e.Uri.ToString() });
 if (_shouldCloseWindow)
@@ -82,12 +74,8 @@ public async Task InvokeAsync(BrowserOptions options, Cancellatio
 window.Show();
-#if NET6_0
 await webView.EnsureCoreWebView2Async();
 webView.CoreWebView2.Navigate(options.StartUrl);
-#else
- webView.Navigate(options.StartUrl);
-#endif
 return await tcs.Task;
 }
diff --git a/src/Auth0.OidcClient.WinForms/Auth0.OidcClient.WinForms.csproj b/src/Auth0.OidcClient.WinForms/Auth0.OidcClient.WinForms.csproj
index c4e88149..3abfb09e 100644
--- a/src/Auth0.OidcClient.WinForms/Auth0.OidcClient.WinForms.csproj
+++ b/src/Auth0.OidcClient.WinForms/Auth0.OidcClient.WinForms.csproj
@@ -31,9 +31,7 @@
-
- 6.1.2
-
+
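Review bot: `if (e.Uri.StartsWith(options.EndUrl))` in the NavigationStarting handler of WPF/WebViewBrowser.cs is now the only redirect check on every target framework, and it is a culture-sensitive raw string prefix test. A prefix test treats any URL that merely begins with the configured callback string as the callback and returns the whole URL as the `Response`; use an ordinal comparison, `e.Uri.StartsWith(options.EndUrl, StringComparison.Ordinal)`, and additionally require that the match stops at the end of the string or at `?` or `#`. The same line is kept in the second hunk of WinForms/WebViewBrowser.cs. The lambda body continues past the hunk, so any further handling of the navigation is not visible here.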
diff --git a/src/Auth0.OidcClient.WinForms/WebViewBrowser.cs b/src/Auth0.OidcClient.WinForms/WebViewBrowser.cs
index bc654290..0c42b65a 100644
--- a/src/Auth0.OidcClient.WinForms/WebViewBrowser.cs
+++ b/src/Auth0.OidcClient.WinForms/WebViewBrowser.cs
@@ -1,9 +1,5 @@
 using IdentityModel.OidcClient.Browser;
-#if NET6_0
-using WebViewCompatible = Microsoft.Web.WebView2.WinForms.WebView2;
-#else
-using Microsoft.Toolkit.Forms.UI.Controls;
-#endif
+using Microsoft.Web.WebView2.WinForms;
 using System;
 using System.Threading;
 using System.Threading.Tasks;
@@ -52,15 +48,11 @@ public async Task InvokeAsync(BrowserOptions options, Cancellatio
 var window = _formFactory();
 #pragma warning disable 618
- var webView = new WebViewCompatible { Dock = DockStyle.Fill };
+ var webView = new WebView2 { Dock = DockStyle.Fill };
 webView.NavigationStarting += (sender, e) =>
 {
-#if NET6_0
 if (e.Uri.StartsWith(options.EndUrl))
-#else
- if (e.Uri.AbsoluteUri.StartsWith(options.EndUrl))
-#endif
 {
 tcs.SetResult(new BrowserResult { ResultType = BrowserResultType.Success, Response = e.Uri.ToString() });
 window.Close();
@@ -77,12 +69,8 @@ public async Task InvokeAsync(BrowserOptions options, Cancellatio
 window.Show();
-#if NET6_0
 await webView.EnsureCoreWebView2Async();
 webView.CoreWebView2.Navigate(options.StartUrl);
-#else
- webView.Navigate(options.StartUrl);
-#endif
 return await tcs.Task;
 }
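Review bot: `await webView.EnsureCoreWebView2Async();` is now unconditional in the last hunk of WinForms/WebViewBrowser.cs (and of WPF/WebViewBrowser.cs), so every target framework depends on the WebView2 Runtime being present, but nothing visible handles a failed initialization. If that call throws, the exception leaves InvokeAsync after `window.Show()` has already run, which presumably leaves the login window open and the caller without a BrowserResult. Converting the failure into a result and closing the window, as sketched below, gives callers something they can handle; InvokeAsync starts outside the hunk, so an outer handler may already exist.

```csharp
window.Show();

try
{
    await webView.EnsureCoreWebView2Async();
    webView.CoreWebView2.Navigate(options.StartUrl);
}
catch (Exception ex)
{
    // WebView2 could not be initialised (e.g. runtime not installed): report it instead of leaving the window open.
    window.Close();
    return new BrowserResult { ResultType = BrowserResultType.UnknownError, Error = ex.Message };
}

return await tcs.Task;
```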