This repository has been archived by the owner on Feb 5, 2025. It is now read-only.

RevocationEndpoint not processed properly after update to OpenIdConnectConfigurationSerializer #1373

Closed
simona-aveva opened this issue Aug 15, 2024 · 10 comments
Comments

@simona-aveva

simona-aveva commented Aug 15, 2024

Which version of Duende.AccessTokenManagement are you using?
2.1.0.0
Which version of .NET are you using?
net8.0
Describe the bug
Revocation Endpoint no longer populated correctly after the update to azure-activedirectory-identitymodel-extensions-for-dotnet
RevocationEndpoint is now in a field in the OpenIdConnectConfiguration, no longer part of the AdditionalData as per this commit -> https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/2abca63b078a0b6b8d0e1b7fab13976387aca168/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/Json/OpenIdConnectConfigurationSerializer.cs
This means that the endpoint is not returned when copying to the OpenIdConnectClientConfiguration structure in GetOpenIdConnectConfigurationAsync in OpenIdConnectConfigurationService:
    return new OpenIdConnectClientConfiguration
    {
        Scheme = configScheme,

        Authority = options.Authority,
        TokenEndpoint = configuration.TokenEndpoint,
        RevocationEndpoint = configuration.AdditionalData.TryGetValue(OidcConstants.Discovery.RevocationEndpoint, out var value) ? value?.ToString() : null,

        ClientId = options.ClientId,
        ClientSecret = options.ClientSecret,
        HttpClient = options.Backchannel,
    };

This then causes an InvalidOperationException to be thrown in UserTokenEndpointService RevokeRefreshTokenAsync.

To Reproduce
Configure a revocation endpoint and try to revoke.

Expected behavior

RevocationEndpoint is populated correctly and the RevokeRefreshTokenAsync function does not throw an exception.

Log output/exception with stacktrace

InvalidOperationException: Revocation endpoint not configured
Duende.AccessTokenManagement.OpenIdConnect.UserTokenEndpointService.RevokeRefreshTokenAsync(UserToken userToken, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in UserTokenEndpointService.cs
Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService.RevokeRefreshTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in UserAccessTokenManagementService.cs
Microsoft.AspNetCore.Authentication.TokenManagementHttpContextExtensions.RevokeRefreshTokenAsync(HttpContext httpContext, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in TokenManagementHttpContextExtensions.cs
Duende.Bff.PostConfigureApplicationCookieRevokeRefreshToken+<>c__DisplayClass5_0+<<CreateCallback>g__Callback|0>d.MoveNext() in PostConfigureApplicationCookieRevokeRefreshToken.cs
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler.HandleSignOutAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationService.SignOutAsync(HttpContext context, string scheme, AuthenticationProperties properties)
Duende.Bff.DefaultLogoutService.ProcessRequestAsync(HttpContext context) in DefaultLogoutService.cs
Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
Duende.Bff.Endpoints.BffMiddleware.Invoke(HttpContext context) in BffMiddleware.cs
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
DevStudio.Host.Startup+<>c__DisplayClass9_0+<<Configure>b__1>d.MoveNext() in Startup.cs
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)


Additional context

I am very happy to produce a PR for this, just not sure about backwards functionality.

@stashaway

Any movement on this? I'm experiencing the same bug.

@RolandGuijt

Most likely this has to do with the fact that you're using Microsoft.IdentityModel.* packages that are newer than the ones we tested. Please make sure that the versions of these packages match with the versions IdentityServer uses. (7.1.2 assuming you're using IdentityServer 7.06)
More information on how to check and fix this here.

@RolandGuijt

@simona-aveva Did my comment solve the issue for you? If not please feel free to add a comment. If it did I would like to close the issue.

@AntonZhuchkovXOR

AntonZhuchkovXOR commented Sep 9, 2024

@RolandGuijt

Most likely this has to do with the fact that you're using Microsoft.IdentityModel.* packages that are newer than the ones we tested. Please make sure that the versions of these packages match with the versions IdentityServer uses.

Had the same issue. Yes, seems like upgrading Microsoft.Identity.* and System.IdentityModel.* packages to 8.0.* was a problem.

Downgrading them back to 7.6.0 did the trick.

@simona-aveva
Author

@RolandGuijt Rather than downgrade I just injected my own version of IOpenIdConnectConfigurationService with RevocationEndpoint = configuration.RevocationEndpoint, so please feel free to close the issue.

@stashaway

When can we expect Duende to be compatible with version 8 of those packages?

@c5racing

c5racing commented Nov 3, 2024

@RolandGuijt Rather than downgrade I just injected my own version of IOpenIdConnectConfigurationService with RevocationEndpoint = configuration.RevocationEndpoint, so please feel free to close the issue.

Can you provide an example of exactly what you've done @RolandGuijt? I'm having the same issue.

@AndersAbel
Member

AndersAbel commented Nov 4, 2024

@stashaway For a given version of Asp.Net Core, Duende Software follows the Microsoft.IdentityModel.* version of the Microsoft.AspNetCore.Authentication.OpenIdConnect package. Asp.Net Core 8 (running on .NET 8) uses version 7.x of Microsoft.IdentityModel.*. Asp.Net Core 9 (running on .NET 9) uses version 8.x of the Microsoft.IdentityModel.* packages. Version 7.1 of IdentityServer (currently in preview) introduces .NET 9 targeting and will use Microsoft.IdentityModel.* for the .NET 9 target.

There is an issue to track work for .NET 9 compatibility for the access token management library: DuendeSoftware/foss#51

@c5racing did you intend to ping @simona-aveva with your comment?

@c5racing

c5racing commented Nov 4, 2024

Thank you @stashaway, I did indeed tag the wrong person, I meant @simona-aveva. Thank you for the explanation. We are in the midst of upgrading and refactoring for .NET9. We have upgraded to Identity Server Version 7.1 and still encounter this same issue.

@simona-aveva
Author

@c5racing I injected my own version of IOpenIdConnectConfigurationService (basically a copy of https://github.com/DuendeSoftware/Duende.AccessTokenManagement/blob/main/src/Duende.AccessTokenManagement.OpenIdConnect/OpenIdConnectConfigurationService.cs) before adding Bff services in Startup.cs and then simply changed the code in GetOpenIdConnectConfigurationAsync as such:

    return new OpenIdConnectClientConfiguration
    {
        Scheme = configScheme,

        Authority = options.Authority,
        TokenEndpoint = configuration.TokenEndpoint,

        // https://github.com/DuendeSoftware/Support/issues/1373
        RevocationEndpoint = configuration.RevocationEndpoint,

        ClientId = options.ClientId,
        ClientSecret = options.ClientSecret,
        HttpClient = options.Backchannel,
    };

Hope this helps.
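As an added example (not code from this thread or from Duende), here is a complete configuration service along the lines simona-aveva describes, extended so that the mapping prefers the typed RevocationEndpoint property and falls back to the older AdditionalData lookup. It assumes Duende.AccessTokenManagement 2.x on net8.0 with implicit usings, Microsoft.IdentityModel 8.x (where OpenIdConnectConfiguration.RevocationEndpoint exists), and that the scheme-resolution steps mirror the library's own OpenIdConnectConfigurationService; the class name RevocationAwareOidcConfigurationService is hypothetical.

```csharp
using Duende.AccessTokenManagement.OpenIdConnect;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Hypothetical drop-in for the library's OpenIdConnectConfigurationService (C# 12 primary constructor).
public class RevocationAwareOidcConfigurationService(
    IOptions<UserTokenManagementOptions> tokenOptions,
    IOptionsMonitor<OpenIdConnectOptions> oidcOptions,
    IAuthenticationSchemeProvider schemes) : IOpenIdConnectConfigurationService
{
    public async Task<OpenIdConnectClientConfiguration> GetOpenIdConnectConfigurationAsync(string? schemeName = null)
    {
        // Scheme resolution, assumed to mirror the library: explicit name -> ChallengeScheme -> default challenge scheme.
        var configScheme = schemeName ?? tokenOptions.Value.ChallengeScheme;
        if (string.IsNullOrWhiteSpace(configScheme))
        {
            var defaultScheme = await schemes.GetDefaultChallengeSchemeAsync()
                ?? throw new InvalidOperationException("No default challenge scheme configured");
            configScheme = defaultScheme.Name;
        }

        var options = oidcOptions.Get(configScheme);
        // ConfigurationManager serves the (cached) discovery document for the authority.
        var configuration = await options.ConfigurationManager!.GetConfigurationAsync(CancellationToken.None);

        return new OpenIdConnectClientConfiguration
        {
            Scheme = configScheme,
            Authority = options.Authority,
            TokenEndpoint = configuration.TokenEndpoint,
            RevocationEndpoint = ResolveRevocationEndpoint(configuration),
            ClientId = options.ClientId,
            ClientSecret = options.ClientSecret,
            HttpClient = options.Backchannel,
        };
    }

    // Microsoft.IdentityModel 8.x deserializes revocation_endpoint into a typed property; earlier
    // versions left it in AdditionalData, so that lookup is kept as the fallback.
    private static string? ResolveRevocationEndpoint(OpenIdConnectConfiguration configuration) =>
        !string.IsNullOrEmpty(configuration.RevocationEndpoint)
            ? configuration.RevocationEndpoint
            : configuration.AdditionalData.TryGetValue(OidcConstants.Discovery.RevocationEndpoint, out var value)
                ? value?.ToString()
                : null;
}
```

Register it before the BFF services, as described in the comment above, e.g. services.AddTransient<IOpenIdConnectConfigurationService, RevocationAwareOidcConfigurationService>(); if RevokeRefreshTokenAsync still throws "Revocation endpoint not configured", check that the authority's discovery document actually advertises revocation_endpoint.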
