From 81cc5faa6adbd4d83776bca291f671e864495889 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 20 Feb 2026 14:14:36 +0000
Subject: [PATCH 1/5] [deps] Auth: Update Duende.IdentityServer to 7.4.6
---
src/Core/Core.csproj | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Core/Core.csproj b/src/Core/Core.csproj
index 54a8a0483fb2..62daa4b38f01 100644
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -54,7 +54,7 @@
-
+
From bcd8414af4622b1571948d6b249f7515633709ca Mon Sep 17 00:00:00 2001
From: Ike Kottlowski
Date: Tue, 3 Mar 2026 23:03:15 -0500
Subject: [PATCH 2/5] fix: address test changes required to complete the update
---
src/Identity/Utilities/DiscoveryResponseGenerator.cs | 6 ++++++
.../Endpoints/IdentityServerSsoTests.cs | 2 +-
.../Endpoints/IdentityServerTwoFactorTests.cs | 2 +-
test/Identity.IntegrationTest/openid-configuration.json | 5 +----
4 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/src/Identity/Utilities/DiscoveryResponseGenerator.cs b/src/Identity/Utilities/DiscoveryResponseGenerator.cs
index 58d9252f2ddf..9e451be8ac2a 100644
--- a/src/Identity/Utilities/DiscoveryResponseGenerator.cs
+++ b/src/Identity/Utilities/DiscoveryResponseGenerator.cs
@@ -29,6 +29,12 @@ public override async Task> CreateDiscoveryDocumentAs
string baseUrl, string issuerUri)
{
var dict = await base.CreateDiscoveryDocumentAsync(baseUrl, issuerUri);
+
+ // Remove metadata for endpoints/features we don't support
+ dict.Remove("revocation_endpoint_auth_methods_supported");
+ dict.Remove("introspection_endpoint_auth_methods_supported");
+ dict.Remove("backchannel_authentication_request_signing_alg_values_supported");
+
return CoreHelpers.AdjustIdentityServerConfig(dict, _globalSettings.BaseServiceUri.Identity,
_globalSettings.BaseServiceUri.InternalIdentity);
}
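Review bot: The comment on the added lines says the three keys describe endpoints/features that are not supported, but only the `*_auth_methods_supported` / `*_signing_alg_values_supported` entries are dropped while `revocation_endpoint`, `introspection_endpoint` and `backchannel_authentication_endpoint` stay advertised (the expected document added in patch 4 still lists all three). Either drop the endpoint entries as well, so relying parties do not discover endpoints that are genuinely unsupported, or reword the comment to state the actual reason, e.g. `// Strip metadata keys that appear to have been introduced by the IdentityServer upgrade so the published discovery document stays stable; the endpoints themselves remain advertised`. The same block is moved verbatim into `CoreHelpers.AdjustIdentityServerConfig` in patch 3, so the wording applies there too. `CreateDiscoveryDocumentAsync` starts before this hunk.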
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
index 1ed2cac17ac8..fac02095592b 100644
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerSsoTests.cs
@@ -642,7 +642,7 @@ await ssoConfigRepository.CreateAsync(new SsoConfig
new Claim("organizationId", organization.Id.ToString()),
new Claim(JwtClaimTypes.SessionId, "SOMETHING"),
new Claim(JwtClaimTypes.AuthenticationMethod, "external"),
- new Claim(JwtClaimTypes.AuthenticationTime, DateTime.UtcNow.AddMinutes(-1).ToEpochTime().ToString())
+ new Claim(JwtClaimTypes.AuthenticationTime, new DateTimeOffset(DateTime.UtcNow.AddMinutes(-1)).ToUnixTimeSeconds().ToString())
}, "Duende.IdentityServer", JwtClaimTypes.Name, JwtClaimTypes.Role));
authorizationCode.Subject = subject;
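Review bot: `new DateTimeOffset(DateTime.UtcNow.AddMinutes(-1))` only yields a zero offset because `DateTime.UtcNow` carries `Kind == Utc`; `DateTimeOffset.UtcNow.AddMinutes(-1).ToUnixTimeSeconds()` expresses the `auth_time` value directly without depending on the `DateTime` kind. Appending `.ToString(CultureInfo.InvariantCulture)` instead of the bare `ToString()` also satisfies CA1305 for a machine-readable claim value. The identical line is changed in `IdentityServerTwoFactorTests.cs` in the next hunk, and both hunks sit inside test methods that begin outside the hunk.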
diff --git a/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs b/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
index a04b8acf1908..354fcb25cea3 100644
--- a/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
+++ b/test/Identity.IntegrationTest/Endpoints/IdentityServerTwoFactorTests.cs
@@ -504,7 +504,7 @@ await ssoConfigRepository.CreateAsync(new SsoConfig
new Claim("organizationId", organization.Id.ToString()),
new Claim(JwtClaimTypes.SessionId, "SOMETHING"),
new Claim(JwtClaimTypes.AuthenticationMethod, "external"),
- new Claim(JwtClaimTypes.AuthenticationTime, DateTime.UtcNow.AddMinutes(-1).ToEpochTime().ToString())
+ new Claim(JwtClaimTypes.AuthenticationTime, new DateTimeOffset(DateTime.UtcNow.AddMinutes(-1)).ToUnixTimeSeconds().ToString())
], "Duende.IdentityServer", JwtClaimTypes.Name, JwtClaimTypes.Role));
authorizationCode.Subject = subject;
diff --git a/test/Identity.IntegrationTest/openid-configuration.json b/test/Identity.IntegrationTest/openid-configuration.json
index 96014764bd7b..739d7226065b 100644
--- a/test/Identity.IntegrationTest/openid-configuration.json
+++ b/test/Identity.IntegrationTest/openid-configuration.json
@@ -75,10 +75,7 @@
"PS512",
"ES256",
"ES384",
- "ES512",
- "HS256",
- "HS384",
- "HS512"
+ "ES512"
],
"prompt_values_supported": ["none", "login", "consent", "select_account"],
"authorization_response_iss_parameter_supported": true,
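Review bot: This fixture update records that `request_object_signing_alg_values_supported` no longer lists HS256/HS384/HS512, i.e. request objects signed with a client's shared secret are no longer advertised after the upgrade (whether the server still accepts them is not visible here). That is a compatibility-relevant change — and a security-positive one, since symmetric-key request-object signing is withdrawn — which the commit message `address test changes required to complete the update` does not mention. It should be called out in the PR description or changelog so operators with clients that rely on HS-signed request objects are not surprised.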
From af9d57d7afecbb68cf604ad57cbcb0991cb29784 Mon Sep 17 00:00:00 2001
From: Ike Kottlowski
Date: Tue, 17 Mar 2026 14:33:58 -0400
Subject: [PATCH 3/5] feat: move Discovery Generateion to CoreHelpers.cs
---
src/Core/Utilities/CoreHelpers.cs | 5 +++++
src/Identity/Utilities/DiscoveryResponseGenerator.cs | 6 ------
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/Core/Utilities/CoreHelpers.cs b/src/Core/Utilities/CoreHelpers.cs
index c6815c31b0ba..d72d78d2badc 100644
--- a/src/Core/Utilities/CoreHelpers.cs
+++ b/src/Core/Utilities/CoreHelpers.cs
@@ -680,6 +680,11 @@ public static bool IsCorsOriginAllowed(string origin, GlobalSettings globalSetti
public static Dictionary AdjustIdentityServerConfig(Dictionary configDict,
string publicServiceUri, string internalServiceUri)
{
+ // Remove metadata for endpoints/features we don't support
+ configDict.Remove("revocation_endpoint_auth_methods_supported");
+ configDict.Remove("introspection_endpoint_auth_methods_supported");
+ configDict.Remove("backchannel_authentication_request_signing_alg_values_supported");
+
var dictReplace = new Dictionary();
foreach (var item in configDict)
{
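Review bot: `AdjustIdentityServerConfig` now mutates its `configDict` argument before building `dictReplace`, which is a new side effect for callers of a public static helper; the rest of the method is outside the hunk, so whether the input was previously left untouched is inferred from the copy loop that follows. If in-place removal is intended, document it in the method's XML doc (`/// <remarks>Removes discovery metadata keys this deployment does not publish from <paramref name="configDict"/> in place.</remarks>`). Style-wise, the three hard-coded strings are easier to extend and unit-test as a `private static readonly string[] s_unsupportedDiscoveryKeys = [ ... ];` iterated with `foreach (var key in s_unsupportedDiscoveryKeys) { configDict.Remove(key); }`, which also keeps the comment attached to the list rather than to the call site.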
diff --git a/src/Identity/Utilities/DiscoveryResponseGenerator.cs b/src/Identity/Utilities/DiscoveryResponseGenerator.cs
index 9e451be8ac2a..58d9252f2ddf 100644
--- a/src/Identity/Utilities/DiscoveryResponseGenerator.cs
+++ b/src/Identity/Utilities/DiscoveryResponseGenerator.cs
@@ -29,12 +29,6 @@ public override async Task> CreateDiscoveryDocumentAs
string baseUrl, string issuerUri)
{
var dict = await base.CreateDiscoveryDocumentAsync(baseUrl, issuerUri);
-
- // Remove metadata for endpoints/features we don't support
- dict.Remove("revocation_endpoint_auth_methods_supported");
- dict.Remove("introspection_endpoint_auth_methods_supported");
- dict.Remove("backchannel_authentication_request_signing_alg_values_supported");
-
return CoreHelpers.AdjustIdentityServerConfig(dict, _globalSettings.BaseServiceUri.Identity,
_globalSettings.BaseServiceUri.InternalIdentity);
}
From ce7a509b1f30af8bc409c2e3625d35b42f6df422 Mon Sep 17 00:00:00 2001
From: Ike Kottlowski
Date: Tue, 17 Mar 2026 14:34:36 -0400
Subject: [PATCH 4/5] test: add SSO discovery document tests
---
.../Endpoints/SsoConfigurationTests.cs | 35 ++++++
.../openid-configuration.json | 107 ++++++++++++++++++
2 files changed, 142 insertions(+)
create mode 100644 bitwarden_license/test/Sso.IntegrationTest/Endpoints/SsoConfigurationTests.cs
create mode 100644 bitwarden_license/test/Sso.IntegrationTest/openid-configuration.json
diff --git a/bitwarden_license/test/Sso.IntegrationTest/Endpoints/SsoConfigurationTests.cs b/bitwarden_license/test/Sso.IntegrationTest/Endpoints/SsoConfigurationTests.cs
new file mode 100644
index 000000000000..d26ce7b655de
--- /dev/null
+++ b/bitwarden_license/test/Sso.IntegrationTest/Endpoints/SsoConfigurationTests.cs
@@ -0,0 +1,35 @@
+using System.Text.Json;
+using Bit.IntegrationTestCommon.Factories;
+using Bit.Sso.IntegrationTest.Utilities;
+using Bit.Test.Common.Helpers;
+using Xunit;
+
+namespace Bit.Sso.IntegrationTest.Endpoints;
+
+public class SsoConfigurationTests : IClassFixture
+{
+ private readonly SsoApplicationFactory _factory;
+
+ public SsoConfigurationTests(SsoApplicationFactory factory)
+ {
+ _factory = factory;
+ }
+
+ [Fact]
+ public async Task WellKnownEndpoint_Success()
+ {
+ var context = await _factory.Server.GetAsync("/.well-known/openid-configuration");
+
+ using var body = await AssertHelper.AssertResponseTypeIs(context);
+ var endpointRoot = body.RootElement;
+
+ // WARNING: Edits to this file should NOT just be made to "get the test to work" they should be made when intentional
+ // changes were made to this endpoint and proper testing will take place to ensure clients are backwards compatible
+ // or loss of functionality is properly noted.
+ await using var fs = File.OpenRead("openid-configuration.json");
+ using var knownConfiguration = await JsonSerializer.DeserializeAsync(fs);
+ var knownConfigurationRoot = knownConfiguration!.RootElement;
+
+ AssertHelper.AssertEqualJson(endpointRoot, knownConfigurationRoot);
+ }
+}
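Review bot: `File.OpenRead("openid-configuration.json")`, just below the WARNING comment, resolves against the process working directory, so the test passes or fails depending on where the runner was launched rather than on the build output. Anchoring the path to the test assembly's directory, `await using var fs = File.OpenRead(Path.Combine(AppContext.BaseDirectory, "openid-configuration.json"));`, removes that dependency (the fixture must still be copied to output, which the csproj is not shown here). The `knownConfiguration!` null-forgiving operator is acceptable since a deserialized discovery document can only be null for a literal `null` payload, but a short comment saying so would spare the next reader the question.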
diff --git a/bitwarden_license/test/Sso.IntegrationTest/openid-configuration.json b/bitwarden_license/test/Sso.IntegrationTest/openid-configuration.json
new file mode 100644
index 000000000000..be88ecd19f97
--- /dev/null
+++ b/bitwarden_license/test/Sso.IntegrationTest/openid-configuration.json
@@ -0,0 +1,107 @@
+{
+ "issuer": "http://localhost",
+ "jwks_uri": "http://localhost:51822/.well-known/openid-configuration/jwks",
+ "authorization_endpoint": "http://localhost:51822/connect/authorize",
+ "token_endpoint": "http://localhost:51822/connect/token",
+ "userinfo_endpoint": "http://localhost:51822/connect/userinfo",
+ "end_session_endpoint": "http://localhost:51822/connect/endsession",
+ "check_session_iframe": "http://localhost/connect/checksession",
+ "revocation_endpoint": "http://localhost:51822/connect/revocation",
+ "introspection_endpoint": "http://localhost:51822/connect/introspect",
+ "device_authorization_endpoint": "http://localhost:51822/connect/deviceauthorization",
+ "backchannel_authentication_endpoint": "http://localhost:51822/connect/ciba",
+ "pushed_authorization_request_endpoint": "http://localhost:51822/connect/par",
+ "require_pushed_authorization_requests": false,
+ "frontchannel_logout_supported": true,
+ "frontchannel_logout_session_supported": true,
+ "backchannel_logout_supported": true,
+ "backchannel_logout_session_supported": true,
+ "scopes_supported": [
+ "openid",
+ "profile",
+ "offline_access"
+ ],
+ "claims_supported": [
+ "sub",
+ "name",
+ "family_name",
+ "given_name",
+ "middle_name",
+ "nickname",
+ "preferred_username",
+ "profile",
+ "picture",
+ "website",
+ "gender",
+ "birthdate",
+ "zoneinfo",
+ "locale",
+ "updated_at"
+ ],
+ "grant_types_supported": [
+ "authorization_code",
+ "client_credentials",
+ "refresh_token",
+ "implicit",
+ "urn:ietf:params:oauth:grant-type:device_code",
+ "urn:openid:params:grant-type:ciba"
+ ],
+ "response_types_supported": [
+ "code",
+ "token",
+ "id_token",
+ "id_token token",
+ "code id_token",
+ "code token",
+ "code id_token token"
+ ],
+ "response_modes_supported": [
+ "form_post",
+ "query",
+ "fragment"
+ ],
+ "token_endpoint_auth_methods_supported": [
+ "client_secret_basic",
+ "client_secret_post"
+ ],
+ "id_token_signing_alg_values_supported": ["RS256"],
+ "userinfo_signing_alg_values_supported": ["RS256"],
+ "introspection_signing_alg_values_supported": ["RS256"],
+ "subject_types_supported": ["public"],
+ "code_challenge_methods_supported": [
+ "plain",
+ "S256"
+ ],
+ "request_parameter_supported": true,
+ "request_object_signing_alg_values_supported": [
+ "RS256",
+ "RS384",
+ "RS512",
+ "PS256",
+ "PS384",
+ "PS512",
+ "ES256",
+ "ES384",
+ "ES512"
+ ],
+ "prompt_values_supported": [
+ "none",
+ "login",
+ "consent",
+ "select_account"
+ ],
+ "authorization_response_iss_parameter_supported": true,
+ "backchannel_token_delivery_modes_supported": ["poll"],
+ "backchannel_user_code_parameter_supported": true,
+ "dpop_signing_alg_values_supported": [
+ "RS256",
+ "RS384",
+ "RS512",
+ "PS256",
+ "PS384",
+ "PS512",
+ "ES256",
+ "ES384",
+ "ES512"
+ ]
+}
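Review bot: `check_session_iframe` is `http://localhost/connect/checksession` while every other endpoint in this fixture carries port `51822`, and `issuer` is likewise unported; if `AdjustIdentityServerConfig` rewrites internal URIs to the public service URI, this looks like a key the rewrite does not cover (that method's loop body is outside the patch 3 hunk, so this is inferred). It is worth confirming whether the unported value is intentional before the WARNING comment in `SsoConfigurationTests` freezes it as the contract. Separately, the fixture bakes in `code_challenge_methods_supported` as `["plain", "S256"]`; if public clients are expected to use S256 only, that server setting deserves its own review rather than being silently fixed by the expected document.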
From a397fbc51d184a466ac8fe53493e8ebacd9f577a Mon Sep 17 00:00:00 2001
From: Ike Kottlowski
Date: Tue, 17 Mar 2026 14:45:54 -0400
Subject: [PATCH 5/5] chore: dotnet format
---
.../test/Sso.IntegrationTest/Endpoints/SsoConfigurationTests.cs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bitwarden_license/test/Sso.IntegrationTest/Endpoints/SsoConfigurationTests.cs b/bitwarden_license/test/Sso.IntegrationTest/Endpoints/SsoConfigurationTests.cs
index d26ce7b655de..1bbee62902ae 100644
--- a/bitwarden_license/test/Sso.IntegrationTest/Endpoints/SsoConfigurationTests.cs
+++ b/bitwarden_license/test/Sso.IntegrationTest/Endpoints/SsoConfigurationTests.cs
@@ -1,4 +1,4 @@
-using System.Text.Json;
+using System.Text.Json;
using Bit.IntegrationTestCommon.Factories;
using Bit.Sso.IntegrationTest.Utilities;
using Bit.Test.Common.Helpers;