Merge pull request #247 from AdrianJSClark/oauth-authcode

Implement Callback to allow "Authorization Code Grant" Authentication

Author: AdrianJSClark

src/Aydsko.iRacingData.UnitTests/OAuth/OAuthPasswordLimitedAuthenticatingHttpClientTests.cs

@@ -35,7 +35,7 @@ public async Task GivenAnUnauthenticatedClient_WhenARequestIsMade_ThenTheTokenIs
                                                                                       "Secret-Client-Password");
 
         var fakeTimeProvider = new FakeTimeProvider(new(2025, 09, 13, 1, 0, 0, TimeSpan.Zero));
-        using var passwordLimitedClient = new OAuthPasswordLimitedAuthenticatingHttpClient(fakeHandler.GetClient(), options, fakeTimeProvider);
+        using var passwordLimitedClient = new PasswordLimitedOAuthAuthenticatingHttpClient(fakeHandler.GetClient(), options, fakeTimeProvider);
 
         using var testRequest = new HttpRequestMessage(HttpMethod.Get, new Uri("https://example.com/test-request"));
         var result = await passwordLimitedClient.SendAuthenticatedRequestAsync(testRequest).ConfigureAwait(false);
@@ -104,7 +104,7 @@ public async Task GivenAnAuthenticatedClient_WhenTimePasses_ThenTheRefreshTokenI
                                                                                       "Secret-Client-Password");
 
         var fakeTimeProvider = new FakeTimeProvider(new(2025, 09, 13, 1, 0, 0, TimeSpan.Zero));
-        using var passwordLimitedClient = new OAuthPasswordLimitedAuthenticatingHttpClient(fakeHandler.GetClient(), options, fakeTimeProvider);
+        using var passwordLimitedClient = new PasswordLimitedOAuthAuthenticatingHttpClient(fakeHandler.GetClient(), options, fakeTimeProvider);
 
         using var testRequest1 = new HttpRequestMessage(HttpMethod.Get, new Uri("https://example.com/test-request"));
         var result1 = await passwordLimitedClient.SendAuthenticatedRequestAsync(testRequest1).ConfigureAwait(false);

…sswordLimitedAuthenticatingHttpClient.cs …ata/OAuthAuthenticatingHttpClientBase.cssrc/Aydsko.iRacingData/OAuthPasswordLimitedAuthenticatingHttpClient.cs renamed to src/Aydsko.iRacingData/OAuthAuthenticatingHttpClientBase.cs src/Aydsko.iRacingData/OAuthPasswordLimitedAuthenticatingHttpClient.cs renamed to src/Aydsko.iRacingData/OAuthAuthenticatingHttpClientBase.cs

@@ -4,16 +4,48 @@
 
 namespace Aydsko.iRacingData;
 
-public class OAuthPasswordLimitedAuthenticatingHttpClient(HttpClient httpClient,
-                                                          iRacingDataClientOptions options,
-                                                          TimeProvider timeProvider)
-    : IDisposable, IAuthenticatingHttpClient
+public abstract class OAuthAuthenticatingHttpClientBase(HttpClient httpClient,
+                                                        iRacingDataClientOptions options,
+                                                        TimeProvider timeProvider)
+    : IDisposable
 {
+    protected HttpClient HttpClient { get; } = httpClient;
+    protected iRacingDataClientOptions Options { get; } = options;
+    protected TimeProvider TimeProvider { get; } = timeProvider;
+
     private readonly SemaphoreSlim loginSemaphore = new(1, 1);
-    private OAuthTokenResponse? tokenResponse;
+
     private DateTimeOffset? accessTokenExpiryInstantUtc;
-    private DateTimeOffset? refreshTokenExpiryInstantUtc;
     private bool disposedValue;
+    private DateTimeOffset? refreshTokenExpiryInstantUtc;
+    private OAuthTokenResponse? tokenResponse;
+
+    public void ClearLoggedInState()
+    {
+        tokenResponse = null;
+    }
+
+    // // TODO: override finalizer only if 'Dispose(bool disposing)' has code to free unmanaged resources
+    // ~OAuthAuthenticatingHttpClientBase()
+    // {
+    //     // Do not change this code. Put cleanup code in 'Dispose(bool disposing)' method
+    //     Dispose(disposing: false);
+    // }
+
+    public void Dispose()
+    {
+        // Do not change this code. Put cleanup code in 'Dispose(bool disposing)' method
+        Dispose(disposing: true);
+        GC.SuppressFinalize(this);
+    }
+
+    public async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
+                                                     HttpCompletionOption completionOption = HttpCompletionOption.ResponseContentRead,
+                                                     CancellationToken cancellationToken = default)
+    {
+        return await HttpClient.SendAsync(request, completionOption, cancellationToken)
+                               .ConfigureAwait(false);
+    }
 
     public async Task<HttpResponseMessage> SendAuthenticatedRequestAsync(HttpRequestMessage request,
                                                                          HttpCompletionOption completionOption = HttpCompletionOption.ResponseContentRead,
@@ -34,17 +66,20 @@ public async Task<HttpResponseMessage> SendAuthenticatedRequestAsync(HttpRequest
         return await SendAsync(request, completionOption, cancellationToken).ConfigureAwait(false);
     }
 
-    public async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
-                                                     HttpCompletionOption completionOption = HttpCompletionOption.ResponseContentRead,
-                                                     CancellationToken cancellationToken = default)
+    protected virtual void Dispose(bool disposing)
     {
-        return await httpClient.SendAsync(request, completionOption, cancellationToken)
-                               .ConfigureAwait(false);
-    }
+        if (!disposedValue)
+        {
+            if (disposing)
+            {
+                // TODO: dispose managed state (managed objects)
+                loginSemaphore.Dispose();
+            }
 
-    public void ClearLoggedInState()
-    {
-        tokenResponse = null;
+            // TODO: free unmanaged resources (unmanaged objects) and override finalizer
+            // TODO: set large fields to null
+            disposedValue = true;
+        }
     }
 
     private async Task<string> GetAccessTokenAsync(CancellationToken cancellationToken = default)
@@ -70,7 +105,7 @@ await loginSemaphore.WaitAsync(cancellationToken)
                 _ = loginSemaphore.Release();
             }
         }
-        else if (accessTokenExpiryInstantUtc <= timeProvider.GetUtcNow())
+        else if (accessTokenExpiryInstantUtc <= TimeProvider.GetUtcNow())
         {
             await loginSemaphore.WaitAsync(cancellationToken)
                                 .ConfigureAwait(false);
@@ -80,12 +115,12 @@ await loginSemaphore.WaitAsync(cancellationToken)
 #pragma warning disable IDE0074 // Use compound assignment
 
                 // If the refresh token doesn't exist or is expired it is no good so we'll need to request a whole new token.
-                if ((refreshTokenExpiryInstantUtc ?? DateTimeOffset.MinValue) <= timeProvider.GetUtcNow())
+                if ((refreshTokenExpiryInstantUtc ?? DateTimeOffset.MinValue) <= TimeProvider.GetUtcNow())
                 {
                     (tokenResponse, accessTokenExpiryInstantUtc, refreshTokenExpiryInstantUtc) = await RequestTokenAsync(cancellationToken).ConfigureAwait(false);
                     return tokenResponse.AccessToken;
                 }
-                else if (accessTokenExpiryInstantUtc <= timeProvider.GetUtcNow())
+                else if (accessTokenExpiryInstantUtc <= TimeProvider.GetUtcNow())
                 {
                     (tokenResponse, accessTokenExpiryInstantUtc, refreshTokenExpiryInstantUtc) = await RefreshTokenAsync(cancellationToken).ConfigureAwait(false);
                     return tokenResponse.AccessToken;
@@ -100,79 +135,7 @@ await loginSemaphore.WaitAsync(cancellationToken)
             }
         }
 
-            return tokenResponse.AccessToken;
-    }
-
-    private async Task<(OAuthTokenResponse Token, DateTimeOffset ExpiresAt, DateTimeOffset? RefreshTokenExpiresAt)> RequestTokenAsync(CancellationToken cancellationToken = default)
-    {
-        using var activity = AydskoDataClientDiagnostics.ActivitySource.StartActivity("Retrieve \"password_limited\" token", System.Diagnostics.ActivityKind.Client);
-
-        try
-        {
-            if (string.IsNullOrWhiteSpace(options.Username)
-                || string.IsNullOrWhiteSpace(options.Password)
-                || string.IsNullOrWhiteSpace(options.ClientId)
-                || string.IsNullOrWhiteSpace(options.ClientSecret))
-            {
-                throw new InvalidOperationException("All of \"Username\", \"Password\", \"ClientId\", and \"ClientSecret\" must be set in the options.");
-            }
-
-            if (string.IsNullOrWhiteSpace(options.AuthServiceBaseUrl)
-                || !Uri.TryCreate(options.AuthServiceBaseUrl, UriKind.Absolute, out var authServiceBaseUrl))
-            {
-                throw new InvalidOperationException("The \"AuthServiceBaseUrl\" must be a valid absolute URL in the iRacing Data Client options.");
-            }
-
-            var encodedPassword = options.PasswordIsEncoded ? options.Password : ApiClient.EncodePassword(options.Username!, options.Password!);
-            var encodedClientSecret = options.ClientSecretIsEncoded ? options.ClientSecret : ApiClient.EncodePassword(options.ClientId!, options.ClientSecret!);
-
-            using var newTokenRequest = new HttpRequestMessage(HttpMethod.Post,
-                                                               new Uri(authServiceBaseUrl, "/oauth2/token"))
-            {
-                Content = new FormUrlEncodedContent(
-                [
-                    new("grant_type", "password_limited"),
-                    new("client_id", options.ClientId),
-                    new("client_secret", encodedClientSecret),
-                    new("username", options.Username),
-                    new("password", encodedPassword),
-                    new("scope", "iracing.auth iracing.profile"),
-                ]),
-            };
-
-            var newTokenResponse = await httpClient.SendAsync(newTokenRequest, HttpCompletionOption.ResponseHeadersRead, cancellationToken)
-                                                   .ConfigureAwait(false);
-            var utcNow = timeProvider.GetUtcNow();
-
-            if (!newTokenResponse.IsSuccessStatusCode)
-            {
-#if NET6_0_OR_GREATER
-                var errorContent = await newTokenResponse.Content.ReadAsStringAsync(cancellationToken)
-                                                                 .ConfigureAwait(false);
-#else
-                var errorContent = await newTokenResponse.Content.ReadAsStringAsync()
-                                                                 .ConfigureAwait(false);
-#endif
-                throw new iRacingLoginFailedException($"Attempt to retrieve \"password_limited\" OAuth token failed with status code {newTokenResponse.StatusCode} and content: {errorContent}");
-            }
-
-            var token = await newTokenResponse.Content.ReadFromJsonAsync<OAuthTokenResponse>(cancellationToken)
-                                                      .ConfigureAwait(false)
-                        ?? throw new iRacingLoginFailedException("Failed to deserialize OAuth token response from iRacing API.");
-
-            var expiresAt = utcNow.AddSeconds(token.ExpiresInSeconds);
-            var refreshExpiresAt = token.RefreshTokenExpiresInSeconds != null ? utcNow.AddSeconds(token.RefreshTokenExpiresInSeconds.Value) : (DateTimeOffset?)null;
-
-            activity?.SetStatus(System.Diagnostics.ActivityStatusCode.Ok, "Token retrieved successfully");
-
-            return (token, expiresAt, refreshExpiresAt);
-        }
-        catch (Exception ex)
-        {
-            activity?.AddException(ex);
-            activity?.SetStatus(System.Diagnostics.ActivityStatusCode.Error, "Exception thrown retrieving token");
-            throw;
-        }
+        return tokenResponse.AccessToken;
     }
 
     private async Task<(OAuthTokenResponse Token, DateTimeOffset ExpiresAt, DateTimeOffset? RefreshTokenExpiresAt)> RefreshTokenAsync(CancellationToken cancellationToken = default)
@@ -181,14 +144,14 @@ await loginSemaphore.WaitAsync(cancellationToken)
 
         try
         {
-            if (string.IsNullOrWhiteSpace(options.ClientId)
-                || string.IsNullOrWhiteSpace(options.ClientSecret))
+            if (string.IsNullOrWhiteSpace(Options.ClientId)
+                || string.IsNullOrWhiteSpace(Options.ClientSecret))
             {
                 throw new InvalidOperationException("All of \"ClientId\" and \"ClientSecret\" must be set in the options.");
             }
 
-            if (string.IsNullOrWhiteSpace(options.AuthServiceBaseUrl)
-                || !Uri.TryCreate(options.AuthServiceBaseUrl, UriKind.Absolute, out var authServiceBaseUrl))
+            if (string.IsNullOrWhiteSpace(Options.AuthServiceBaseUrl)
+                || !Uri.TryCreate(Options.AuthServiceBaseUrl, UriKind.Absolute, out var authServiceBaseUrl))
             {
                 throw new InvalidOperationException("The \"AuthServiceBaseUrl\" must be a valid absolute URL in the iRacing Data Client options.");
             }
@@ -199,23 +162,23 @@ await loginSemaphore.WaitAsync(cancellationToken)
                 throw new InvalidOperationException("Previous response must have contained a refresh token value.");
             }
 
-            var encodedClientSecret = options.ClientSecretIsEncoded ? options.ClientSecret : ApiClient.EncodePassword(options.ClientId!, options.ClientSecret!);
+            var encodedClientSecret = Options.ClientSecretIsEncoded ? Options.ClientSecret : ApiClient.EncodePassword(Options.ClientId!, Options.ClientSecret!);
 
             using var newTokenRequest = new HttpRequestMessage(HttpMethod.Post,
                                                                new Uri(authServiceBaseUrl, "/oauth2/token"))
             {
                 Content = new FormUrlEncodedContent(
                 [
                     new("grant_type", "refresh_token"),
-                    new("client_id", options.ClientId),
+                    new("client_id", Options.ClientId),
                     new("client_secret", encodedClientSecret),
                     new("refresh_token", refreshToken),
                 ]),
             };
 
-            var newTokenResponse = await httpClient.SendAsync(newTokenRequest, HttpCompletionOption.ResponseHeadersRead, cancellationToken)
+            var newTokenResponse = await HttpClient.SendAsync(newTokenRequest, HttpCompletionOption.ResponseHeadersRead, cancellationToken)
                                                    .ConfigureAwait(false);
-            var utcNow = timeProvider.GetUtcNow();
+            var utcNow = TimeProvider.GetUtcNow();
 
             if (!newTokenResponse.IsSuccessStatusCode)
             {
@@ -248,33 +211,5 @@ await loginSemaphore.WaitAsync(cancellationToken)
         }
     }
 
-    protected virtual void Dispose(bool disposing)
-    {
-        if (!disposedValue)
-        {
-            if (disposing)
-            {
-                // TODO: dispose managed state (managed objects)
-                loginSemaphore.Dispose();
-            }
-
-            // TODO: free unmanaged resources (unmanaged objects) and override finalizer
-            // TODO: set large fields to null
-            disposedValue = true;
-        }
-    }
-
-    // // TODO: override finalizer only if 'Dispose(bool disposing)' has code to free unmanaged resources
-    // ~OAuthPasswordLimitedAuthenticatingHttpClient()
-    // {
-    //     // Do not change this code. Put cleanup code in 'Dispose(bool disposing)' method
-    //     Dispose(disposing: false);
-    // }
-
-    public void Dispose()
-    {
-        // Do not change this code. Put cleanup code in 'Dispose(bool disposing)' method
-        Dispose(disposing: true);
-        GC.SuppressFinalize(this);
-    }
+    protected abstract Task<(OAuthTokenResponse Token, DateTimeOffset ExpiresAt, DateTimeOffset? RefreshTokenExpiresAt)> RequestTokenAsync(CancellationToken cancellationToken = default);
 }

src/Aydsko.iRacingData/OAuthCallbackAuthenticatingApiClient.cs

@@ -0,0 +1,42 @@
+using Aydsko.iRacingData.Exceptions;
+
+namespace Aydsko.iRacingData;
+
+public delegate Task<OAuthTokenResponse> GetOAuthTokenResponse(CancellationToken cancellationToken = default);
+
+public class OAuthCallbackAuthenticatingApiClient(HttpClient httpClient,
+                                                  iRacingDataClientOptions options,
+                                                  TimeProvider timeProvider)
+    : OAuthAuthenticatingHttpClientBase(httpClient, options, timeProvider), IAuthenticatingHttpClient
+{
+    protected override async Task<(OAuthTokenResponse Token, DateTimeOffset ExpiresAt, DateTimeOffset? RefreshTokenExpiresAt)> RequestTokenAsync(CancellationToken cancellationToken = default)
+    {
+        if (Options.OAuthTokenResponseCallback is null)
+        {
+            throw new InvalidOperationException("The OAuthTokenResponseCallback must be set in the options.");
+        }
+        using var activity = AydskoDataClientDiagnostics.ActivitySource.StartActivity("Retrieve token via callback", System.Diagnostics.ActivityKind.Client);
+
+        try
+        {
+            var token = await Options.OAuthTokenResponseCallback(cancellationToken)
+                                     .ConfigureAwait(false)
+                        ?? throw new iRacingLoginFailedException("The OAuthTokenResponseCallback returned null.");
+
+            var utcNow = TimeProvider.GetUtcNow();
+
+            var expiresAt = utcNow.AddSeconds(token.ExpiresInSeconds);
+            var refreshExpiresAt = token.RefreshTokenExpiresInSeconds != null ? utcNow.AddSeconds(token.RefreshTokenExpiresInSeconds.Value) : (DateTimeOffset?)null;
+
+            activity?.SetStatus(System.Diagnostics.ActivityStatusCode.Ok, "Token retrieved successfully");
+
+            return (token, expiresAt, refreshExpiresAt);
+        }
+        catch (Exception ex)
+        {
+            activity?.AddException(ex);
+            activity?.SetStatus(System.Diagnostics.ActivityStatusCode.Error, "Exception thrown retrieving token");
+            throw;
+        }
+    }
+}

src/Aydsko.iRacingData/Package Release Notes.txt

@@ -1,3 +1,14 @@
+NEW FEATURE: iRacing OAuth "Authorization Code Grant" Authentication
+- Allows authentication using the "/authorize" endpoint via a callback.
+- This authentication, or "Password Limited Grant", will be required after 9 Dec 2025 (see https://forums.iracing.com/discussion/84226/legacy-authentication-removal-dec-9-2025).
+- See https://oauth.iracing.com/oauth2/book/token_endpoint.html#authorization-code-grant for more information.
+
+
+
+============================
+ Release Notes for 2504.0.1
+============================
+
 BREAKING CHANGES:
 - "IDataClient.GetMemberChartData" method was removed. Use "IDataClient.GetMemberChartDataAsync" instead.
 - The "TrackScreenshotService" class has been removed. Use "IDataClient.GetTrackAssetScreenshotUris\" or "IDataClient.GetTrackAssetScreenshotUrisAsync" instead.