IdentityShroud/IdentityShroud.Core/Services/ClientService.cs

using System.Security.Cryptography;
using IdentityShroud.Core.Contracts;
using IdentityShroud.Core.Model;
using Microsoft.EntityFrameworkCore;

namespace IdentityShroud.Core.Services;

public class ClientService(
    Db db,
    IDataEncryptionService cryptor,
    IClock clock) : IClientService
{
    public async Task<Result<Client>> Create(Guid realmId, ClientCreateRequest request, CancellationToken ct = default)
    {
        Client client = new()
        {
            RealmId = realmId,
            ClientId = request.ClientId,
            Name = request.Name,
            Description = request.Description,
            SignatureAlgorithm = request.SignatureAlgorithm,
            AllowClientCredentialsFlow = request.AllowClientCredentialsFlow ?? false,
            CreatedAt = clock.UtcNow(),
        };
        
        if (client.AllowClientCredentialsFlow)
        {
            client.Secrets.Add(CreateSecret());
        }

        await db.AddAsync(client, ct);
        await db.SaveChangesAsync(ct);

        return client;
    }

    public async Task<Client?> GetByClientId(
        Guid realmId,
        string clientId, 
        CancellationToken ct = default)
    {
        return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId && c.RealmId == realmId, ct);
    }

    public async Task<Client?> FindById(
        Guid realmId,
        int id, 
        CancellationToken ct = default)
    {
        return await db.Clients.FirstOrDefaultAsync(c => c.Id == id && c.RealmId == realmId, ct);
    }

    private ClientSecret CreateSecret()
    {
        Span<byte> secret = stackalloc byte[24];
        RandomNumberGenerator.Fill(secret);

        return new ClientSecret()
        {
            CreatedAt = clock.UtcNow(),
            Secret = cryptor.Encrypt(secret.ToArray()),
        };

    }
}
5-improve-encrypted-storage (#6) Added the use of DEK's for encryption of secrets. Both the KEK's and DEK's are stored in a way that you can have multiple key of which one is active. But the others are still available for decrypting. This allows for implementing key rotation. Co-authored-by: eelke <eelke@eelkeklein.nl> Co-authored-by: Eelke76 <31384324+Eelke76@users.noreply.github.com> Reviewed-on: https://code.eelkeklein.nl/eelke/IdentityShroud/pulls/6 2026-02-27 17:57:42 +00:00			`using System.Security.Cryptography;`
			`using IdentityShroud.Core.Contracts;`
			`using IdentityShroud.Core.Model;`
			`using Microsoft.EntityFrameworkCore;`

			`namespace IdentityShroud.Core.Services;`

			`public class ClientService(`
			`Db db,`
			`IDataEncryptionService cryptor,`
			`IClock clock) : IClientService`
			`{`
			`public async Task<Result<Client>> Create(Guid realmId, ClientCreateRequest request, CancellationToken ct = default)`
			`{`
			`Client client = new()`
			`{`
			`RealmId = realmId,`
			`ClientId = request.ClientId,`
			`Name = request.Name,`
			`Description = request.Description,`
			`SignatureAlgorithm = request.SignatureAlgorithm,`
			`AllowClientCredentialsFlow = request.AllowClientCredentialsFlow ?? false,`
			`CreatedAt = clock.UtcNow(),`
			`};`

			`if (client.AllowClientCredentialsFlow)`
			`{`
			`client.Secrets.Add(CreateSecret());`
			`}`

			`await db.AddAsync(client, ct);`
			`await db.SaveChangesAsync(ct);`

			`return client;`
			`}`

			`public async Task<Client?> GetByClientId(`
			`Guid realmId,`
			`string clientId,`
			`CancellationToken ct = default)`
			`{`
			`return await db.Clients.FirstOrDefaultAsync(c => c.ClientId == clientId && c.RealmId == realmId, ct);`
			`}`

			`public async Task<Client?> FindById(`
			`Guid realmId,`
			`int id,`
			`CancellationToken ct = default)`
			`{`
			`return await db.Clients.FirstOrDefaultAsync(c => c.Id == id && c.RealmId == realmId, ct);`
			`}`

			`private ClientSecret CreateSecret()`
			`{`
			`Span<byte> secret = stackalloc byte[24];`
			`RandomNumberGenerator.Fill(secret);`

			`return new ClientSecret()`
			`{`
			`CreatedAt = clock.UtcNow(),`
			`Secret = cryptor.Encrypt(secret.ToArray()),`
			`};`

			`}`
			`}`