PCL-Community · copytiao · Feb 15, 2026 · Feb 15, 2026 · Feb 16, 2026 · Feb 16, 2026
diff --git a/PCL.Core/Minecraft/IdentityModel/Extensions/JsonWebToken/JsonWebKeys.cs b/PCL.Core/Minecraft/IdentityModel/Extensions/JsonWebToken/JsonWebKeys.cs
@@ -0,0 +1,9 @@
+using Microsoft.IdentityModel.Tokens;
+using System.Text.Json.Serialization;
+
+namespace PCL.Core.Minecraft.IdentityModel.Extensions.JsonWebToken;
+
+public record JsonWebKeys
+{
+    [JsonPropertyName("keys")] public required JsonWebKey[] Keys;
+}
diff --git a/PCL.Core/Minecraft/IdentityModel/Extensions/OpenId/OpenIdClient.cs b/PCL.Core/Minecraft/IdentityModel/Extensions/OpenId/OpenIdClient.cs
@@ -0,0 +1,57 @@
+using System;
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using System.Windows.Documents;
+using PCL.Core.Minecraft.IdentityModel.Extensions.Pkce;
+using PCL.Core.Minecraft.IdentityModel.OAuth;
+using PCL.Core.Utils.Exts;
+
+namespace PCL.Core.Minecraft.IdentityModel.Extensions.OpenId;
+
+public class OpenIdClient(OpenIdOptions options):IOAuthClient
+{
+    private IOAuthClient? _client;
+
+    public async Task InitialAsync(CancellationToken token,bool checkAddress = false)
+    {
+        var opt = await options.BuildOAuthOptionsAsync(token);
+        if (!checkAddress || opt.Meta.AuthorizeEndpoint.IsNullOrEmpty() || opt.Meta.DeviceEndpoint.IsNullOrEmpty())
+        {
+            _client = options.EnablePkceSupport ? new PkceClient(opt) : new SimpleOAuthClient(opt);
+            return;
+        }
+
+        throw new InvalidOperationException();
+    }
+
+    public string GetAuthorizeUrl(string[] scopes, string redirectUri, string state,Dictionary<string,string>? extData = null)
+    {
+        if (_client is null) throw new InvalidOperationException();
+        return _client.GetAuthorizeUrl(scopes, redirectUri, state, extData);
+    }
+
+    public async Task<AuthorizeResult?> AuthorizeWithCodeAsync(string code, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        if (_client is null) throw new InvalidOperationException();
+        return await _client.AuthorizeWithCodeAsync(code, token, extData);
+    }
+
+    public async Task<DeviceCodeData?> GetCodePairAsync(string[] scopes, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        if (_client is null) throw new InvalidOperationException();
+        return await _client.GetCodePairAsync(scopes, token, extData);
+    }
+
+    public async Task<AuthorizeResult?> AuthorizeWithDeviceAsync(DeviceCodeData data, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        if (_client is null) throw new InvalidOperationException();
+        return await _client.AuthorizeWithDeviceAsync(data, token, extData);
+    }
+
+    public async Task<AuthorizeResult?> AuthorizeWithSilentAsync(AuthorizeResult data, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        if (_client is null) throw new InvalidOperationException();
+        return await _client.AuthorizeWithSilentAsync(data, token, extData);
+    }
+}
diff --git a/PCL.Core/Minecraft/IdentityModel/Extensions/OpenId/OpenIdMetaData.cs b/PCL.Core/Minecraft/IdentityModel/Extensions/OpenId/OpenIdMetaData.cs
@@ -0,0 +1,41 @@
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace PCL.Core.Minecraft.IdentityModel.Extensions.OpenId;
+
+
+
+public record OpenIdMetadata
+{
+    [JsonPropertyName("issuer")]
+    public required string Issuer { get; init; }
+
+    [JsonPropertyName("authorization_endpoint")]
+    public string? AuthorizationEndpoint { get; init; }
+
+    [JsonPropertyName("device_authorization_endpoint")]
+    public string? DeviceAuthorizationEndpoint { get; init; }
+
+    [JsonPropertyName("token_endpoint")]
+    public required string TokenEndpoint { get; init; }
+
+    [JsonPropertyName("userinfo_endpoint")]
+    public required string UserInfoEndpoint { get; init; }
+
+    [JsonPropertyName("registration_endpoint")]
+    public string? RegistrationEndpoint { get; init; }
+
+    [JsonPropertyName("jwks_uri")]
+    public required string JwksUri { get; init; }
+
+    [JsonPropertyName("scopes_supported")]
+    public required IReadOnlyList<string> ScopesSupported { get; init; }
+
+    [JsonPropertyName("subject_types_supported")]
+    public required IReadOnlyList<string> SubjectTypesSupported { get; init; }
+
+    [JsonPropertyName("id_token_signing_alg_values_supported")]
+    public required IReadOnlyList<string> IdTokenSigningAlgValuesSupported { get; init; }
+
+
+}
diff --git a/PCL.Core/Minecraft/IdentityModel/Extensions/OpenId/OpenIdOptions.cs b/PCL.Core/Minecraft/IdentityModel/Extensions/OpenId/OpenIdOptions.cs
@@ -0,0 +1,82 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Net.Http;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.IdentityModel.Tokens;
+using PCL.Core.Minecraft.IdentityModel.Extensions.JsonWebToken;
+using PCL.Core.Minecraft.IdentityModel.OAuth;
+
+namespace PCL.Core.Minecraft.IdentityModel.Extensions.OpenId;
+
+public record OpenIdOptions(Func<HttpClient> GetHttpClient, string ConfigurationAddress)
+{
+    public string OpenIdDiscoveryAddress => ConfigurationAddress;
+    public required string ClientId
+    {
+        get;
+        set;
+    }
+
+    public bool OnlyDeviceAuthorize { get; set; }
+
+    public string? RedirectUri;
+
+    public Dictionary<string, string>? Headers { get; set; }
+
+    public bool EnablePkceSupport { get; set; } = true;
+    public Func<HttpClient> GetClient => GetHttpClient;
+    public OpenIdMetadata? Meta { get; set; }
+
+
+
+    public virtual async Task InitiateAsync(CancellationToken token)
+    {
+        using var request = new HttpRequestMessage(HttpMethod.Get, OpenIdDiscoveryAddress);
+        if (Headers is not null)
+            foreach (var kvp in Headers)
+            {
+                _ = request.Headers.TryAddWithoutValidation(kvp.Key, kvp.Value);
+            }
+
+        var requestTask = GetClient.Invoke().SendAsync(request, token);
+        using var response = await requestTask;
+        var task =  response.Content.ReadAsStringAsync(token);
+        Meta = JsonSerializer.Deserialize<OpenIdMetadata>(await task);
+    }
+
+    public async Task<JsonWebKey> GetSignatureKeyAsync(string kid,CancellationToken token)
+    {
+        if (Meta?.JwksUri is null) throw new InvalidOperationException();
+        using var request = new HttpRequestMessage(HttpMethod.Get, Meta.JwksUri);
+        if (Headers is not null)
+            foreach (var kvp in Headers)
+            {
+                _ = request.Headers.TryAddWithoutValidation(kvp.Key, kvp.Value);
+            }
+        using var response = await GetClient.Invoke().SendAsync(request, token);
+        var result = JsonSerializer.Deserialize<JsonWebKeys>(await response.Content.ReadAsStringAsync(token));
+        return result?.Keys.Single(k => k.Kid == kid) 
+               ?? throw new FormatException();
+    }
+
+    public virtual async Task<OAuthClientOptions> BuildOAuthOptionsAsync(CancellationToken token)
+    {
+        await InitiateAsync(token);
+        if(!OnlyDeviceAuthorize) ArgumentException.ThrowIfNullOrEmpty(RedirectUri);
+        return new OAuthClientOptions
+        {
+            GetClient = GetClient,
+            ClientId = ClientId,
+            RedirectUri = OnlyDeviceAuthorize ? string.Empty:RedirectUri!,
+            Meta = new EndpointMeta
+            {
+                AuthorizeEndpoint = Meta?.AuthorizationEndpoint??string.Empty,
+                DeviceEndpoint = Meta?.DeviceAuthorizationEndpoint??string.Empty,
+                TokenEndpoint = Meta!.TokenEndpoint,
+            }
+        };
+    }
+}
diff --git a/PCL.Core/Minecraft/IdentityModel/Extensions/Pkce/PkceChallengeOptions.cs b/PCL.Core/Minecraft/IdentityModel/Extensions/Pkce/PkceChallengeOptions.cs
@@ -0,0 +1,7 @@
+namespace PCL.Core.Minecraft.IdentityModel.Extensions.Pkce;
+
+public enum PkceChallengeOptions
+{
+    Sha256,
+    PlainText
+}
diff --git a/PCL.Core/Minecraft/IdentityModel/Extensions/Pkce/PkceClient.cs b/PCL.Core/Minecraft/IdentityModel/Extensions/Pkce/PkceClient.cs
@@ -0,0 +1,58 @@
+using System;
+using PCL.Core.Utils.Exts;
+using System.Collections.Generic;
+using System.Security.Cryptography;
+using System.Threading;
+using System.Threading.Tasks;
+using PCL.Core.Minecraft.IdentityModel.OAuth;
+using PCL.Core.Utils.Hash;
+
+namespace PCL.Core.Minecraft.IdentityModel.Extensions.Pkce;
+
+/// <summary>
+/// 带 PKCE 支持的客户端 <br/>
+/// 此客户端并非线程安全，请勿在多个线程间共享示例
+/// </summary>
+/// <param name="options"></param>
+public class PkceClient(OAuthClientOptions options):IOAuthClient
+{
+    private byte[] _ChallengeCode { get; set; } = new byte[32];
+    private bool _isCallGetAuthorizeUrl;
+    public PkceChallengeOptions ChallengeMethod { get; private set; } = PkceChallengeOptions.Sha256;
+    private readonly SimpleOAuthClient _client = new(options);
+    public string GetAuthorizeUrl(string[] scopes, string redirectUri, string state, Dictionary<string, string>? extData)
+    {
+        RandomNumberGenerator.Fill(_ChallengeCode);
+        var hash = SHA256Provider.Instance.ComputeHash(_ChallengeCode);
+        extData ??= [];
+        extData["code_challenge"] = hash;
+        extData["code_challenge_method"] = "S256";
+        _isCallGetAuthorizeUrl = true;
+        return _client.GetAuthorizeUrl(scopes, redirectUri, state, extData);
+    }
+
+    public async Task<AuthorizeResult?> AuthorizeWithCodeAsync(string code, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        if (!_isCallGetAuthorizeUrl) throw new InvalidOperationException("Challenge code is invalid");
+        var pkce = _ChallengeCode.FromBytesToB64UrlSafe();
+        extData ??= [];
+        extData["code_verifier"] = pkce;
+        _isCallGetAuthorizeUrl = false;
+        return await _client.AuthorizeWithCodeAsync(code, token, extData);
+    }
+
+    public async Task<DeviceCodeData?> GetCodePairAsync(string[] scopes, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        return await _client.GetCodePairAsync(scopes, token, extData);
+    }
+
+    public async Task<AuthorizeResult?> AuthorizeWithDeviceAsync(DeviceCodeData data, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        return await _client.AuthorizeWithDeviceAsync(data, token, extData);
+    }
+
+    public async Task<AuthorizeResult?> AuthorizeWithSilentAsync(AuthorizeResult data, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        return await _client.AuthorizeWithSilentAsync(data, token, extData);
+    }
+}
diff --git a/PCL.Core/Minecraft/IdentityModel/Extensions/YggdrasilConnect/YggdrasilClient.cs b/PCL.Core/Minecraft/IdentityModel/Extensions/YggdrasilConnect/YggdrasilClient.cs
@@ -0,0 +1,77 @@
+using System;
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using PCL.Core.Minecraft.IdentityModel.Extensions.OpenId;
+using PCL.Core.Minecraft.IdentityModel.OAuth;
+
+namespace PCL.Core.Minecraft.IdentityModel.Extensions.YggdrasilConnect;
+
+// Steven Qiu 说这东西完全就是 OpenId + 魔改了一部分，所以可以直接复用 OpenId 的逻辑
+
+/// <summary>
+/// 
+/// </summary>
+public class YggdrasilClient:IOAuthClient
+{
+
+    private OpenIdClient? _client;
+
+    private YggdrasilOptions _options;
+
+    public YggdrasilClient(YggdrasilOptions options)
+    {
+        _options = options;
+    }
+    /// <summary>
+    /// 
+    /// </summary>
+    /// <exception cref="ArgumentException">当无法获取 ClientId 时抛出，调用方应该设置 ClientId 并重新实例化 OpenId Client</exception>
+    /// <param name="token"></param>
+    public async Task InitialAsync(CancellationToken token)
+    {
+        _client = new OpenIdClient(_options);
+        await _client.InitialAsync(token);
+    }
+    /// <summary>
+    /// 获取授权端点地址
+    /// </summary>
+    /// <param name="scopes"></param>
+    /// <param name="redirectUri"></param>
+    /// <param name="state"></param>
+    /// <param name="extData"></param>
+    /// <returns></returns>
+    /// <exception cref="InvalidOperationException">未调用 <see cref="InitialAsync"/></exception>
+    public string GetAuthorizeUrl(string[] scopes, string redirectUri, string state, Dictionary<string, string>? extData)
+    {
+        if (_client is null) throw new InvalidOperationException();
+        return _client.GetAuthorizeUrl(scopes, redirectUri, state, extData);
+    }
+
+    public async Task<AuthorizeResult?> AuthorizeWithCodeAsync(string code, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        if (_client is null) throw new InvalidOperationException();
+        return await _client.AuthorizeWithCodeAsync(code, token, extData);
+
+    }
+
+    public async Task<DeviceCodeData?> GetCodePairAsync(string[] scopes, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        if (_client is null) throw new InvalidOperationException();
+        return await _client.GetCodePairAsync(scopes, token, extData);
+
+    }
+
+    public async Task<AuthorizeResult?> AuthorizeWithDeviceAsync(DeviceCodeData data, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        if (_client is null) throw new InvalidOperationException();
+        return await _client.AuthorizeWithDeviceAsync(data, token, extData);
+
+    }
+
+    public async Task<AuthorizeResult?> AuthorizeWithSilentAsync(AuthorizeResult data, CancellationToken token, Dictionary<string, string>? extData = null)
+    {
+        if (_client is null) throw new InvalidOperationException();
+        return await _client.AuthorizeWithSilentAsync(data, token, extData);
+    }
+}
diff --git a/PCL.Core/Minecraft/IdentityModel/Extensions/YggdrasilConnect/YggdrasilConnectMetaData.cs b/PCL.Core/Minecraft/IdentityModel/Extensions/YggdrasilConnect/YggdrasilConnectMetaData.cs
@@ -0,0 +1,10 @@
+using System.Text.Json.Serialization;
+using PCL.Core.Minecraft.IdentityModel.Extensions.OpenId;
+
+namespace PCL.Core.Minecraft.IdentityModel.Extensions.YggdrasilConnect;
+
+public record YggdrasilConnectMetaData: OpenIdMetadata
+{
+    [JsonPropertyName("shared_client_id")]
+    public string? SharedClientId { get; init; }
+}