DuendeSoftware / IdentityServer

The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
https://duendesoftware.com/products/identityserver

Consider not issuing TokenIssuedFailureEvent for use_dpop_nonce error #1598

Open runegri opened 1 week ago

runegri commented 1 week ago

Which version of Duende IdentityServer are you using? HelseID is using v7.0.6

Which version of .NET are you using? .NET 8, latest patch release

Describe the bug: The HelseID security profile requires that DPoP proofs include a server-generated DPoP nonce. In practice this means that all token requests using DPoP will first end up failing with an error message containing the nonce value to be used in the next request. This works fine, but since IdentityServer returns an error message, we end up polluting our logs with an endless list of TokenIssuedFailureEvents. It would be nice to have a way to change this behavior, since this is an expected response.

To reproduce: Perform a token request where a server-side generated nonce is required. Verify that a TokenIssuedFailureEvent is emitted.

Expected behavior: It would be nice if the event was omitted for this error, or if the behavior was configurable.

josephdecock commented 1 week ago

Thanks for raising this issue. I agree that we should not be raising the failure event when a server nonce is required. We'll aim to fix this in the 7.1 release. That doesn't have a firm release date yet, but it is planned for late 2024/early 2025.

My inclination is to entirely stop raising the event in the case of a server nonce being returned. (I don't think we want a config flag to get back to the current behavior.)

Would an event for nonce generation or an otel metric counting how often that is happening be useful?
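The exchange described in the report and the event policy proposed above, as an added stand-alone Python model; this is example code written for this thread, not IdentityServer code. It models the server-nonce round trip from RFC 9449 section 8 (first request rejected with `use_dpop_nonce` and a `DPoP-Nonce` header, client retries with the `nonce` claim), a stateless HMAC-over-time-bucket nonce scheme (an assumption, not necessarily what IdentityServer does), and a telemetry object that counts nonce challenges instead of recording them as failure events while a genuine proof defect still does. The token URL, key, clock value and the `invalid_dpop_proof` check are constructed for the example; proof signature, `iat` and `jti` validation are assumed to happen elsewhere.

```python
"""Model of the DPoP server-nonce challenge and of a token-endpoint event
policy that does not report use_dpop_nonce as a token-issuance failure.
Constructed example for this discussion; not IdentityServer code."""

import base64
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

NONCE_WINDOW_SECONDS = 300  # assumption: server nonce rotates every 5 minutes
TOKEN_URL = "https://helseid.example/connect/token"  # assumed endpoint URL


class NonceService:
    """Stateless server nonce: an HMAC over the current time bucket, so any
    server instance can verify it without shared storage. The current and the
    previous bucket are accepted so a client is not challenged twice at a
    rotation boundary."""

    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now

    def _nonce_for(self, bucket: int) -> str:
        mac = hmac.new(self._key, str(bucket).encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()

    def current(self) -> str:
        return self._nonce_for(int(self._now()) // NONCE_WINDOW_SECONDS)

    def is_valid(self, nonce) -> bool:
        if not isinstance(nonce, str) or not nonce.isascii():
            return False  # compare_digest needs ASCII str; reject anything else
        bucket = int(self._now()) // NONCE_WINDOW_SECONDS
        return any(hmac.compare_digest(nonce, self._nonce_for(b))
                   for b in (bucket, bucket - 1))


@dataclass
class Telemetry:
    """Failure events only for real failures, plus a counter for how often a
    nonce challenge was issued (the metric suggested in the thread)."""
    failure_events: list = field(default_factory=list)
    nonce_challenges: int = 0


def token_endpoint(proof: dict, nonces: NonceService, telemetry: Telemetry) -> dict:
    """Simulated token endpoint; `proof` holds the DPoP proof's claims."""
    if not nonces.is_valid(proof.get("nonce")):
        # Expected first-round response when a server nonce is required:
        # count it, but do not raise a TokenIssuedFailureEvent.
        telemetry.nonce_challenges += 1
        return {"status": 400, "headers": {"DPoP-Nonce": nonces.current()},
                "body": {"error": "use_dpop_nonce"}}
    if proof.get("htm") != "POST" or proof.get("htu") != TOKEN_URL:
        # A genuine proof defect still produces a failure event.
        telemetry.failure_events.append("invalid_dpop_proof")
        return {"status": 400, "headers": {}, "body": {"error": "invalid_dpop_proof"}}
    return {"status": 200, "headers": {"DPoP-Nonce": nonces.current()},
            "body": {"access_token": "opaque-token", "token_type": "DPoP"}}


class DPoPClient:
    """Client side: retry once with the nonce from the DPoP-Nonce header, and
    remember any nonce the server sends so later requests succeed first time."""

    def __init__(self, htm="POST", htu=TOKEN_URL):
        self.nonce = None
        self.htm, self.htu = htm, htu
        self.responses = []  # every response seen, for inspection

    def _proof(self) -> dict:
        claims = {"htm": self.htm, "htu": self.htu,
                  "iat": int(time.time()), "jti": os.urandom(8).hex()}
        if self.nonce is not None:
            claims["nonce"] = self.nonce
        return claims

    def request_token(self, endpoint, max_retries=1) -> dict:
        resp = None
        for attempt in range(max_retries + 1):
            resp = endpoint(self._proof())
            self.responses.append(resp)
            if "DPoP-Nonce" in resp["headers"]:
                self.nonce = resp["headers"]["DPoP-Nonce"]
            if not (resp["body"].get("error") == "use_dpop_nonce" and attempt < max_retries):
                break
        return resp


def simulate(clock=1_700_000_000) -> dict:
    """Run a well-formed client (two requests) and a client whose proof is bound
    to the wrong method against one endpoint; report what telemetry recorded."""
    nonces = NonceService(key=b"constructed-demo-key", now=lambda: clock)
    telemetry = Telemetry()
    endpoint = lambda proof: token_endpoint(proof, nonces, telemetry)

    good = DPoPClient()
    good_final = good.request_token(endpoint)   # challenge, then success
    good.request_token(endpoint)                # nonce cached: succeeds first time
    bad = DPoPClient(htm="GET")
    bad_final = bad.request_token(endpoint)     # challenge, then a real failure

    return {"good_statuses": [r["status"] for r in good.responses],
            "good_final_error": good_final["body"].get("error"),
            "bad_final_error": bad_final["body"].get("error"),
            "nonce_challenges": telemetry.nonce_challenges,
            "failure_events": telemetry.failure_events}


if __name__ == "__main__":
    print(simulate())
```

With two clients the endpoint issues two nonce challenges and records exactly one failure event, the `invalid_dpop_proof` from the mis-bound proof; the challenges show up only in the counter, which is the split between "expected response" and "failure" that the thread is asking for.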

runegri commented 1 week ago

At least for our use, an event would be unnecessary. We require the server-side nonce for all DPoP proofs. Telemetry, on the other hand, sounds like a reasonable and low-cost measure.

This is not a big problem for us now, but as DPoP usage grows this will be a major annoyance for us in the future.