DuendeSoftware / Support

Support for Duende Software products

Introspection returning Active: true for expired token #1243

Closed FinHorsley closed 2 months ago

FinHorsley commented 3 months ago

Which version of Duende IdentityServer are you using? 7.0.0

Which version of .NET are you using? 8.0.204

Describe the bug: An accessToken that has expired still returns { Active: true } from the introspection endpoint.

Could this be to do with clockSkew? I've hit this problem client-side, but didn't know if the introspection endpoint follows the same pattern for token validation (aspnetcore by default is 5 mins).

To Reproduce

  1. Create a client_credentials client with accessToken expiry of 5 minutes (300s)
  2. Request an accessToken using client_credentials client
  3. Wait for 5mins (added additional 30s to be sure)
  4. Using the introspection endpoint with basic auth using client_credentials details from 1., get the introspection details about the token
  5. Although the accessToken is expired, the model still contains { Active: true }

Expected behavior: The introspection endpoint returns Active: false, as documented at https://docs.duendesoftware.com/identityserver/v7/reference/endpoints/introspection/

Log output/exception with stacktrace:

2024-05-02 14:40:08.959198 Debug . - Calling into custom token validator: "Duende.IdentityServer.Validation.DefaultCustomTokenValidator"
2024-05-02 14:40:08.959297 Debug . - Token validation success
TokenValidationLog { ClientId: null, ClientName: null, ValidateLifetime: True, AccessTokenType: "Jwt", ExpectedScope: null, TokenHandle: null, JwtId: null, Claims: [("iss": "https://lab.lab"), ("nbf": 1714656898), ("iat": 1714656898), ("exp": 1714657203), ("aud": "api"), ("scope": "api"), ("client_id": "fa2d386c24f344d9bdf9f7e002134ec2") }
2024-05-02 14:40:08.959346 Debug . - Validated access token
2024-05-02 14:40:08.959372 Debug . - Introspection request validation successful.
2024-05-02 14:40:08.959400 Verbose . - Calling into introspection response generator: "Duende.IdentityServer.ResponseHandling.IntrospectionResponseGenerator"
2024-05-02 14:40:08.959427 Verbose . - Creating introspection response
2024-05-02 14:40:08.959453 Debug . - Creating introspection response for active token.
2024-05-02 14:40:08.959525 Information . - Success token introspection. Token active: True, for caller: "fa2d386c24f344d9bdf9f7e002134ec2"

Note that the time in the log line "2024-05-02 14:40:08.959297 Debug . - Token validation success" is after the "exp": 1714657203, which converted to DateTime is 02/05/2024 14:40:03.

Additional context: N/A

RolandGuijt commented 3 months ago

I'm curious why you are sending JWTs to the introspection endpoint, as its main purpose is to work with reference tokens. It works with JWTs for the rare cases where clients are for some reason not able to do token validation themselves.

As you mentioned, this has to do with ClockSkew, which by default is set to 300 seconds (5 minutes). It is not designed to be customizable at this point because it is part of the TokenValidator, which is critical for the operation of IdentityServer.

In the ValidateJwtAsync method an instance of TokenValidationParameters is created which has the ClockSkew set to 5 minutes. The only way to deviate from that really is to use your own TokenValidator that sets a different value for the ClockSkew in the TokenValidationParameters. But we don't recommend that. The default value should suffice for the vast majority of cases.
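As an added worked example (not code from this issue, from IdentityServer or from the Microsoft JWT validation library), the following Python reproduces the lifetime check that the reproduction steps and the log above exercise: the exp and nbf claims from the TokenValidationLog line are checked against the timestamp of the "Token validation success" log line, once with the 5-minute ClockSkew that the reply describes and once with no skew. It assumes the log clock is UTC+1, which is consistent with the reporter converting exp 1714657203 to 14:40:03 (that instant is 13:40:03 UTC); the claim values and the log line are copied from the issue, everything else is constructed.

```python
from datetime import datetime, timedelta, timezone

# Claims copied from the TokenValidationLog line in the issue (client_id omitted).
TOKEN_CLAIMS = {
    "iss": "https://lab.lab",
    "nbf": 1714656898,
    "iat": 1714656898,
    "exp": 1714657203,
    "aud": "api",
    "scope": "api",
}

# Default ClockSkew applied by TokenValidationParameters: 5 minutes.
DEFAULT_CLOCK_SKEW = timedelta(minutes=5)

# Assumption: the log clock runs at UTC+1 (exp 1714657203 is 13:40:03 UTC,
# shown as 14:40:03 in the issue).
LOG_TZ = timezone(timedelta(hours=1))

# Log line copied from the issue; its timestamp is the moment of validation.
LOG_LINE = "2024-05-02 14:40:08.959297 Debug . - Token validation success"


def parse_log_time(line):
    """Return the leading 'YYYY-MM-DD HH:MM:SS.ffffff' stamp as an aware datetime."""
    stamp = " ".join(line.split()[:2])
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=LOG_TZ)


def claim_time(claims, name):
    """Convert a NumericDate claim (seconds since epoch, UTC) to a datetime, or None."""
    value = claims.get(name)
    return None if value is None else datetime.fromtimestamp(value, tz=timezone.utc)


def lifetime_active(claims, now, clock_skew=DEFAULT_CLOCK_SKEW):
    """Lifetime check as a JWT validator with ValidateLifetime=True performs it.

    The token is accepted while  nbf - skew <= now <= exp + skew.
    Returns (active, reason).
    """
    nbf = claim_time(claims, "nbf")
    exp = claim_time(claims, "exp")
    if nbf is not None and now < nbf - clock_skew:
        return False, "not yet valid"
    if exp is not None and now > exp + clock_skew:
        return False, "expired"
    return True, "active"


def active_until(claims, clock_skew=DEFAULT_CLOCK_SKEW):
    """Last instant at which the validator still reports the token as active."""
    return claim_time(claims, "exp") + clock_skew


def seconds_past_exp(claims, now):
    """How far past the exp claim the given instant is (negative if before it)."""
    return (now - claim_time(claims, "exp")).total_seconds()


if __name__ == "__main__":
    now = parse_log_time(LOG_LINE)
    print(f"validation ran {seconds_past_exp(TOKEN_CLAIMS, now):.1f}s after exp")
    print("with 5 min skew:", lifetime_active(TOKEN_CLAIMS, now))
    print("with zero skew: ", lifetime_active(TOKEN_CLAIMS, now, timedelta(0)))
    print("reported active until", active_until(TOKEN_CLAIMS).astimezone(LOG_TZ))
```

Run as a script it shows that the token was introspected about 6 seconds after exp, that the default tolerance still classifies it as active, and that the same token would only be reported inactive after 14:45:03 local time (exp plus the 300-second skew). Lowering the skew to zero makes the check return expired, which is the behaviour the reporter expected; the trade-off is that any clock drift between the token issuer and the validator then causes tokens to be rejected slightly before, or accepted slightly after, their nominal lifetime.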

RolandGuijt commented 2 months ago

@FinHorsley Are you in the clear about this? If so I'd like to close this issue.

RolandGuijt commented 2 months ago

Closing for now, but feel free to reopen if needed.