Open eddex opened 1 month ago
What's weird is that this information is already present in RefreshTokenCreationRequest.Client.AllowedScopes and I'm not sure why IS6.3 doesn't just take this information from there.
Just because the client application is configured to be allowed to use the scopes doesn't mean that the current user session allows them. It could be that the client application didn't request all scopes in the call to the authorize endpoint. In that case we can only give access to the scopes that were requests. Or if the client application requested all scopes the user might have opted out of some of them on the consent screen.
This code has had some changes to it since version 4.1. While these services are normally not called directly from outside code, they are public and available. We will have to investigate if we need to update the documentation.
Which version of Duende IdentityServer are you using? 6.3.9
Which version of .NET are you using? 6
Describe the bug After migrating my project from v4.1 to v6.3, I was facing two problems. Both problems resulted in an
ArgumentNullException
during token creation. I wasn't able to find any documentation about these breaking changes and it took me quite a while to figure out how to fix them. That's why I'm leaving this issue here.I am using the default
ITokenService
andIRefreshTokenService
(no custom implementations).To Reproduce
Problem 1: When I tried to create a new access-token, there was an
ArgumentNullException: "Value cannot be null. (Parameter 'value')"
when callingITokenService.CreateAccessTokenAsync(tokenCreationRequest)
. The exception happened when parsing claims. The 'iss' claim was in the list of claims but the value wasnull
.The solution was to set the property
TokenCreationRequest.ValidatedRequest.IssuerName
. This used to work without setting this property manually in v4.1.Problem 2: After fixing problem 1, I was able to successfully create an access-token and a refresh-token and use them to access my APIs. However, once the access-token expired and I tried to create a new access-token using the refresh-token, there was again an
ArgumentNullException: "Value cannot be null. (Parameter 'scopeValues')"
. This time it happened when callingIRefreshTokenService.CreateRefreshTokenAsync(refreshTokenCreationRequest)
.The solution was to set the
RefreshTokenCreationRequest.AuthorizedScopes
manually. This used to work without setting this property manually in v4.1. What's weird is that this information is already present inRefreshTokenCreationRequest.Client.AllowedScopes
and I'm not sure why IS6.3 doesn't just take this information from there. Is there a reason for that? Am I using this method wrongly?Expected behavior
In my opinion, this should be mentioned in one of the migration guides. I had a look at all the guides from 4.1->6.0, 6.0->6.1, 6.1->6.2 and 6.2->6.3 but didn't find any mention of these changes. Did I miss something?