DuendeSoftware / Support

Support for Duende Software products

RevocationEndpoint not processed properly after update to OpenIdConnectConfigurationSerializer #1373

Closed simona-aveva closed 1 month ago

simona-aveva commented 2 months ago

Which version of Duende.AccessTokenManagement are you using?
2.1.0.0

Which version of .NET are you using?
net8.0

Describe the bug
Revocation Endpoint no longer populated correctly after update to azure-activedirectory-identitymodel-extensions-for-dotnet.

RevocationEndpoint is now a field in the OpenIdConnectConfiguration, no longer part of the AdditionalData, as per this commit -> https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/2abca63b078a0b6b8d0e1b7fab13976387aca168/src/Microsoft.IdentityModel.Protocols.OpenIdConnect/Json/OpenIdConnectConfigurationSerializer.cs

This means that the endpoint is not returned when copying to the OpenIdConnectClientConfiguration structure in GetOpenIdConnectConfigurationAsync in OpenIdConnectConfigurationService:

```csharp
return new OpenIdConnectClientConfiguration
{
    Scheme = configScheme,
    Authority = options.Authority,
    TokenEndpoint = configuration.TokenEndpoint,
    // Only looks in AdditionalData; the new serializer writes the value to configuration.RevocationEndpoint instead
    RevocationEndpoint = configuration.AdditionalData.TryGetValue(OidcConstants.Discovery.RevocationEndpoint, out var value) ? value?.ToString() : null,
    ClientId = options.ClientId,
    ClientSecret = options.ClientSecret,
    HttpClient = options.Backchannel,
};
```

This then causes an InvalidOperationException to be thrown in UserTokenEndpointService RevokeRefreshTokenAsync.

To Reproduce
Configure a revocation endpoint and try to revoke.

Expected behavior

RevocationEndpoint is populated correctly and the RevokeRefreshTokenAsync function does not throw an exception.

Log output/exception with stacktrace

InvalidOperationException: Revocation endpoint not configured
Duende.AccessTokenManagement.OpenIdConnect.UserTokenEndpointService.RevokeRefreshTokenAsync(UserToken userToken, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in UserTokenEndpointService.cs
Duende.AccessTokenManagement.OpenIdConnect.UserAccessAccessTokenManagementService.RevokeRefreshTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in UserAccessTokenManagementService.cs
Microsoft.AspNetCore.Authentication.TokenManagementHttpContextExtensions.RevokeRefreshTokenAsync(HttpContext httpContext, UserTokenRequestParameters parameters, CancellationToken cancellationToken) in TokenManagementHttpContextExtensions.cs
Duende.Bff.PostConfigureApplicationCookieRevokeRefreshToken+<>c__DisplayClass5_0+<<CreateCallback>g__Callback|0>d.MoveNext() in PostConfigureApplicationCookieRevokeRefreshToken.cs
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler.HandleSignOutAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationService.SignOutAsync(HttpContext context, string scheme, AuthenticationProperties properties)
Duende.Bff.DefaultLogoutService.ProcessRequestAsync(HttpContext context) in DefaultLogoutService.cs
Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
Duende.Bff.Endpoints.BffMiddleware.Invoke(HttpContext context) in BffMiddleware.cs
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
DevStudio.Host.Startup+<>c__DisplayClass9_0+<<Configure>b__1>d.MoveNext() in Startup.cs
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)


Additional context

I am very happy to produce a PR for this, just not sure about backwards functionality.

stashaway commented 1 month ago

Any movement on this? I'm experiencing the same bug.

RolandGuijt commented 1 month ago

Most likely this has to do with the fact that you're using Microsoft.IdentityModel.* packages that are newer than the ones we tested. Please make sure that the versions of these packages match with the versions IdentityServer uses. (7.1.2 assuming you're using IdentityServer 7.06) More information on how to check and fix this here.

RolandGuijt commented 1 month ago

@simona-aveva Did my comment solve the issue for you? If not please feel free to add a comment. If it did I would like to close the issue.

AntonZhuchkovXOR commented 1 month ago

@RolandGuijt

Most likely this has to do with the fact that you're using Microsoft.IdentityModel.* packages that are newer than the ones we tested. Please make sure that the versions of these packages match with the versions IdentityServer uses.

Had the same issue. Yes, seems like upgrading Microsoft.IdentityModel.* and System.IdentityModel.* packages to 8.0.* was a problem.

Downgrading them back to 7.6.0 did the trick.

simona-aveva commented 1 month ago

@RolandGuijt Rather than downgrade I just injected my own version of IOpenIdConnectConfigurationService with RevocationEndpoint = configuration.RevocationEndpoint, so please feel free to close the issue.
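The workaround described in the comment above, written out as an added example (this is not code from the issue, from Duende's library, or from the Microsoft.IdentityModel project). It targets the 8.x IdentityModel packages, where `OpenIdConnectConfiguration.RevocationEndpoint` exists, and keeps the old `AdditionalData` lookup as a fallback so the same code works if a discovery document is still deserialised the old way (the "backwards functionality" concern raised in the report). The `IOpenIdConnectConfigurationService` interface name and the `GetOpenIdConnectConfigurationAsync(string? schemeName)` signature are assumed from the issue text; the constructor dependencies (`IAuthenticationSchemeProvider`, `IOptionsMonitor<OpenIdConnectOptions>`) are this example's own choice for locating the handler's `ConfigurationManager`.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Duende.AccessTokenManagement.OpenIdConnect;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Resolves the revocation endpoint no matter which IdentityModel serializer produced
// the discovery document: the 8.x serializer fills the typed RevocationEndpoint
// property, while the older path leaves "revocation_endpoint" in AdditionalData.
// Checking both keeps one code path working across the package upgrade.
public static class RevocationEndpointResolver
{
    public static string? Resolve(OpenIdConnectConfiguration configuration)
    {
        if (!string.IsNullOrEmpty(configuration.RevocationEndpoint))
        {
            return configuration.RevocationEndpoint;
        }

        // Fallback for documents deserialised into AdditionalData only (pre-8.x behaviour).
        return configuration.AdditionalData.TryGetValue(OidcConstants.Discovery.RevocationEndpoint, out var value)
            ? value?.ToString()
            : null;
    }
}

// Replacement for the library's configuration service. Interface and method signature
// are assumed from the issue text; verify them against your installed package version.
public class CompatibleOpenIdConnectConfigurationService : IOpenIdConnectConfigurationService
{
    private readonly IAuthenticationSchemeProvider _schemeProvider;
    private readonly IOptionsMonitor<OpenIdConnectOptions> _oidcOptions;

    public CompatibleOpenIdConnectConfigurationService(
        IAuthenticationSchemeProvider schemeProvider,
        IOptionsMonitor<OpenIdConnectOptions> oidcOptions)
    {
        _schemeProvider = schemeProvider;
        _oidcOptions = oidcOptions;
    }

    public async Task<OpenIdConnectClientConfiguration> GetOpenIdConnectConfigurationAsync(string? schemeName = null)
    {
        // Use the explicit scheme if one was requested, otherwise the app's default challenge scheme.
        var configScheme = schemeName
            ?? (await _schemeProvider.GetDefaultChallengeSchemeAsync())?.Name
            ?? throw new InvalidOperationException("No OpenID Connect challenge scheme configured");

        var options = _oidcOptions.Get(configScheme);
        if (options.ConfigurationManager is null)
        {
            throw new InvalidOperationException($"No ConfigurationManager for scheme '{configScheme}'");
        }

        // The handler's own manager fetches and caches the discovery document.
        var configuration = await options.ConfigurationManager.GetConfigurationAsync(CancellationToken.None);

        return new OpenIdConnectClientConfiguration
        {
            Scheme = configScheme,
            Authority = options.Authority,
            TokenEndpoint = configuration.TokenEndpoint,
            // Typed property first, AdditionalData second: never null when the server advertises one.
            RevocationEndpoint = RevocationEndpointResolver.Resolve(configuration),
            ClientId = options.ClientId,
            ClientSecret = options.ClientSecret,
            HttpClient = options.Backchannel,
        };
    }
}
```

Register it after the library's own registration so it wins the DI resolution, e.g. `services.AddTransient<IOpenIdConnectConfigurationService, CompatibleOpenIdConnectConfigurationService>();` placed after `AddOpenIdConnectAccessTokenManagement()`. The security-relevant point is that a null `RevocationEndpoint` means logout silently stops revoking refresh tokens at the identity provider (the `InvalidOperationException` in the report is the visible symptom); a quick check after upgrading is to resolve `IOpenIdConnectConfigurationService` at startup and assert the returned `RevocationEndpoint` is non-null when your provider advertises `revocation_endpoint`.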

stashaway commented 2 weeks ago

When can we expect Duende to be compatible with version 8 of those packages?