ApiName and ApiSecret set to null

IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core

Apache License 2.0

544 stars 214 forks source link

ApiName and ApiSecret set to null #110

Closed dsmailys closed 5 years ago

dsmailys commented 5 years ago

Hello,

I have a configuration of my web api as follows:

Within .AddAuthentication:

opt.DefaultChallengeScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
opt.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;

IdentityServerAuthentication configuration:

.AddIdentityServerAuthentication (opt =>
{
   opt.Authority = "{validAuthorityHere}";                           
   opt.ApiName = null;
   opt.ApiSecret = null;
});

If I send a valid JWT token (issued from the {validAuthorityHere}) I get a 200 response. Signatures did match, but no audience validation was performed here? If I send an invalid JWT token I receive the signatureValidationFailure. If I send malformed token, I receive a message: ""You must either set Authority or IntrospectionEndpoint"".

Is this intended behavior? Should you specify at least one audience for validation?

brockallen commented 5 years ago

Should you specify at least one audience for validation?

Yes, that's the job of ApiName

dsmailys commented 5 years ago

Should you specify at least one audience for validation?

Yes, that's the job of ApiName

Shouldn't then the app fail on startup or during the first request when options get validated? Because without ApiName property you basically disable audience validation. I am asking because I've stumbled upon a case when Authority was successfully set from configuration, but ApiName and ApiSecret were null unintentionally and I was very surprised when Jwt tokens worked while reference tokens got the exception.

brockallen commented 5 years ago

Possibly. We can think about it, but I do know some scenarios where people have wanted to not have an audience check and do it differently.

dsmailys commented 5 years ago

Got it. If this is intended, then no source code changes are needed. Maybe you would consider adding this behavior to the documentation then?

brockallen commented 5 years ago

@LindaLawton here's a possible doc update you might be willing to help out on?

LindaLawton commented 5 years ago

I could if I could think of a use case for this its not something I have run across before

dsmailys commented 5 years ago

@leastprivilege so no changes to the documentation even when this kind of behavior is intended?

leastprivilege commented 5 years ago

Feel free to propose a doc change.