IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

"cnf" claim not present in reference token introspection. #5426

Closed dreampunchboy closed 1 year ago

dreampunchboy commented 2 years ago

Issue / Steps to reproduce the problem

Set up a basic mTLS client with AccessTokenType.Reference. Grab a new token and run an introspection on that token:

```json
{
  "iss": "https://localhost:5000",
  "nbf": 1643810842,
  "exp": 1643814442,
  "aud": [ "resource1", "resource2" ],
  "client_id": "mtlsref",
  "jti": "E70CF07882B9798FB9061388B6572664",
  "iat": 1643810842,
  "active": true,
  "scope": "resource1.scope1"
}
```

Claim "cnf" is missing. Now do the same as above but for a client with AccessTokenType.Jwt and "cnf" is there.

The suggested fix: https://github.com/IdentityServer/IdentityServer4/blob/3ff3b46698f48f164ab1b54d124125d63439f9d0/src/IdentityServer4/src/Extensions/TokenExtensions.cs#L53-L56

The above or something similar needs to be added to the ValidateReferenceAccessTokenAsync() method within TokenValidator.cs as the TokenValidationResult gets passed back to create the response for Introspection.
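Why the missing claim matters on the consuming side, as an added example that is not part of the issue or of IdentityServer4's code: under RFC 8705 the `cnf` claim carries `x5t#S256`, the base64url-encoded SHA-256 of the DER client certificate, and the resource server compares it with the certificate presented on its own mTLS connection. If introspection returns `active: true` without `cnf`, the resource cannot confirm the binding, so a resource that requires certificate-bound tokens has to fail closed rather than accept the token as a plain bearer token. The certificate bytes and the introspection payloads below are constructed for the example; the helper names are this example's own.

```python
"""Check an OAuth 2.0 token introspection response for the mTLS certificate
binding defined in RFC 8705 (cnf / x5t#S256).

Added example for this issue; not code from IdentityServer4. The DER bytes
and introspection payloads are constructed, not captured from a server.
"""
import base64
import hashlib
import hmac

# Constructed stand-in for the DER encoding of the client certificate seen on
# the mTLS connection to the resource server. Real code takes the DER bytes
# from the TLS layer (e.g. cert.public_bytes(Encoding.DER) in `cryptography`).
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
OTHER_CERT_DER = b"\x30\x82\x01\x00" + bytes(reversed(range(256)))


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 section 3.1 thumbprint: base64url, unpadded, of SHA-256(DER)."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def is_bound_to_cert(introspection: dict, cert_der: bytes) -> bool:
    """Return True only if the token is active and its cnf claim names cert_der.

    An active response with no cnf claim (what this issue reports for
    reference tokens) returns False: the binding cannot be confirmed, so a
    resource that requires certificate-bound tokens must reject the request.
    """
    if not introspection.get("active"):
        return False
    cnf = introspection.get("cnf")
    if not isinstance(cnf, dict):
        return False  # no confirmation method at all: fail closed
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return False  # some other confirmation method we do not support here
    # Constant-time comparison so the check does not leak the thumbprint.
    return hmac.compare_digest(expected, x5t_s256(cert_der))


# Constructed copy of the reference-token introspection result from the issue
# (no cnf claim).
REFERENCE_TOKEN_RESPONSE = {
    "iss": "https://localhost:5000",
    "nbf": 1643810842,
    "exp": 1643814442,
    "aud": ["resource1", "resource2"],
    "client_id": "mtlsref",
    "jti": "E70CF07882B9798FB9061388B6572664",
    "iat": 1643810842,
    "active": True,
    "scope": "resource1.scope1",
}

# Constructed response of the shape a JWT access token yields, with cnf present.
BOUND_TOKEN_RESPONSE = dict(
    REFERENCE_TOKEN_RESPONSE, cnf={"x5t#S256": x5t_s256(CLIENT_CERT_DER)}
)

INACTIVE_RESPONSE = {"active": False}


if __name__ == "__main__":
    print("reference token, no cnf  ->", is_bound_to_cert(REFERENCE_TOKEN_RESPONSE, CLIENT_CERT_DER))
    print("bound token, same cert   ->", is_bound_to_cert(BOUND_TOKEN_RESPONSE, CLIENT_CERT_DER))
    print("bound token, other cert  ->", is_bound_to_cert(BOUND_TOKEN_RESPONSE, OTHER_CERT_DER))
    print("inactive token           ->", is_bound_to_cert(INACTIVE_RESPONSE, CLIENT_CERT_DER))
```

The three `False` results are the point: a reference-token introspection result that omits `cnf` is indistinguishable, to the resource server, from a token that was never certificate-bound, so a correctly written resource cannot accept it once mTLS binding is required.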

leastprivilege commented 2 years ago

Important update

This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.

The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annual revenue. Please get in touch with us if you have any question.