Closed dreampunchboy closed 1 year ago
This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.
The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annnual revenue. Please get in touch with us if you have any question.
Issue / Steps to reproduce the problem
Setup a basic mTSL client with AccessTokenType.Reference. Grab a new token and run an introspection on that token:
{ "iss": "https://localhost:5000", "nbf": 1643810842, "exp": 1643814442, "aud": [ "resource1", "resource2" ], "client_id": "mtlsref", "jti": "E70CF07882B9798FB9061388B6572664", "iat": 1643810842, "active": true, "scope": "resource1.scope1" }
Claim "cnf" is missing. Now do the same as above but for a client with AccessTokenType.Jwt and "cnf" is there.
The suggested fix: https://github.com/IdentityServer/IdentityServer4/blob/3ff3b46698f48f164ab1b54d124125d63439f9d0/src/IdentityServer4/src/Extensions/TokenExtensions.cs#L53-L56
The above or something similar needs to be added to the
ValidateReferenceAccessTokenAsync()
method within TokenValidator.cs as the TokenValidationResult gets passed back to create the response for Introspection.