Implement reference tokens support as an opt-in feature
Objective:
Offering built-in support for reference tokens in OpenIddict, so that things like immediate access token revocation can be easily achieved in OpenIddict-based apps.
Proposed API:
/// <summary>
/// Configures OpenIddict to use reference tokens, so that authorization codes,
/// access tokens and refresh tokens are stored as ciphertext in the database
/// (only an identifier is returned to the client application). Enabling this option
/// is useful to keep track of all the issued tokens or when storing a very large
/// number of claims in the authorization codes, access tokens and refresh tokens.
/// Note: this option cannot be used when configuring JWT as the access token format.
/// </summary>
/// <param name="builder">The services builder used by OpenIddict to register new services.</param>
/// <returns>The <see cref="OpenIddictBuilder"/>.</returns>
public static OpenIddictBuilder UseReferenceTokens([NotNull] this OpenIddictBuilder builder)
{
    if (builder == null)
    {
        throw new ArgumentNullException(nameof(builder));
    }

    return builder.Configure(options => options.UseReferenceTokens = true);
}
Usage:
public void ConfigureServices(IServiceCollection services)
{
    // Register the OpenIddict services.
    services.AddOpenIddict(options =>
    {
        // ...
        // Configure OpenIddict to use reference tokens.
        options.UseReferenceTokens();
    });
}
Open question: should we have an equivalent to the aspnet-contrib validation middleware for reference tokens, or is the introspection middleware enough for this task?
Issue Analytics
- State:
- Created 6 years ago
- Comments:17 (13 by maintainers)
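The mechanism the issue describes (the client holds only an identifier, so deleting the server-side entry revokes the token at once), as an added example that is not part of the original issue and is not OpenIddict code. ReferenceTokenStore, Issue, Resolve and Revoke are hypothetical names; the sketch assumes .NET 6 or later, keeps entries in memory, and stores the payload as plain text where the proposal stores ciphertext in the database.

```csharp
#nullable enable
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical in-memory store used for illustration; not an OpenIddict type.
public sealed class ReferenceTokenStore
{
    private sealed record Entry(string Payload, DateTimeOffset ExpiresAt);

    // Keyed by SHA-256 of the identifier, so a dump of the store does not yield presentable identifiers.
    private readonly ConcurrentDictionary<string, Entry> _entries = new();

    private static string Hash(string identifier) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(identifier)));

    // Stores the payload server-side and returns the opaque identifier handed to the client.
    public string Issue(string payload, TimeSpan lifetime)
    {
        var identifier = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _entries[Hash(identifier)] = new Entry(payload, DateTimeOffset.UtcNow + lifetime);
        return identifier;
    }

    // Lookup performed on every request: null means unknown, expired or revoked.
    public string? Resolve(string identifier)
    {
        var key = Hash(identifier);
        if (!_entries.TryGetValue(key, out var entry)) return null;
        if (entry.ExpiresAt > DateTimeOffset.UtcNow) return entry.Payload;
        _entries.TryRemove(key, out _); // drop the expired entry
        return null;
    }

    // Revocation takes effect on the very next Resolve call.
    public bool Revoke(string identifier) => _entries.TryRemove(Hash(identifier), out _);
}

public static class Demo
{
    public static void Main()
    {
        var store = new ReferenceTokenStore();
        // Constructed sample claims payload.
        var token = store.Issue("{\"sub\":\"alice\",\"scope\":\"api\"}", TimeSpan.FromMinutes(5));
        Console.WriteLine(store.Resolve(token) != null); // token resolves while the entry exists
        store.Revoke(token);
        Console.WriteLine(store.Resolve(token) == null); // same identifier is rejected after revocation
    }
}
```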
Top GitHub Comments
Does the client id assigned to your resource server match the resource set when calling ticket.SetResources()?
It’s not supported (and couldn’t be implemented in a standard way anyway)