Missing claims using Introspection
Version
3.x
Question
Hello, I have one application which can work in standalone or proxy mode. In standalone mode, an instance is responsible for verifying its own tokens. In proxy mode, the token is generated on the master instance and the proxy verifies whether the token contains all required claims. We are using YARP to forward requests to the master instance.
First I configured OpenIddict to use the local server in the validation method, but because these two applications have different signing keys, I had to change it to use introspection. However, I noticed that the token doesn’t contain all the claims which I can see on jwt.io (e.g. oi_tkn_id, scope).
I noticed that the Configure method doesn’t work in my case. I tried to tell the server not to validate the signing key, but it doesn’t work. I get this error message: The signing key associated to the specified token was not found.
```csharp
services.AddOpenIddict()
    .AddCore(options =>
    {
        options.UseEntityFrameworkCore()
            .UseDbContext<ApplicationDbContext>()
            .ReplaceDefaultEntities<Client, Authorization, Scope, Token, int>();
    })
    .AddServer(options =>
    {
        options
            .SetTokenEndpointUris("/connect/token")
            .SetRevocationEndpointUris("/connect/revocation")
            .SetIntrospectionEndpointUris("/connect/introspect");

        // Echo the granted scopes back in the token response.
        options.AddEventHandler<OpenIddictServerEvents.ProcessSignInContext>(builder =>
        {
            builder.UseInlineHandler(context =>
            {
                if (context.Transaction.Request != null)
                {
                    context.Response["scope"] = string.Join(" ", context.Transaction.Request.GetScopes().OrderBy(z => z));
                }

                return default;
            });
        });

        // Surface a custom "message" from the authentication properties on challenge responses.
        // TryGetValue avoids a KeyNotFoundException when no message was set.
        options.AddEventHandler<OpenIddictServerEvents.ProcessChallengeContext>(builder =>
        {
            builder.UseInlineHandler(context =>
            {
                var authPropertiesKey = typeof(AuthenticationProperties).ToString();
                if (context.Transaction.Properties.TryGetValue(authPropertiesKey, out var value)
                    && value is AuthenticationProperties props
                    && props.Items.TryGetValue("message", out var message))
                {
                    context.Response["message"] = message;
                }

                return default;
            });
        });

        options.AllowClientCredentialsFlow();
        options.AllowPasswordFlow();
        options.AllowRefreshTokenFlow();
        options.UseReferenceRefreshTokens();

        options.RegisterScopes(
            OpenIddictConstants.Permissions.Scopes.Profile.Replace(OpenIddictConstants.Permissions.Prefixes.Scope, string.Empty),
            OpenIddictConstants.Permissions.Scopes.Roles.Replace(OpenIddictConstants.Permissions.Prefixes.Scope, string.Empty),
            CustomScopes.APPLICATION,
            CustomScopes.IDENTITY_SETUP,
            CustomScopes.SUPPORT_PACKAGE);

        options.SetAccessTokenLifetime(TimeSpan.FromHours(1));
        options.SetRefreshTokenLifetime(TimeSpan.FromDays(7));

        // The same certificate is registered for both encryption and signing here.
        options.AddEncryptionCertificate(signingCertificate)
            .AddSigningCertificate(signingCertificate);
        options.DisableAccessTokenEncryption();

        options.UseAspNetCore()
            .EnableTokenEndpointPassthrough();
    })
    .AddValidation(options =>
    {
        // Attempt to relax issuer/signing-key validation (reported above as not taking effect).
        options.Configure(c =>
        {
            c.TokenValidationParameters.ValidateIssuer = false;
            c.TokenValidationParameters.ValidateIssuerSigningKey = false;
        });

        options.SetIssuer("https://localhost:44322/");

        options.UseIntrospection()
            .SetClientId(GeneralConstants.APP_CLIENT_ID)
            .SetClientSecret(GeneralConstants.APP_CLIENT_SECRET);

        options.UseSystemNetHttp();
        //options.UseLocalServer();
        options.UseAspNetCore();
    });
```
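The proxy-mode arrangement described in the question (a proxy that does not hold the master instance's signing key and therefore has to ask the issuer whether a token is good) is easiest to see at the protocol level. The following is an added example, not code from this issue or from OpenIddict, written in Python so it runs without the ASP.NET stack: the proxy never tries to verify the JWT itself, it posts the token string to the RFC 7662 introspection endpoint with its own client credentials and accepts the request only when the issuer reports the token as active with the required scopes. The endpoint URL and issuer come from the configuration in the question; the client id, secret, scope names and the canned responses are constructed assumptions.

```python
from __future__ import annotations

import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Mapping

# Hypothetical values: the issue does not give the real client id, secret or scope names.
INTROSPECTION_URL = "https://localhost:44322/connect/introspect"
EXPECTED_ISSUER = "https://localhost:44322/"
PROXY_CLIENT_ID = "proxy-client"
PROXY_CLIENT_SECRET = "proxy-secret"


def build_introspection_request(token: str) -> urllib.request.Request:
    """RFC 7662 request: POST form body carrying the token, client-authenticated via HTTP Basic."""
    credentials = base64.b64encode(f"{PROXY_CLIENT_ID}:{PROXY_CLIENT_SECRET}".encode()).decode()
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    return urllib.request.Request(
        INTROSPECTION_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {credentials}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def evaluate_introspection(payload: Mapping[str, object], required_scopes: set[str]) -> tuple[bool, str]:
    """Accept or reject based only on what the issuer reported. Returns (accepted, reason)."""
    if payload.get("active") is not True:
        return False, "issuer reports the token as inactive"
    issuer = payload.get("iss")
    if issuer is not None and issuer != EXPECTED_ISSUER:
        return False, f"unexpected issuer {issuer!r}"
    granted = set(str(payload.get("scope", "")).split())
    missing = required_scopes - granted
    if missing:
        return False, f"missing required scopes: {sorted(missing)}"
    return True, "ok"


def check_token(
    token: str,
    required_scopes: set[str],
    send: Callable[[urllib.request.Request], bytes] | None = None,
) -> tuple[bool, str]:
    """Introspect `token` and decide. `send` replaces the network call in the offline demo."""
    request = build_introspection_request(token)
    if send is None:
        def send(req: urllib.request.Request) -> bytes:
            with urllib.request.urlopen(req, timeout=5) as response:
                return response.read()
    try:
        payload = json.loads(send(request))
    except (OSError, ValueError) as exc:
        # No well-formed answer from the issuer: fail closed rather than trust the token.
        return False, f"introspection failed: {exc}"
    if not isinstance(payload, dict):
        return False, "introspection response is not a JSON object"
    return evaluate_introspection(payload, required_scopes)


# Constructed introspection responses (shaped like RFC 7662 answers) for the offline demo.
CANNED_RESPONSES = {
    "active_with_scope": json.dumps({"active": True, "iss": EXPECTED_ISSUER, "scope": "application profile"}).encode(),
    "active_missing_scope": json.dumps({"active": True, "iss": EXPECTED_ISSUER, "scope": "profile"}).encode(),
    "revoked": json.dumps({"active": False}).encode(),
    "wrong_issuer": json.dumps({"active": True, "iss": "https://other.example/", "scope": "application"}).encode(),
    "garbage": b"<html>502 Bad Gateway</html>",
}


def demo(required_scopes: frozenset[str] = frozenset({"application"})) -> dict[str, tuple[bool, str]]:
    """Run each canned response through the proxy-side decision and return the outcomes."""
    results = {}
    for name, body in CANNED_RESPONSES.items():
        results[name] = check_token("opaque-token-from-client", set(required_scopes), send=lambda _req, body=body: body)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:22} -> {'accept' if accepted else 'reject'} ({reason})")
```

Two points carry over to the OpenIddict setup above. Switching off signing-key validation on the proxy is not a substitute for the issuer's answer: a proxy without the key cannot tell a genuine token it cannot verify from a forged one, so the decision has to come from introspection. And whatever the proxy needs to enforce (here the scope) must be present in the introspection response itself, regardless of which claims the JWT payload shows on jwt.io.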
Issue Analytics
- Created 10 months ago
- Comments: 25 (12 by maintainers)
Top GitHub Comments
Thanks @kevinchalet, we re-discussed our architecture and we will change it like you said. So, we will use introspection and the issuer has to confirm the token.
Hi @kevinchalet, I fixed all my issues 😃 Thank you for your help 😃 I would like to use ChangeToken but currently I don’t understand how to use it with the OpenIddict configuration. I attached my current solution for others.