Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Missing claims using Introspection
See original GitHub issueConfirm you’ve already contributed to this project or that you sponsor it
- I confirm I’m a sponsor or a contributor
Version
3.x
Question
Hello, I have 1 application which can work in standalone or proxy mode. In standalone mode an instance is responsible for verifying his tokens. In proxy mode token is generated on master instance and proxy verifies if token contain all required claims. We are using Yarp to forward requests to master instance.
First I configure my OpenIdDict to use local server in validation method but because these 2 applications have different signing keys, I had to change it to use introspection. However I notice that token doesn’t contain all claims which I can see on jwt.io (e.g. oi_tkn_id, scope).
I notice that configure method doesn’t work in my case. I tried to explain server to not validate signing key but it doesn’t work. I get this error message: The signing key associated to the specified token was not found.
services.AddOpenIddict()
.AddCore(options =>
{
options.UseEntityFrameworkCore()
.UseDbContext<ApplicationDbContext>()
.ReplaceDefaultEntities<Client, Authorization, Scope, Token, int>();
})
.AddServer(options =>
{
options
.SetTokenEndpointUris("/connect/token")
.SetRevocationEndpointUris("/connect/revocation")
.SetIntrospectionEndpointUris("/connect/introspect");
options.AddEventHandler<OpenIddictServerEvents.ProcessSignInContext>(builder =>
{
builder.UseInlineHandler(context =>
{
if (context.Transaction.Request != null)
{
context.Response["scope"] = string.Join(" ", context.Transaction.Request.GetScopes().OrderBy(z => z));
}
return default;
});
});
options.AddEventHandler<OpenIddictServerEvents.ProcessChallengeContext>(builder =>
{
builder.UseInlineHandler(context =>
{
var authPropertiesKey = typeof(AuthenticationProperties).ToString();
if (context.Transaction.Properties.ContainsKey(authPropertiesKey))
{
var props = context.Transaction.Properties[authPropertiesKey] as AuthenticationProperties;
context.Response["message"] = props.Items["message"];
}
return default;
});
});
options.AllowClientCredentialsFlow();
options.AllowPasswordFlow();
options.AllowRefreshTokenFlow();
options.UseReferenceRefreshTokens();
options.RegisterScopes(
OpenIddictConstants.Permissions.Scopes.Profile.Replace(OpenIddictConstants.Permissions.Prefixes.Scope, string.Empty),
OpenIddictConstants.Permissions.Scopes.Roles.Replace(OpenIddictConstants.Permissions.Prefixes.Scope, string.Empty),
CustomScopes.APPLICATION,
CustomScopes.IDENTITY_SETUP,
CustomScopes.SUPPORT_PACKAGE);
options.SetAccessTokenLifetime(TimeSpan.FromHours(1));
options.SetRefreshTokenLifetime(TimeSpan.FromDays(7));
options.AddEncryptionCertificate(signingCertificate)
.AddSigningCertificate(signingCertificate);
options.DisableAccessTokenEncryption();
options.UseAspNetCore()
.EnableTokenEndpointPassthrough();
})
.AddValidation(options =>
{
options.Configure(c =>
{
c.TokenValidationParameters.ValidateIssuer = false;
c.TokenValidationParameters.ValidateIssuerSigningKey = false;
});
options.SetIssuer("https://localhost:44322/");
options.UseIntrospection()
.SetClientId(GeneralConstants.APP_CLIENT_ID)
.SetClientSecret(GeneralConstants.APP_CLIENT_SECRET);
options.UseSystemNetHttp();
//options.UseLocalServer();
options.UseAspNetCore();
});
Issue Analytics
- State:
- Created 10 months ago
- Comments:25 (12 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Thanks @kevinchalet, we rediscussed our architecture and we will change like you said. So, we will use introspection and issuer has to confirm token.
Hi @kevinchalet, I fixed my all issues 😃 Thank you for your helping 😃 I would like to use ChangeToken but currently I don’t understand how to use it with openIdDict configuration. I attached my current solution for others.